File signature could not be verified 11.0.6_en-US.exe [32-bit]

Tig7 · February 15, 2022, 3:44pm

Hi,

torbrowser-install-11.0.6_en-US.exe [32-bit] - Out of date sig.

Download;
-http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/dist/torbrowser/11.0.6/torbrowser-install-11.0.6_en-US.exe

Virustotal;
-VirusTotal

Screen grab of cert hosted @ share.riseup.net
http://aco6injncogk3siaubyh5sterx7w5pocqdrm7mna7u4wuukscgnqpeid.onion/#SaPbdSEXVHxGLcgMMHbmDg

championquizzer · February 15, 2022, 4:02pm

@Tig7, can you verify the signature as described in: How can I verify Tor Browser’s signature?

This can very well be a false positive by the anti-virus/anti-malware software. (ref. https://support.torproject.org/tbb/antivirus-false-positive/)

Tig7 · February 15, 2022, 4:36pm

Thanks for the reply @ championquizzer ,

I can’t verify the signature as described in your link, atm.
The SHA-256 for the .exe matches up though @https://dist.torproject.org/torbrowser/11.0.6/sha256sums-signed-build.txt

The problem is the out of date certificate (see screen grab link above).

Not running any anti-virus/anti-malware software, btw.

Thanks for your help.

championquizzer · February 16, 2022, 9:13am

Where are you seeing this certificate? Thanks!

atari · February 16, 2022, 9:29am

Have a look here in the x509 Certificates section:

Name           The Tor Project, Inc.
Issuer         DigiCert EV Code Signing CA (SHA2)
Valid From     2017-04-04 00:00:00
Valid To       2020-06-04 12:00:00
Algorithm      sha256RSA
Thumbprint     29643B7AC0003D8A882F8A4A6E064110D96B980B
Serial Number  0F 62 2E F3 1D 0F 1E F9 4E 52 0D BD 7A 43 E5 8C

championquizzer · February 16, 2022, 9:48am

I see. Thanks, @atari .

I am afraid, I am not familiar with this, but will bring this to the attention of the Applications Team.

Tig7 · February 18, 2022, 2:43pm

Thanks, @championquizzer and @atari .

@championquizzer
Any feedback from the Applications Team, as I’m unable to update to 11.0.6 until the expired certificate in the digital signature of the installer is addressed.

Thanks.

championquizzer · February 18, 2022, 7:06pm

@Tig7, thank you for reporting! The Applications team is aware of the issue and working to have this resolved (cc @boklm).

championquizzer · February 25, 2022, 2:35pm

The issue is being tracked on our bug tracker, here: Re-sign 11.0.6 and 11.5a4 windows builds (#40434) · Issues · The Tor Project / Applications / tor-browser-build · GitLab

boklm · March 1, 2022, 6:38pm

Hi! Sorry for the delay in fixing this. New .exe files signed with the new certificate have now been uploaded to Index of /torbrowser/11.0.6.

And the next release will be signed with the correct certificate too.

system · March 1, 2022, 8:38pm

This topic was automatically closed 2 hours after the last reply. New replies are no longer allowed.