Opened 10 months ago

Closed 9 months ago

#24683 closed defect (invalid)

Sig file verification fail

Reported by: xninaznx
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Received

gpg: Signature made Fri Dec 8 05:00:23 2017 EST
gpg: using RSA key D1483FA6C3C07136
gpg: BAD signature from "Tor Browser Developers (signing key) <torbrowser@…>" [unknown]

for sig file found on latest OS version of the browser download from https://www.torproject.org/download/download-easy.html.en

Please update sig file


Attachments (1)

TorBrowser-7.0.11-osx64_en-US.dmg.asc (801 bytes) - added by xninaznx 10 months ago.


Change History (10)

comment:1 Changed 10 months ago by gk

Component: Core Tor → Applications/Tor Browser
Owner: set to tbb-team
Priority: Immediate → Medium
Severity: Blocker → Major
Status: new → needs_information

Which bundle is that? I just rechecked the signatures on our server and they seem to be fine to me. Can you compute the SHA-256 sum of the bundles you downloaded and post it here?

comment:2 Changed 10 months ago by xninaznx

Sorry, I'm not sure how to do that. I used GPG to import your key and tried to verify the sig file in a terminal.

gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290
gpg: key 4E2C6E8793298290: 41 duplicate signatures removed
gpg: key 4E2C6E8793298290: 141 signatures not checked due to missing keys
gpg: key 4E2C6E8793298290: 1 signature reordered
gpg: key 4E2C6E8793298290: "Tor Browser Developers (signing key) <torbrowser@…>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
z:~ n$ gpg --fingerprint 0x4E2C6E8793298290
pub rsa4096 2014-12-15 [C] [expires: 2020-08-24]

EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290

uid [ unknown] Tor Browser Developers (signing key) <torbrowser@…>
sub rsa4096 2016-08-24 [S] [expires: 2018-08-24]

z:~ n$ gpg --verify ~/Downloads/TorBrowser-7.0.11-osx64_en-US.dmg{.asc*,}
gpg: Signature made Fri Dec 8 05:00:23 2017 EST
gpg: using RSA key D1483FA6C3C07136
gpg: BAD signature from "Tor Browser Developers (signing key) <torbrowser@…>" [unknown]

Changed 10 months ago by xninaznx

comment:3 Changed 10 months ago by boklm

If you are running macOS, to get the sha256sum of a file, you can run this command:

shasum -a 256 TorBrowser-7.0.11-osx64_en-US.dmg

This is the sha256sum I have:

5143e4a2141a69f66869be13eef4bcaac4e6c27c78383fc8a4c38b334759f3a2  TorBrowser-7.0.11-osx64_en-US.dmg

And I can verify this file with the gpg signature.

comment:4 Changed 10 months ago by xninaznx

I didn't get that response, I got:

z:~ n$ shasum -a 256 TorBrowser-7.0.11-osx64_en-US.dmg
shasum: TorBrowser-7.0.11-osx64_en-US.dmg:

comment:5 in reply to:  4 ; Changed 10 months ago by catalyst

Replying to xninaznx:

> I didn't get that response, I got:
>
> z:~ n$ shasum -a 256 TorBrowser-7.0.11-osx64_en-US.dmg
> shasum: TorBrowser-7.0.11-osx64_en-US.dmg:

That's the sort of output that might result if shasum can't find the file. Are you running that in the same directory that contains the .dmg file? Your prompt implies your current directory is ~ not ~/Downloads which is the directory that your previous comments imply you downloaded the file to.

comment:6 Changed 10 months ago by xninaznx

Thanks for pointing that out. New output:

52daf2edb60735cb804abdc53cdd945704bf1072fcc682609ae2f0b2a09b64d8 TorBrowser-7.0.11-osx64_en-US.dmg

comment:7 in reply to:  5 ; Changed 10 months ago by xninaznx

Replying to catalyst:

> Replying to xninaznx:
>
> > I didn't get that response, I got:
> >
> > z:~ n$ shasum -a 256 TorBrowser-7.0.11-osx64_en-US.dmg
> > shasum: TorBrowser-7.0.11-osx64_en-US.dmg:
>
> That's the sort of output that might result if shasum can't find the file. Are you running that in the same directory that contains the .dmg file? Your prompt implies your current directory is ~ not ~/Downloads which is the directory that your previous comments imply you downloaded the file to.

Is this output valid?
52daf2edb60735cb804abdc53cdd945704bf1072fcc682609ae2f0b2a09b64d8 TorBrowser-7.0.11-osx64_en-US.dmg

comment:8 in reply to:  7 Changed 10 months ago by boklm

Replying to xninaznx:

> Is this output valid?
> 52daf2edb60735cb804abdc53cdd945704bf1072fcc682609ae2f0b2a09b64d8 TorBrowser-7.0.11-osx64_en-US.dmg

No, it is not the correct file. There might have been a problem when downloading the file. Maybe the download was interrupted?

Can you try downloading it again to see if you still get the same file?

The correct file should be:

5143e4a2141a69f66869be13eef4bcaac4e6c27c78383fc8a4c38b334759f3a2  TorBrowser-7.0.11-osx64_en-US.dmg

comment:9 Changed 9 months ago by gk

Resolution: invalid
Status: needs_information → closed

Seems the download got corrupted, so this is not a bug.
