Joe: > The detached .asc signature file for linux-64 is > "tor-browser-linux64-7.5.5_en-US.tar.xz.asc" > GPG complains it can't verify: > > gpg: can't open `tor-browser-linux64-7.5.5_en-US.tar.xz.asc' > gpg: verify signatures failed: file open error > > Was a different key used to sign TBB 7.5.5 (linux64) than used for 7.5.3? > > Note: it says "can't open the .asc file," not that it's a bad signature. > The files are in the same directory in my ~/Downloads directory. > TBB D/L version 7.5.3 verifies OK with the .asc file on Tor Project's > D/L page. I checked it again today, using the same GPG version on my > system. > > I'm not sure if it has to do with the GnuPG version that Tor Project > used to sign the file & create the detached signature and my gpg > version, 1.4.20, or another key that I don't have was used to sign this > time ? > > The TBB 7.5.5 .asc file (nor v7.5.3) doesn't show the GnuPG version used > , like often seen in other .asc files, e.g., "Version: GnuPG v2.0.14."
Yes, that's a feature. If you are interested https://riseup.net/en/security/message-security/openpgp/best-practices has some hints on how to improve your GnuPG setup. > I verify signed files all the time (that used GnuPG 2.0.x to sign) & GPG > never complained it "couldn't open a signature file" with the same > naming convention as the v7.5.5 program file and its .asc file. What does gpg --verify tor-browser-linux64-7.5.5_en-US.tar.xz.asc tor-browser-linux64-7.5.5_en-US.tar.xz say in your terminal? Georg
signature.asc
Description: OpenPGP digital signature
-- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
