On 2020-03-02 07:58, Georg Koppen wrote:
Hans Vader:
Dear TOR people,
I have a question regarding the updating mechanism of tor browser from
within the browser.
These updates are signed I stronly suppose. I would like to know, does
checking these signatures depend on external programs like gpg? Is the
signature verification application for updates part of the browser
bundle itself?
For updates we essentially use the Firefox updater and, yes, we are
signing the update files.
Thanks for explaining.
Have there ever been serious flaws in that signature verification
mechanism?
Would you regard it safe enough for the paranoid among us or would you
advise to better download the full package and do the standard pgp
verification? I read from some people who only do the latter and donĀ“t
use the builtin updater.
Thanls
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
