"Signature Verification Failed" in Tor Browser Launcher

Parrot Security Mate 4.10 installed on encrypted persistent thumb drive.

I’ve been trying to download Tor via the Tor Browser Launcher Settings application, but no matter what mirror I choose, I get a “Signature Verification Failed!” message after the tor-browser archive finishes downloading.

I spent time looking for an answer via Google, and even the Parrot OS documentation tor fix did not work.

I would remove the previous failed verification files and try it again over and over, using the default mirror and others. The system clock is set correctly. These are the additional key commands I tried, which did not work.

gpg --homedir “$HOME/.local/share/torbrowser/gnupg_homedir/” --refresh-keys --keyserver pgp.mit.edu

gpg --keyserver hkp://pgp.mit.edu:11371 --recv-keys 0x4E2C6E8793298290

gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

curl -s https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf | gpg --import -

I appreciate any assistance or insight to this issue.

The problem is Tor Browser updated GPG key and

                              '--homedir', self.paths['gnupg_homedir'],
                              '--keyserver', 'hkps://keys.openpgp.org',
                              '--refresh-keys'], stderr=subprocess.PIPE)

This is source code of launcher and the server seems using the old key only which causes error

This command get the latest gpg key into user’s machine
gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
But… the gpg key of tor browser is locating at different path

1 Like

Okay it worked on my VM:

  1. gpg --homedir ~/.local/share/torbrowser/gnupg_homedir --delete-keys torbrowser@torproject.org
  2. gpg --homedir ~/.local/share/torbrowser/gnupg_homedir --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

P/s: Torbrowser-launcher needs gpg2
sudo apt install gnupg2

2 Likes

Thank you for your time and assistance dmknght!

I followed your directions and now have Tor Browser installed and working. :grinning:

It is good to hear that. I’m testing different way to solve it and hope it will be easier.

Change gpg2 to gpg doesn’t help. I think the problem is the server. the only way to fix the launcher project is editing refresh signature command.

1 Like

The steps mentioned above currently fail.

The launcher states that tor is newer than expected,
therefore assuming an attack.

Maybe a new issue?

1 Like

Yes it is new issue. If you check newer topics in community you’ll see the solution.

1 Like

The link to solution is here.

I verified it works after adding to launcher.py as sudo at line 420.

        for xMin, xInstalled in zip(self.min_version.split("."), installed_version.split(".")):
            if int(xMin) < int(xInstalled):
                return True