I run the Tor Browser downloader. It says 13.0.5 will be updated to 13.0.6 and I confirm. However, after the download completes, a dialog box tells me:
So, I say NO and I try later (many times), yet that keeps happening. My clock is fine.
I also tried updating (in a DispVM) from inside the browser itself and it worked without any messages. I am hesitant about how to proceed with that dialog though.
Is anyone else experiencing this? What is the proper and safe action?
This post was moved to consolidate similar topics.
I know this probably isn’t Qubes related, but have spent most of my free time today searching elsewhere, and found nothing that matches what I have here.
I did a reinstall overnight, and after Qubes install updated all templates. Whonix-ws needed a Tor Browser update. During that update it mentioned that the signature probably hadn’t been checked before or whatever. I did my best to verify the signature, and proceeded with the update after it all looked legit. That update was for 13.0.5. This afternoon I got notification there was a new version available. Started the update, and it showed the new version to be 13.0.6. Got the warning “You are likely target of a downgrade attack”
Primary and Subkey fingerprints match the prior update, but the date for the signature does not. It shows to be 454 days prior to the previous signature date from this morning’s update.
My clock is not fast. I don’t know how to rule out the other possibilities listed as: there is really no newer signature yet, this is a (should be an) update-torbrowser bug, or this is an attack.
I’m probably wrong here, but my thought is that it might be due to the prior update being the first and only signature usage to compare it to.