Digital signature is a process ensuring that a certain package was generated by its developers and has not been tampered with.Below we explain why it is important and how to verify that the Tor Browser you download is the one we have created and has not been modified by some attacker.
Each file on our download page is accompanied by a file labelled 'signature' with the same name as the package and the extension '.asc'. These .asc files are OpenPGP signatures.They allow you to verify the file you've downloaded is exactly the one that we intended you to get.This will vary by web browser, but generally you can download this file by right-clicking the 'signature' link and selecting the 'save file as' option.
torbrowser-install-win64-9.0_en-US.exe is accompanied by
torbrowser-install-win64-9.0_en-US.exe.asc.These are example file names and will not exactly match the file names that you download.
We now show how you can verify the downloaded file's digital signature on different operating systems.Please notice that a signature is dated the moment the package has been signed.Therefore every time a new file is uploaded a new signature is generated with a different date.As long as you have verified the signature you should not worry that the reported date may vary.
First of all you need to have GnuPG installed before you can verify signatures.
Search for Tor Browser, then click on the relevant result: Tor Browser in Ubuntu Software. Then, click Install. After entering your password, the installation process will start. When it ends, click Launch to start Tor Browser. Installing Tor Browser via the Terminal, from the downloaded package. If preferred, Tor Browser may be made portable by extracting it from its archive directly onto removable media such as a USB stick or SD card. It is recommended to use writable media so that Tor Browser can be updated as required. Feb 20, 2018 Have your USB drive with at least 4Gb of memory on it ready (everything will also be deleted off this one as well) and click on the 'Install by cloning' button. Plug in the device and wait for it to appear in the 'Target Device' drop-down list, once it does click on it.
For Windows users:
If you run Windows, download Gpg4win and run its installer.
In order to verify the signature you will need to type a few commands in windows command-line,
For macOS users:
If you are using macOS, you can install GPGTools.
In order to verify the signature you will need to type a few commands in the Terminal (under 'Applications').
For GNU/Linux users:
If you are using GNU/Linux, then you probably already have GnuPG in your system, as most GNU/Linux distributions come with it preinstalled.
In order to verify the signature you will need to type a few commands in a terminal window. How to do this will vary depending on your distribution.
Fetching the Tor Developers key
The Tor Browser team signs Tor Browser releases.Import the Tor Browser Developers signing key (0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290):
This should show you something like:
If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work. You might be able to import the key using the Workaround (using a public key) section instead.
After importing the key, you can save it to a file (identifying it by its fingerprint here):
This command results in the key being saved to a file found at the path
./tor.keyring, i.e. in the current directory. If
./tor.keyring doesn't exist after running this command, something has gone wrong and you cannot continue until you've figured out why this didn't work.
Verifying the signature
To verify the signature of the package you downloaded, you will need to download the corresponding '.asc' signature file as well as the installer file itself, and verify it with a command that asks GnuPG to verify the file that you downloaded.
The examples below assume that you downloaded these two files to your 'Downloads' folder.Note that these commands use example file names and yours will be different: you will have downloaded a different version than 9.0 and you may not have chosen the English (en-US) version.
For Windows users:
For macOS users:
For GNU/Linux users (change 64 to 32 if you have the 32-bit package):
The result of the command should produce something like this:
If you get error messages containing 'No such file or directory', either something went wrong with one of the previous steps, or you forgot that these commands use example file names and yours will be a little different.
Workaround (using a public key)
If you encounter errors you cannot fix, feel free to download and use this public key instead. Alternatively, you may use the following command:
Tor Browser Developers key is also available on keys.openpgp.org and can be downloaded from https://keys.openpgp.org/vks/v1/by-fingerprint/EF6E286DDA85EA2A4BA7DE684E2C6E8793298290.If you're using MacOS or GNU/Linux, the key can also be fetched by running the following command:
$ gpg --keyserver keys.openpgp.org --search-keys [email protected]
Tor Browser Usb
You may also want to learn more about GnuPG.