Verifying Tor Browser - some general questions. Did I do it right?

Hi everyone. I’m verifying TOR and think I have it done but am a little uncertain about one aspect. I’m following their guide: How can I verify Tor Browser's signature? | Tor Project | Support

So I imported the Tor Browser Developers signing key, which worked as they said it would. I then saved the key to a file, which worked, and the file was where they said it'd be.

I then used the command as instructed by them - which asked GnuPG to verify the signature, which it did, and it said good signature from TOR browser developers. So, all good? I think so, but then it goes on about refreshing the key.

Do I need to do this, refresh the key? I ask as the rest of the instructions don't then explain what to do once the key has been refreshed. Is it an unnecessary step? I'm in no rush - I want to do this the right way.

Also, is there a way to verify TOR again after it updates itself? Is there even a need? If it was verified when downloaded initially, is that enough?

Another thing: I downloaded it initially from their official site in around December 2024. For reasons I won't go into, I didn't verify and install it until maybe March 2025 or so. Would this time lag be of concern? Did I verify an old copy? Should I have gotten the latest and verified that instead?

I’m satisfied that no-one interfered with my laptop during that period. Obviously someone could have over the internet, or even physically in my house if they accessed it, but I’ll take that risk.

Big thank you to the entire TOR community - the developers, the people running the relays, the ordinary user, everyone here on the forum. This is such a great tool to have and it’s much appreciated.

Cheers everyone.

Kali Linux 2024.2
TOR 14.5.1 (64 bit)

Oops, did I do the noob thing of coming along and asking for endless reassurance when doing something relatively straightforward? My apologies if I did. I just got myself in knots over privacy.

If you received Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" in the console, which seems like what you did, then yes, it's all good.

You will have to refresh the GPG key from time to time to fetch the new subkeys. The subkeys used to sign Tor Browser releases are rotated from time to time.

Whenever Tor Browser updates itself - it should verify the update automatically, else fail. Refer to “The Design and Implementation of Tor Browser” for more details about the design and safety considerations for Tor Browser updates.

It should be fine, if the GPG verification succeeded.
But in general, I’d consider it a best practice to download the latest Tor Browser binary from the website and then verify before installing.

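The steps the reply describes (fetch the key, export it to a keyring, run gpgv, look for the exact "Good signature" line, and refresh the key the same way later), put together as an added example script. This is not the Tor Project's own code; it assumes GnuPG (gpg and gpgv) is installed, that the key is fetched over WKD from torproject.org as in the support guide, and that the `.asc` signature sits beside the downloaded bundle.

```shell
#!/bin/sh
# Constructed verification helper for this thread, not the Tor Project's script.
# Assumes gpg/gpgv are installed and "$bundle.asc" sits next to "$bundle".
# The key is fetched via WKD; re-running the same lookup later is the
# "refresh": gpg merges any newly issued signing subkeys into the key
# that is already in your keyring.
set -eu

TOR_UID='Tor Browser Developers (signing key) <torbrowser@torproject.org>'

# First run: import the Tor Browser Developers key. Later runs: refresh it.
fetch_or_refresh_key() {
    gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org >/dev/null
}

# Export the key into a standalone keyring so gpgv trusts only this key.
export_keyring() {
    # $1 = keyring file to write
    gpg --output "$1" --export torbrowser@torproject.org
}

# Read gpgv's output on stdin; succeed only if it reports a good signature
# from exactly the expected uid (a good signature from some other key is
# not enough, so the uid string is matched literally).
check_gpgv_output() {
    grep -Fq "Good signature from \"$TOR_UID\""
}

# $1 = keyring, $2 = downloaded bundle. Both the gpgv exit status and the
# uid in its output must be right.
verify_bundle() {
    out=$(gpgv --keyring "$1" "$2.asc" "$2" 2>&1) || return 1
    printf '%s\n' "$out" | check_gpgv_output
}

if [ $# -ge 1 ]; then
    # Usage: ./verify-tor.sh ~/Downloads/tor-browser-linux-x86_64-14.5.1.tar.xz
    fetch_or_refresh_key
    export_keyring ./tor.keyring
    if verify_bundle ./tor.keyring "$1"; then
        echo "OK: $1 verified against $TOR_UID"
    else
        echo "FAILED: do not install $1" >&2
        exit 1
    fi
fi
```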


Thanks so much for the help ebanam - it is much appreciated. I have one more question regarding refreshing the key. If, as in my case, I've received the "good signature from TOR browser developers" message in the console, why would I then need to refresh the key? I'm thinking I wouldn't need to - am I right? Is it only if I was going about verifying a copy of TOR for the first time? I'm confused on this point.

Many thanks once again

Yep, for the current install of Tor Browser, which you have successfully verified and installed, you don't need to do anything further.

On the same machine, if you manually reinstall the browser at some point in the future and go through verifying the Tor Browser download file, you can skip the part to import the Tor Browser Developer’s GPG key (it’s already in your local GPG keyring!) and just refresh the key to fetch any new subkeys.
