Joe:
> The detached .asc signature file for linux-64 is
> "tor-browser-linux64-7.5.5_en-US.tar.xz.asc"
> GPG complains it can't verify:
>
> gpg: can't open `tor-browser-linux64-7.5.5_en-US.tar.xz.asc'
> gpg: verify signatures failed: file open error
>
> Was a different key used to sign TBB 7.5.5 (linux64) than used for 7.5.3?
>
> Note: it says "can't open the .asc file," not that it's a bad signature.
> The files are in the same directory in my ~/Downloads directory.
> TBB D/L version 7.5.3 verifies OK with the .asc file on Tor Project's
> D/L page. I checked it again today, using the same GPG version on my
> system.
>
> I'm not sure if it has to do with the GnuPG version that Tor Project
> used to sign the file & create the detached signature and my gpg
> version, 1.4.20, or another key that I don't have was used to sign this
> time ?
>
> The TBB 7.5.5 .asc file (nor v7.5.3) doesn't show the GnuPG version used
> , like often seen in other .asc files, e.g., "Version: GnuPG v2.0.14."
Yes, that's a feature. If you are interested
https://riseup.net/en/security/message-security/openpgp/best-practices
has some hints on how to improve your GnuPG setup.
> I verify signed files all the time (that used GnuPG 2.0.x to sign) & GPG
> never complained it "couldn't open a signature file" with the same
> naming convention as the v7.5.5 program file and its .asc file.
What does
gpg --verify tor-browser-linux64-7.5.5_en-US.tar.xz.asc
tor-browser-linux64-7.5.5_en-US.tar.xz
say in your terminal?
Georg
signature.asc
Description: OpenPGP digital signature
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
