For many days now: "ERROR: Digital signature (GPG) could NOT be verified. Tor Browser update failed! Try again later. "

Hello

I can’t seem to update the Tor browser in whonix-ws-16 template (13.0.9 → 13.0.10). It always fails at signature verification. It says the key has expired.

However, I can update the browser in a disposable whonix-ws-16-dvm session - the browser does it automatically.

I have always updated the whonix-ws-16 template before I attempt using the Tor Browser Downloader tool (EDIT: via the Qubes Updater tool), whether it is indicated (i.e. a tick in the box) or not. (Inspired by previous discussions here).

I just don’t know how to fix this. Why aren’t keys being updated with a template update? (Supplementary question - how is it working via Tor browser in a disposable whonix-ws-16-dvm instance?)

Error output follows:

ERROR: Digital signature (GPG) could NOT be verified. 
Tor Browser update failed! Try again later. 
gpg_bash_lib_output_alright_status: false 
gpg_bash_lib_output_failure: 
gpg_bash_lib_output_diagnostic_message: 
gpg_bash_lib_internal_gpg_verify_status_fd_file: /var/cache/tb-binary/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_status_fd_file
gpg_bash_lib_internal_gpg_verify_output_file: /var/cache/tb-binary/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_output_file
gpg_bash_lib_output_gpg_import_output:
gpg: keybox '/var/cache/tb-binary/.cache/tb/gpgtmpdir/pubring.kbx' created
gpg: /var/cache/tb-binary/.cache/tb/gpgtmpdir/trustdb.gpg: trustdb created
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) " imported
gpg: Total number processed: 1
gpg: imported: 1
gpg_bash_lib_output_gpg_verify_output:
gpg: Signature made Tue 20 Feb 2024 12:22:18 PM UTC
gpg: using RSA key 613188FC5BE2176E3ED54901E53D989A9E2D47BF
gpg: Good signature from "Tor Browser Developers (signing key) " [ultimate]
gpg: Note: This key has expired!
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: 6131 88FC 5BE2 176E 3ED5 4901 E53D 989A 9E2D 47BF
gpg_bash_lib_output_gpg_verify_status_fd_output:
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1708337812
[GNUPG:] KEY_CONSIDERED EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0
[GNUPG:] KEYEXPIRED 1708337812
[GNUPG:] SIG_ID Dv6ryFYw4jPrC0jxlQEdvXbm4tE 2024-02-20 1708431738
[GNUPG:] KEYEXPIRED 1708337812
[GNUPG:] KEY_CONSIDERED EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0
[GNUPG:] EXPKEYSIG E53D989A9E2D47BF Tor Browser Developers (signing key) 
[GNUPG:] VALIDSIG 613188FC5BE2176E3ED54901E53D989A9E2D47BF 2024-02-20 1708431738 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
[GNUPG:] KEYEXPIRED 1708337812
[GNUPG:] KEY_CONSIDERED EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0
[GNUPG:] KEYEXPIRED 1708337812
[GNUPG:] KEY_CONSIDERED EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0
[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
1 Like
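
The status-fd lines in the report above can be read mechanically. The following Python is an added example, not part of the thread and not the code of the Tor Browser Downloader or gpg-bash-lib: it parses those lines and shows why a verifier that accepts only `GOODSIG` from a pinned primary key rejects this signature. The `classify` function, the `PINNED` name and the accept-only-`GOODSIG` policy are assumptions for illustration; the status lines and fingerprint are copied from the post.

```python
from datetime import datetime, timezone

# Status lines copied from the gpg --status-fd output in the post above
# (repeated KEYEXPIRED / KEY_CONSIDERED lines omitted).
STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1708337812
[GNUPG:] KEY_CONSIDERED EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0
[GNUPG:] SIG_ID Dv6ryFYw4jPrC0jxlQEdvXbm4tE 2024-02-20 1708431738
[GNUPG:] EXPKEYSIG E53D989A9E2D47BF Tor Browser Developers (signing key)
[GNUPG:] VALIDSIG 613188FC5BE2176E3ED54901E53D989A9E2D47BF 2024-02-20 1708431738 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
"""
# Primary key fingerprint as printed in the post; pinning it is an assumption.
PINNED = "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"
# Keywords that report the outcome of one signature check.
OUTCOMES = {"GOODSIG", "EXPKEYSIG", "EXPSIG", "REVKEYSIG", "BADSIG", "ERRSIG"}

def utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def classify(status_text, pinned_fpr):
    """Return (accepted, reasons) for the status-fd output of one signature."""
    outcome = signer_primary = sig_time = key_expiry = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        kw, *args = line[len("[GNUPG:] "):].split()
        if kw in OUTCOMES:
            outcome = kw
        elif kw == "KEYEXPIRED" and args:
            key_expiry = int(args[0])          # expiry of the key copy gpg imported
        elif kw == "VALIDSIG" and len(args) >= 10:
            sig_time = int(args[2])            # signature creation time (epoch)
            signer_primary = args[9]           # primary key of the signing subkey
    reasons = []
    if outcome != "GOODSIG":
        reasons.append(f"outcome is {outcome}, not GOODSIG")
    if signer_primary != pinned_fpr:
        reasons.append("signature is not from the pinned primary key")
    if key_expiry is not None and sig_time is not None and sig_time > key_expiry:
        reasons.append(f"signed {utc(sig_time)}, after the imported key copy "
                       f"expired {utc(key_expiry)}")
    return (not reasons, reasons)

if __name__ == "__main__":
    print(classify(STATUS, PINNED))
```

On the lines from the post, the signature is cryptographically valid and comes from the expected primary key, but it was made about a day after the expiry date recorded in the key copy that was imported, which is why gpg reports `EXPKEYSIG` rather than `GOODSIG`.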

Did you try updating the template via the Qubes Updater first? This issue is known and has been fixed, at least for Whonix 17, but the fix is applied via template update.

Sorry, I thought I had made that clear (edited now).

Yes, I have updated the template every time via Qubes Updater, even if it wasn’t indicated (with a tick in the box).

1 Like

Then it seems the fix hasn’t (yet?) been backported to Whonix 16. Might I suggest posting your report on the Whonix forum? Whonix is an integrated component of QubesOS, but the core Qubes developers don’t really deal with such Whonix-specific issues.

Actually, this is my own stupid fault for not keeping up with update notices:

1. Whonix 16 is EOL since January.
2. From that announcement, it seems “that Whonix 17 is available only on Qubes OS 4.2.”
3. There is a Whonix 17 now made available for Qubes 4.1.x

1 Like

Ah yes, I had forgotten about that, good catch. You best upgrade then; this issue is fixed on Whonix 17.

3 Likes

thanks for your help

2 Likes