Release 0.4.5.12 and 0.4.6.10

Where to Download

Changes

Below are the major changes of the released versions and links to more detailed release notes.

Stable

These versions have mostly minor bugfixes. Both previous releases did not have the GeoIP and fallbackdir lists updated due to a release pipeline issue on our side. This is the primary reason for these new releases today.

Furthermore, these releases also make relays stop advertising onion service v2 support in the protocol version. Onion service v2 was already disabled in previous releases and so this change shouldn’t make any difference except that they won’t advertise it on the network anymore.

Release Notes

2 Likes

For the tor-0.4.6.10.tar.gz file, the .asc file with the signature is missing. For 0.4.6.9 the file was present. It will be needed for source file verification in the automatic package build process.

I have encountered the same problem. Now I use the following commands to verify the tor tarball:

  TOR_VERSION=0.4.6.10 && \
  curl -SL -O https://dist.torproject.org/tor-${TOR_VERSION}.tar.gz && \
  curl -SL -O https://dist.torproject.org/tor-${TOR_VERSION}.tar.gz.sha256sum && \
  curl -SL -O https://dist.torproject.org/tor-${TOR_VERSION}.tar.gz.sha256sum.asc && \
  gpg --keyserver keys.openpgp.org --recv-keys \
        0xEB5A896A28988BF5 \
        0xC218525819F78451 \
        0xFE43009C4607B1FB \
        0x6AFEE6D49E92B601 \
        B74417EDDF22AC9F9E90F49142E86A2A11F48D36 \
        514102454D0A87DB0767A1EBBE6A0531C18A9179 && \
  echo "$(cat tor-${TOR_VERSION}.tar.gz.sha256sum) tor-${TOR_VERSION}.tar.gz" | sha256sum --check && \
  gpg --verify tor-${TOR_VERSION}.tar.gz.sha256sum.asc

But I am not sure about the GPG keys. I saw B74417EDDF22AC9F9E90F49142E86A2A11F48D36 and 514102454D0A87DB0767A1EBBE6A0531C18A9179 for the first time today and I can’t find any information on whether these keys are authorized to sign the tarball.

Checksum files are now signed. They are multisig from network team people. We now build tor releases in a reproducible way and these signatures are created by our CI:

https://dist.torproject.org/tor-0.4.5.12.tar.gz.sha256sum.asc
https://dist.torproject.org/tor-0.4.6.10.tar.gz.sha256sum.asc

B74417EDDF22AC9F9E90F49142E86A2A11F48D36 is mine as in “David Goulet (dgoulet)” part of the network team.

And the other one is “Alexander Færøy (ahf)”, again part of the network team. We’ll be signing “tor.git” releases for the foreseeable future.

I’ll be adding that information in the README.md of “which key can sign the tarball”.

1 Like
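With the two new fingerprints confirmed above as network-team keys, a build script can pin them instead of accepting a good signature from any key in the local keyring. The following is an added example, not part of the original posts or of the Tor Project's tooling; the function names and the `min_signers` threshold are assumptions, and it expects the tarball, `.sha256sum` and `.sha256sum.asc` files to be downloaded and the keys imported already.

```shell
#!/usr/bin/env bash
# Primary-key fingerprints named in this thread as network-team signers.
ALLOWED_SIGNERS="B74417EDDF22AC9F9E90F49142E86A2A11F48D36 514102454D0A87DB0767A1EBBE6A0531C18A9179"

# Reads `gpg --status-fd` output on stdin and prints the number of distinct
# allowed primary keys that produced a VALIDSIG line. Any BADSIG forces 0.
# ERRSIG (for example a co-signer whose key is not imported) is not fatal,
# because the checksum file carries several signatures.
count_allowed_signers() {
  awk -v allowed="$ALLOWED_SIGNERS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 != "[GNUPG:]" { next }
    $2 == "BADSIG"   { bad = 1 }
    $2 == "VALIDSIG" {
      # Field 3 is the signing (sub)key; field 12, when present, is the
      # primary key fingerprint, which is what the allowlist pins.
      fpr = (NF >= 12) ? $12 : $3
      if ((fpr in ok) && !(fpr in seen)) { seen[fpr] = 1; count++ }
    }
    END { print (bad ? 0 : count + 0) }'
}

# Usage: verify_tor_tarball 0.4.6.10 [min_signers]   (min_signers defaults to 1)
verify_tor_tarball() {
  local base need status n
  base="tor-$1.tar.gz"
  need="${2:-1}"
  # gpg exits non-zero if any one signature cannot be checked, so the
  # decision is taken from the status lines, not from the exit code.
  status=$(gpg --batch --status-fd 1 --verify \
             "$base.sha256sum.asc" "$base.sha256sum" 2>/dev/null) || true
  n=$(printf '%s\n' "$status" | count_allowed_signers)
  if [ "$n" -lt "$need" ]; then
    echo "checksum file has $n allowed signer(s), need $need" >&2
    return 1
  fi
  # Only now is the checksum trusted. `cut` keeps the first field, so the
  # check works whether the file holds the bare hash or "hash  filename".
  echo "$(cut -d' ' -f1 "$base.sha256sum")  $base" | sha256sum --check
}
```

Calling `verify_tor_tarball 0.4.6.10 2` requires both pinned keys to have signed the checksum file before the tarball hash is compared.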

Could you also update the downloads page and the verifying the source code page? The former still links to a non-existent .asc file, and the latter doesn’t mention the new method or the newly used keys.