[SRU] Tor does not download and install; repeated signature verification failed

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Please execute the following command only once, as it will automatically gather debugging information, in a terminal:

apport-collect 1856895

When reporting bugs in the future please use apport by using 'ubuntu-bug' and the name of the package affected. You can learn more about this functionality at https://wiki.ubuntu.com/ReportingBugs.

apport information

apport information

apport information

apport information

@Chris,

I needed to run apport-collect twice. The first time I did not use sudo and there were several permission denied errors. Sorry about the two reports.

On the upside, I was able to duplicate in an Ubuntu 18 VirtualBox VM.

I also noticed Ubuntu Software Center -> Search for Tor, shows a lot of "one star" reviews. It looks like a lot of people are having problems with the way Tor is working on Ubuntu.

Your screenshots don't look like anything the tor package ships.

It looks like torbrowser-launcher, which is at best related but is not the Tor package.

Same issue on latest torbrowser-launcher on Ubuntu 20.04. The "tor-browser-developers.asc" key has changed (again). Here is a workaround from upstream ticket: https://github.com/micahflee/torbrowser-launcher/issues/485#issuecomment-683723668

However, this needs to be properly fixed in upstream and in the Debian/Ubuntu package.

Status changed to 'Confirmed' because the bug affects multiple users.

I have also reported this to the Debian package maintainer (<email address hidden>).

The Debian package was updated: https://packages.debian.org/sid/torbrowser-launcher

It will hopefully be soon in groovy. I hope that it will also be backported into focal.

Ubuntu MOTU Developers seem to be the Ubuntu package maintainer. Subscribing.

I am not sure whether the focal update does require a SRU. Feel free to let me know if there is anything I could help with.

I have prepared a SRU for Ubuntu 20.04: https://bugs.launchpad.net/ubuntu/+source/torbrowser-launcher/+bug/1896085

Patch from Debian that fixes the issue:
https://salsa.debian.org/pkg-privacy-team/torbrowser-launcher/-/commit/72b87f502af0666954d9ae9f51b794d546e1ab6c (+ needs to be added into debian/patches/series)

It is already fixed in Groovy.

Hello Jeffrey, or anyone else affected,

Accepted torbrowser-launcher into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/torbrowser-launcher/0.3.2-9ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

I have tested the provided torbrowser-launcher 0.3.2-9ubuntu1 build from focal-proposed on fully-updated Ubuntu 20.04 system. I am no longer able to reproduce the issue and torbrowser-launcher now works properly.

Things still do not work on Ubuntu 18.04 x86_64 (fully patched). I still get the prompt to download something, which results in a verification failure.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic

I'm not sure what is broken with the devs and their public keys, but that is the problem that needs to be fixed.

I have not been able to use Tor on Ubuntu for about a year. Instead of making things more secure, you've made them less secure.

This is not yet fixed in Bionic - as such, patience is required Jeffrey. The status of Bionic is the one you need to watch on this bug. Fixes must land in Focal first.

This bug was fixed in the package torbrowser-launcher - 0.3.2-9ubuntu1

---------------
torbrowser-launcher (0.3.2-9ubuntu1) focal; urgency=medium

  * This is a bug-fix only upload to address several significant bugs
    found in the Tor Browser launcher package.
  * Patches backported from Debian Unstable release and Debian Salsa git
    repository for the package into the Focal package to fix issues.
    The following patches were added in d/patches and added to the quilt
    series file in the stated order:
    - 0023-Update-Tor-Browser-Developers-public-key-481.patch: Fixes issue
      with signature verification of tor browser tarball, due to changed
      upstream developers key. (LP: #1856895)
    - 0030-Use-gpg-instead-of-gpg2.patch: Use /usr/bin/gpg instead of the
      /usr/bin/gpg2 symlink due to gnupg2 transitional package not being
      part of default installations. (LP: #1897306)
    - 0031-Use-better-version-string-comparison.patch: Properly handle the
      version string comparison between Tor Browser versions, so that the
      launcher supports version 10+ and can properly validate.
      (LP: #1896752)
    - 0032-apparmor-allow-Browser-to-memory-map-libstdc.patch: Allow
      apparmor profile to access and memory map libstdc, due to AppArmor
      default DENY on access causing issues. (LP: #1897302)

 -- Thomas Ward <email address hidden> Sun, 27 Sep 2020 14:34:53 -0400

The verification of the Stable Release Update for torbrowser-launcher has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Bionic test build for SRU located here: https://launchpad.net/~teward/+archive/ubuntu/torbrowser-launcher-sru

Hello Jeffrey, or anyone else affected,

Accepted torbrowser-launcher into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/torbrowser-launcher/0.2.9-2ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

I've tested torbrowser-launcher 0.2.9-2ubuntu1 from bionic-proposed with Ubuntu 18.04 and Linux Mint 19.3 and can confirm that everything is running perfect again. torbrowser-launcher 0.2.9-2ubuntu1 has been able to update Torbrowser to Version 10.0.1. on both machines. All these error messages are gone. :-)

Thanks for fixing this!

One question: Can I just comment out the proposed entry from sources.list and continue using this fixed version of torbrowser-launcher? Will it get updates in the future?

Yes, if you disable the -proposed entry in your sources.list file you'll have the same version of the package which will then end up in the -updates pocket. Then if there is another SRU of the package, or a security update, than that will be installed as they'll end up in pockets which you have enabled.

This bug was fixed in the package torbrowser-launcher - 0.2.9-2ubuntu1

---------------
torbrowser-launcher (0.2.9-2ubuntu1) bionic; urgency=medium

  * This is a stable release update to address issues with Tor Browser
    install verification.
  * Patches added to d/patches:
    - 0023-Update-Tor-Browser-Developers-public-key-481.patch: Fixes issue
      with signature verification of tor browser tarball, due to changed
      upstream develoeprs key. (LP: #1856895)
    - 0031-Use-better-version-string-comparison.patch: Properly handle the
      version string comparison between Tor Browser versions, so that the
      launcher supports version 10+ and can properly validate.
      (LP: #1896752)

 -- Thomas Ward <email address hidden> Mon, 12 Oct 2020 09:45:44 -0400