Tor browser launcher signature verification failed on initial download

Bug #1670506 reported by David Cary
28
This bug affects 6 people
Affects Status Importance Assigned to Milestone
torbrowser-launcher (Ubuntu)
Fix Released
Undecided
Unassigned
Xenial
Confirmed
Undecided
Unassigned
Yakkety
Confirmed
Undecided
Unassigned

Bug Description

After doing a fresh install of Ubuntu Desktop 16.04.2, I used Ubuntu Software Center to install Tor Browser (Tor Browser Launcher). I then click on the Tor icon to start the initial download of the Tor Browser Bundle. The download completes, but the subsequent signature verification fails with a message "SIGNATURE VERIFICATION FAILED". The message also suggests that I might be under attack (very unlikely) or that there might be a networking problem. I am using a stable network, have not had network problems with other applications, and repeating the download, even after redoing the Ubuntu installation, does not change any behavior.

Additional information, which I can copy here if it is helpful, is listed at:
    https://answers.launchpad.net/ubuntu/+question/526440

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: torbrowser-launcher 0.2.4-1
ProcVersionSignature: Ubuntu 4.8.0-39.42~16.04.1-generic 4.8.17
Uname: Linux 4.8.0-39-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
CurrentDesktop: Unity
Date: Mon Mar 6 14:25:26 2017
ExecutablePath: /usr/bin/torbrowser-launcher
InstallationDate: Installed on 2017-03-04 (2 days ago)
InstallationMedia: Ubuntu 16.04.2 LTS "Xenial Xerus" - Release amd64 (20170215.2)
InterpreterPath: /usr/bin/python2.7
ProcEnviron:
 PATH=(custom, user)
 SHELL=/bin/bash
 LANG=en_US.UTF-8
 LANGUAGE=en_US
 XDG_RUNTIME_DIR=<set>
SourcePackage: torbrowser-launcher
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
David Cary (dcary) wrote :
Revision history for this message
Jeremy Bícha (jbicha) wrote :

This bug was fixed in the package torbrowser-launcher - 0.2.6-3.1

---------------
torbrowser-launcher (0.2.6-3.1) unstable; urgency=medium

  * Non-maintainer upload.
  * debian/patches/update-tor-signing-key.patch:
   - Updates the signing key to include the new subkey. (Closes: #852732)

 -- Iain R. Learmonth <email address hidden> Tue, 07 Mar 2017 23:18:36 +0000

Changed in torbrowser-launcher (Ubuntu):
status: New → Fix Released
Revision history for this message
David Cary (dcary) wrote :

Thanks. I hope that fix gets backported to 16.04 LTS. Until then, I have documented the work-around that worked for me in the Ubuntu Answers mentioned above:
    https://answers.launchpad.net/ubuntu/+question/526440

I'll also suggest an upstream change that would prevent this kind of problem (a new signing key being introduced by the Tor Project after the Ubuntu package is released) from happening again: have the torbrowser-launcher download any updates to its signing keys before it attempts the signature verification.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in torbrowser-launcher (Ubuntu Xenial):
status: New → Confirmed
Changed in torbrowser-launcher (Ubuntu Yakkety):
status: New → Confirmed
Revision history for this message
Master (umely) wrote :

torbrowser-launcher (0.2.6-3.1) solved for me

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.