Opened 3 years ago

Closed 3 years ago

Last modified 20 months ago

#21238 closed defect (invalid)

tor-messenger-linux32-0.3.0b2 BAD signature

Reported by: BobSmith Owned by:
Priority: Very High Milestone:
Component: Archived/Tor Messenger Version: Tor: unspecified
Severity: Blocker Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:



I was trying to verify signature of Tor Messenger 0.3.0 beta and got BAD signature:
#Import the key
gpg --keyserver --recv-keys 0xB01C8B006DA77FAA
Fingerprint OK
gpg --fingerprint 0xB01C8B006DA77FAA
pub 4096R/0xB01C8B006DA77FAA 2016-02-25 [expires: 2020-02-24]

Key fingerprint = E4AC D397 5427 A5BA 8450 A1BE B01C 8B00 6DA7 7FAA

uid [ unknown] Sukhbir Singh <azadi@…>
uid [ unknown] Sukhbir Singh <sukhbir@…>
sub 4096R/0x1AF20C043D9F9289 2016-02-25 [expires: 2020-02-24]


gpg --verify sha256sums-signed-build.txt.asc tor-messenger-linux32-0.3.0b2_en-US.tar.xz
gpg: Signature made Wed 28 Dec 2016 01:22:29 PM UTC
gpg: using RSA key 0xB01C8B006DA77FAA
gpg: BAD signature from "Sukhbir Singh <azadi@…>" [unknown]

Files were downloaded from here:


Child Tickets

Change History (2)

comment:1 Changed 3 years ago by arlolra

Resolution: invalid
Status: newclosed

It looks like your problem is in this line,

gpg --verify sha256sums-signed-build.txt.asc tor-messenger-linux32-0.3.0b2_en-US.tar.xz

that should just be,

gpg --verify sha256sums-signed-build.txt.asc

and you'll need to download the corresponding sha256sums-signed-build.txt file.

Then you'll want to run,

shasum -a 256 tor-messenger-linux32-0.3.0b2_en-US.tar.xz

and verify that sha you get is in that sha256sums-signed-build.txt file.

Hope that helps.

This procedure is covered here,

comment:2 Changed 20 months ago by traumschule

<+sukhe> hello. yes, I think it's fine to close the tickets. thanks for doing what we should done earlier :)

sad but true:

luckily there are alternatives:

.. and maybe someday

Note: See TracTickets for help on using tickets.