Hi everyone. I’m verifying TOR and think I have it done but am a little uncertain about one aspect. I’m following their guide: How can I verify Tor Browser's signature? | Tor Project | Support
So I Imported the Tor Browser Developers signing key, which worked as they said it would. I then saved the key to a file, which worked and the file was where they said it’d be.
i then used the command as instructed by them - which asked GnuPG to verify the signature, which it did and it said good signature from TOR browser developers. So, all good? I think so but then it goes on about refreshing the key.
do i need to do this, refresh the key? I ask as the rest of the instructions don’t then explain what to do once the key has been refreshed. Is it an unneccessary step? I’m in no rush - I want to do this the right way.
Also, is there a way to verify TOR again after it updates itself? Is there even a need? If it was verified when downloaded initially, is that enough?
Another thing: i downloaded it initailly from their official site in around December 2024. for reasons I won’t go into, i didn’t verify and install it until maybe March 2025 or so. Would this time lag be of concern? Did I verify an old copy? Should I have gotten the latest and verified that instead?
I’m satisfied that no-one interfered with my laptop during that period. Obviously someone could have over the internet, or even physically in my house if they accessed it, but I’ll take that risk.
Big thank you to the entire TOR community - the developers, the people running the relays, the ordinary user, everyone here on the forum. This is such a great tool to have and it’s much appreciated.
Cheers everyone.
Kali Linux 2024.2
TOR 14.5.1 (64 bit)