Tor Browser Downloader Error: “GPG download signature could NOT be verified”

A week ago I was testing 4.1 and got this error trying to download tor browser update in a whonix ws template. Today I also got the same error after a fresh install of 4.0.4. I tried to work around it by updating whonix ws thorough the qubes-dom0-update but the tor browser downloader still gives the error “GPG download signature could NOT be verified” I’m assuming I could manually install a GPG key and will try to do that. I would appreciate if someone might know of an easy fix for this.

I just got an update (thought I had updated it already) and it seems to be working now. I Should have tried to update whonix ws twice.

1 Like

(made title more specific about the issue)

Having same issue, output below:

ERROR: Digital signature (GPG) could NOT be verified. 
Tor Browser update failed! Try again later. 
gpg_bash_lib_output_alright_status: 
gpg_bash_lib_output_failure: 
gpg_bash_lib_output_diagnostic_message: 
gpg_bash_lib_internal_gpg_verify_status_fd_file: /var/cache/tb-binary/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_status_fd_file
gpg_bash_lib_internal_gpg_verify_output_file: /var/cache/tb-binary/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_output_file
gpg_bash_lib_output_gpg_import_output:
gpg: keybox '/var/cache/tb-binary/.cache/tb/gpgtmpdir/pubring.kbx' created
gpg: /var/cache/tb-binary/.cache/tb/gpgtmpdir/trustdb.gpg: trustdb created
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) " imported
gpg: Total number processed: 1
gpg: imported: 1
gpg_bash_lib_output_gpg_verify_output:
gpg: Signature made Fri 17 Dec 2021 02:18:25 PM UTC
gpg: using RSA key 3D1B08D7D5F58676B838DC925601A3DC64D6E363
gpg: Can't check signature: No public key
gpg_bash_lib_output_gpg_verify_status_fd_output:

Yeah, this is weird. I am having the same problem with whonix-ws-16 using the “Tor Browser Downloader” / update-torbrowser when trying to update the browser to 11.0.3.

It is strange because it clearly downloads a public key and imports it, and yet it says that it can’t find a public key.

The update from within the browser is working fine though, but it happens in the dvm, so I have to do it every time I fire it up.

UPDATE: As I was posting this, there was a new update available of the tb-updater. The update to the latest version (3:21.8-1) fixes this error.

It has been fixed, simply update your whonix-ws template again and it should be ready to go.

The bug was due to this (still unfixed) upstream issue: sha256sums-unsigned-build.incrementals.txt and sha256sums-unsigned-build.txt are not signed with torbrowser key (#40759) · Issues · The Tor Project / Applications / Tor Browser · GitLab

And it was fixed with this commit: switch to "direct" digital signature verification · Whonix/tb-updater@f79cb40 · GitHub

1 Like

I had the same issue, but with some more concerning factors. It is being discussed on Whonix’s forum. Can you please read there and discuss if you experienced anything similar or if you have any suggestions? Thanks

1 Like

Me being paranoid :slight_smile:
This has been resolved

1 Like