Verify Tor Browser's signature
Windows
Each file on our download page is accompanied by a file labelled "signature" with the same name as the package and the extension ".asc". These .asc files are OpenPGP signatures. They allow you to verify the file you've downloaded is exactly the one that we intended you to get. This will vary by web browser, but generally you can download this file by right-clicking the "signature" link and selecting the "save file as" option.
For example, tor-browser-windows-x86_64-portable-13.0.1.exe is accompanied by tor-browser-windows-x86_64-portable-13.0.1.exe.asc. These are example file names and will not exactly match the file names that you download.
Please notice that a signature is dated the moment the package has been signed. Therefore every time a new file is uploaded a new signature is generated with a different date. As long as you have verified the signature you should not worry that the reported date may vary.
Installing GnuPG
First of all you need to have GnuPG installed before you can verify signatures. If you run Windows, download Gpg4win and run its installer. In order to verify the signature you will need to type a few commands in the Windows command line, cmd.exe.
Fetching the Tor Developers key
The Tor Browser team signs Tor Browser releases. Import the Tor Browser Developers signing key (0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290):
gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
This should show you something like:
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
uid [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
NOTE: Your output may deviate somewhat from the above (e.g. expiration dates), however you should see the key correctly imported.
If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work. You might be able to import the key using the "Workaround (using a public key)" section instead.
After importing the key, you can save it to a file (identifying it by its fingerprint here):
gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290
This command results in the key being saved to a file found at the path ./tor.keyring, i.e. in the current directory. If ./tor.keyring doesn't exist after running this command, something has gone wrong and you cannot continue until you've figured out why this didn't work.
Verifying the signature
To verify the signature of the package you downloaded, you will need to download the corresponding ".asc" signature file as well as the installer file itself, and verify it with a command that asks GnuPG to verify the file that you downloaded.
The examples below assume that you downloaded these two files to your "Downloads" folder. Note that these commands use example file names and yours will be different: you will need to replace the example file names with exact names of the files you have downloaded.
For Windows users (change x86_64 to i686 if you have the 32-bit package):
gpgv --keyring .\tor.keyring Downloads\tor-browser-windows-x86_64-portable-13.0.1.exe.asc Downloads\tor-browser-windows-x86_64-portable-13.0.1.exe
The result of the command should contain:
gpgv: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"
If you get error messages containing 'No such file or directory', either something went wrong with one of the previous steps, or you forgot that these commands use example file names and yours will be a little different.
Refreshing the PGP key
Run the following command to refresh the Tor Browser Developers signing key in your local keyring from the keyserver. This will also fetch the new subkeys.
gpg --refresh-keys EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
Workaround (using a public key)
If you encounter errors you cannot fix, feel free to download and use this public key instead. Alternatively, you may use the following command:
curl -s https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf |gpg --import -
The Tor Browser Developers key is also available on keys.openpgp.org and can be downloaded from .
You may also want to learn more about GnuPG.
macOS
Each file on our download page is accompanied by a file labelled "signature" with the same name as the package and the extension ".asc". These .asc files are OpenPGP signatures. They allow you to verify the file you've downloaded is exactly the one that we intended you to get. This will vary by web browser, but generally you can download this file by right-clicking the "signature" link and selecting the "save file as" option.
For example, tor-browser-macos-14.5.6.dmg is accompanied by tor-browser-macos-14.5.6.dmg.asc. These are example file names and will not exactly match the file names that you download.
Please notice that a signature is dated the moment the package has been signed. Therefore every time a new file is uploaded a new signature is generated with a different date. As long as you have verified the signature you should not worry that the reported date may vary.
Installing GnuPG
First of all you need to have GnuPG installed before you can verify signatures. If you are using macOS, you can install GPGTools.
In order to verify the signature you will need to type a few commands in the Terminal (under "Applications").
Fetching the Tor Developers key
The Tor Browser team signs Tor Browser releases. Import the Tor Browser Developers signing key (0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290):
gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
This should show you something like:
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
uid [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
NOTE: Your output may deviate somewhat from the above (e.g. expiration dates), however you should see the key correctly imported.
If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work. You might be able to import the key using the "Workaround (using a public key)" section instead.
After importing the key, you can save it to a file (identifying it by its fingerprint here):
gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290
This command results in the key being saved to a file found at the path ./tor.keyring, i.e. in the current directory. If ./tor.keyring doesn't exist after running this command, something has gone wrong and you cannot continue until you've figured out why this didn't work.
Verifying the signature
To verify the signature of the package you downloaded, you will need to download the corresponding ".asc" signature file as well as the installer file itself, and verify it with a command that asks GnuPG to verify the file that you downloaded.
The examples below assume that you downloaded these two files to your "Downloads" folder. Note that these commands use example file names and yours will be different: you will need to replace the example file names with exact names of the files you have downloaded.
For macOS users:
gpgv --keyring ./tor.keyring ~/Downloads/tor-browser-macos-13.0.1.dmg.asc ~/Downloads/tor-browser-macos-13.0.1.dmg
The result of the command should contain:
gpgv: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"
If you get error messages containing 'No such file or directory', either something went wrong with one of the previous steps, or you forgot that these commands use example file names and yours will be a little different.
Workaround (using a public key)
If you encounter errors you cannot fix, feel free to download and use this public key instead. Alternatively, you may use the following command:
curl -s https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf |gpg --import -
The Tor Browser Developers key is also available on keys.openpgp.org and can be downloaded from . The key can also be fetched by running the following command:
gpg --keyserver keys.openpgp.org --search-keys EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
You may also want to learn more about GnuPG.
Linux
Each file on our download page is accompanied by a file labelled "signature" with the same name as the package and the extension ".asc". These .asc files are OpenPGP signatures. They allow you to verify the file you've downloaded is exactly the one that we intended you to get. This will vary by web browser, but generally you can download this file by right-clicking the "signature" link and selecting the "save file as" option.
For example, tor-browser-linux-x86_64-14.5.6.tar.xz is accompanied by tor-browser-linux-x86_64-14.5.6.tar.xz.asc. These are example file names and will not exactly match the file names that you download.
Please notice that a signature is dated the moment the package has been signed. Therefore every time a new file is uploaded a new signature is generated with a different date. As long as you have verified the signature you should not worry that the reported date may vary.
Installing GnuPG
If you are using GNU/Linux, then you probably already have GnuPG in your system, as most GNU/Linux distributions come with it preinstalled.
In order to verify the signature you will need to type a few commands in a terminal window. How to do this will vary depending on your distribution.
Fetching the Tor Developers key
The Tor Browser team signs Tor Browser releases. Import the Tor Browser Developers signing key (0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290):
gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
This should show you something like:
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
uid [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
NOTE: Your output may deviate somewhat from the above (e.g. expiration dates), however you should see the key correctly imported.
If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work. You might be able to import the key using the "Workaround (using a public key)" section instead.
After importing the key, you can save it to a file (identifying it by its fingerprint here):
gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290
This command results in the key being saved to a file found at the path ./tor.keyring, i.e. in the current directory. If ./tor.keyring doesn't exist after running this command, something has gone wrong and you cannot continue until you've figured out why this didn't work.
Verifying the signature
To verify the signature of the package you downloaded, you will need to download the corresponding ".asc" signature file as well as the installer file itself, and verify it with a command that asks GnuPG to verify the file that you downloaded.
The examples below assume that you downloaded these two files to your "Downloads" folder. Note that these commands use example file names and yours will be different: you will need to replace the example file names with exact names of the files you have downloaded.
For GNU/Linux users (change x86_64 to i686 if you have the 32-bit package):
gpgv --keyring ./tor.keyring ~/Downloads/tor-browser-linux-x86_64-13.0.1.tar.xz.asc ~/Downloads/tor-browser-linux-x86_64-13.0.1.tar.xz
The result of the command should contain:
gpgv: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"
If you get error messages containing 'No such file or directory', either something went wrong with one of the previous steps, or you forgot that these commands use example file names and yours will be a little different.
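The macOS and GNU/Linux verification step above can be scripted so that it fails closed instead of relying on someone reading the "Good signature" line. This is an added example, not part of the original page or Tor Project code: the helper names check_status and verify_file are hypothetical, and it reads gpgv's machine-readable --status-fd output and compares the primary key fingerprint against the one given on this page.

```shell
#!/bin/sh
# Added example (not Tor Project code): fail-closed wrapper around the gpgv step.
# Primary key fingerprint as printed on this page.
TOR_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# check_status EXPECTED_FPR   (hypothetical helper)
# Reads "gpgv --status-fd" lines on stdin. Succeeds only if a VALIDSIG line
# names EXPECTED_FPR as the primary key (its last field) and no failure status
# was reported. When a signing subkey made the signature, the first fingerprint
# on the VALIDSIG line is the subkey's; the last one is the primary key's.
# An expired key (EXPKEYSIG) is treated as a failure: refresh the key first.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { good = 1 }
        END { exit (good && !bad) ? 0 : 1 }
    '
}

# verify_file KEYRING SIGNATURE PACKAGE   (hypothetical helper)
# Give KEYRING with a slash in it (./tor.keyring); gpgv looks up a bare name
# in the GnuPG home directory instead of the current directory.
verify_file() {
    [ -s "$1" ] || { echo "keyring $1 is missing or empty" >&2; return 2; }
    { [ -f "$2" ] && [ -f "$3" ]; } || { echo "signature or package not found" >&2; return 2; }
    gpgv --status-fd 1 --keyring "$1" "$2" "$3" 2>/dev/null | check_status "$TOR_FPR"
}

# Constructed sample status line; the all-zero subkey fingerprint is a placeholder.
SAMPLE_OK="[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2024-01-01 1704067200 0 4 0 1 10 00 $TOR_FPR"

if [ "$#" -eq 3 ]; then
    # Usage: sh verify.sh ./tor.keyring <file>.asc <file>
    if verify_file "$1" "$2" "$3"; then
        echo "OK: valid signature, primary key $TOR_FPR"
    else
        echo "FAILED: do not install this file" >&2
        exit 1
    fi
else
    # No arguments: run the parser against the constructed sample only.
    printf '%s\n' "$SAMPLE_OK" | check_status "$TOR_FPR" && echo "self-check passed"
fi
```
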
Refreshing the PGP key
Run the following command to refresh the Tor Browser Developers signing key in your local keyring from the keyserver. This will also fetch the new subkeys.
gpg --refresh-keys EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
Workaround (using a public key)
If you encounter errors you cannot fix, feel free to download and use this public key instead. Alternatively, you may use the following command:
curl -s https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf |gpg --import -
The Tor Browser Developers key is also available on keys.openpgp.org and can be downloaded from . The key can also be fetched by running the following command:
gpg --keyserver keys.openpgp.org --search-keys EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
You may also want to learn more about GnuPG.