TOR GPG-VERIFICATION MADE EASY (Linux Edition)

This is PART-02 of The DarkNet Diaries series.

In this post you'll simply learn how to download & verify a TOR-Browser download via GPG [GPG = GNU Privacy Guard].
GPG verification is a rock-solid method of verifying files for their authenticity & it has a steep learning curve; but don't worry I'll try my best to at least show you how to verify your TOR-Browser downloads. [Please DO know that this will be a LINUX-ONLY guide]
GPG is a Command-Line [AKA Terminal] tool, eventhough there are Graphical tools like kleopatra or GPG4Win, these are available only for windows for now, plus their functionalities are limited & GPG being a terminal tool adds to it's steep learning curve, so let's make it easy to understand shall we.

Each file on the download section of TOR-Browser's Website is accompanied by a file labelled signature with the same name as the package and the extension .asc These ".asc" files are OpenPGP-Signatures. They allow you to verify that the file you've downloaded is exactly the one that TOR-project intended you to get.

E.g:- tor-browser-linux64-11.5.2_en-US.tar.xz is accompanied by tor-browser-linux64-11.5.2_en-US.tar.xz.asc [These are example file names and will not exactly match the file names that you download.]

VERIFICATION STEPS IN LINUX

  1. INSTALLING GPG

    2. First of all you need to have GPG installed before you can verify signatures.
    If you are using GNU+Linux, then you probably already have GPG in your system, as most GNU/Linux distributions come with it Pre-Installed OR you can install it with your Package-Manager.

  2. FETCHING TOR DEVELOPER'S KEY

    3. The Tor Browser team signs Tor Browser releases. Import the Tor Browser Developers signing key by using the command:-

    gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

    This should show you something like this:-

    gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) " imported
gpg: Total number processed: 1
gpg: imported: 1
pub   rsa4096 2014-12-15 [C] [expires: 2025-07-21]
      EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
uid [ unknown] Tor Browser Developers (signing key) 
sub rsa4096 2018-05-26 [S] [expires: 2023-09-17]

    Here; EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 is the FINGERPRINT
    & Then; After importing the key, you can save it to a file [Via identifying it by it's FINGERPRINT] here:-

    gpg --output ./tor.keyring --export 0xFINGERPRINT

    Here, you simply substitute FINGERPRINT with your own.

  3. VERIFYING THE TOR'S SIGNATURE

    4. To verify the signature of the package you downloaded, you will need to download the corresponding .asc Signature-File as well as the "Installer-File" itself & verify it with a command that asks GPG to verify the file that you downloaded.
    For GNU/Linux users [change 64 to 32 if you have the 32-bit package] & then use this command:-

    gpgv --keyring ./tor.keyring ~/FOLDER/tor-browser-linux64-VERSION.tar.xz.asc ~/FOLDER/tor-browser-linux64-VERSION.tar.xz

    Simply replace/substitute VERSION with the version number of the package/software you downloaded.
    It would be better if you put the .asc-File & the Installer-File [A Tar compressed File in case of GNU/Linux] in ONE folder & THEN run the above-mentioned command.

    THE RESULT OF THE COMMAND SHOULD BE SOMETHING LIKE THIS 🠮

    gpgv: Signature made 07/08/19 04:03:49 Pacific Daylight Time
gpgv:                using RSA key EB774491D9FF06E2
gpgv: Good signature from "Tor Browser Developers (signing key) "

    If you get error messages containing "No such file or directory", Either something went wrong with one of the previous steps, OR you forgot that these commands use example file names & YOURS WILL BE DIFFERENT.
    YOU ARE LOOKING FOR THE MESSAGE "Good signature".