[Pkg-anonymity-tools] Bug#756193: seems not to properly verify download
Holger Levsen
holger at layer-acht.org
Sun Jul 27 11:31:20 UTC 2014
package: torbrowser-launcher
severity: important
tags: upstream
Hi,
when running torbrowser-launcher I just saw this:
Running task: download_tarball
Downloading https://www.torproject.org/dist/torbrowser/3.6.3/tor-browser-linux64-3.6.3_en-US.tar.xz
Updating over Tor
Finished receiving body: Response body fully received
Running task: verify
Verifying signature
gpg: Signature made Thu Jul 24 10:45:33 2014 CEST using RSA key ID 0E3A92E4
gpg: Good signature from "Mike Perry (Regular use key) <mikeperry at torproject.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C963 C21D 6356 4E2B 10BB 335B 2984 6B3C 6836 86CC
Subkey fingerprint: D734 B622 C7B5 D164 D665 0CB8 717F 1F13 0E3A 92E4
Running task: extract
Extracting tor-browser-linux64-3.6.3_en-US.tar.xz
Running task: run
Running /home/foo/.torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser
So it _seems_ gpg cannot verify the download!
If that's really the case, it's horrible. If it's just a wrong warning, it
still should be fixed as we don't want to train users to ignore security
warnings :-/
cheers,
Holger
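As an added illustration (not part of this report and not torbrowser-launcher's own code): the "not certified with a trusted signature" warning only says the key is outside the local web of trust, so a launcher that pins the expected primary fingerprint and checks gpg's machine-readable status output can accept or reject the download without relying on that trust model. The status lines below are a constructed sample of what `gpg --status-fd` prints for the run quoted above; the fingerprint is the one printed in the report.

```python
import subprocess

# Primary fingerprint of the signing key as printed in the report above
# ("Primary key fingerprint: ..."), spaces removed. Pinning it is what turns
# "Good signature" into "good signature by the key we expect".
PINNED_PRIMARY_FPR = "C963C21D63564E2B10BB335B29846B3C683686CC"

# Constructed sample of gpg --status-fd output for the run in the report.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 717F1F130E3A92E4 Mike Perry (Regular use key) <mikeperry@torproject.org>
[GNUPG:] VALIDSIG D734B622C7B5D164D6650CB8717F1F130E3A92E4 2014-07-24 1406191533 0 4 0 1 10 00 C963C21D63564E2B10BB335B29846B3C683686CC
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

def parse_status(status_text):
    """Extract the fields that matter from gpg --status-fd lines."""
    result = {"goodsig": False, "badsig": False, "sig_fpr": None,
              "primary_fpr": None, "trust": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        kw = parts[1]
        if kw == "GOODSIG":
            result["goodsig"] = True
        elif kw in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            result["badsig"] = True
        elif kw == "VALIDSIG":
            # VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <rsv> <pk> <hash> <class> [<primary-fpr>]
            result["sig_fpr"] = parts[2]
            if len(parts) >= 12:
                result["primary_fpr"] = parts[11]
        elif kw.startswith("TRUST_"):
            result["trust"] = kw          # TRUST_UNDEFINED is the "not certified" warning
    return result

def is_acceptable(status_text, pinned_fpr=PINNED_PRIMARY_FPR):
    """Accept only a good signature whose primary key matches the pinned fingerprint.
    The trust level is deliberately ignored: the pin replaces the web of trust."""
    s = parse_status(status_text)
    if s["badsig"] or not s["goodsig"]:
        return False
    return s["primary_fpr"] == pinned_fpr.replace(" ", "").upper()

def gpg_status_output(sig_path, data_path, gnupghome):
    """Helper (assumes gpg is installed): run the real verification with status on stdout."""
    proc = subprocess.run(["gpg", "--homedir", gnupghome, "--batch", "--status-fd", "1",
                           "--verify", sig_path, data_path], capture_output=True, text=True)
    return proc.stdout
```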