Signature check is not working

Hi everybody,

New to this forum. I tried to check the signature for TorBrowser-12.0.2-macos_ALL.dmg

gpg --list-signatures torbrowser@torproject.org
pub   rsa4096 2014-12-15 [C] [expires: 2025-07-21]
      EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
uid           [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
sig 3        4E2C6E8793298290 2020-07-22  Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub   rsa4096 2021-09-17 [S] [expires: 2023-09-17]
sig          4E2C6E8793298290 2021-09-17  Tor Browser Developers (signing key) <torbrowser@torproject.org>

I exported the key to my ~/Downloads, where TorBrowser-12.0.2-macos_ALL.dmg and TorBrowser-12.0.2-macos_ALL.dmg.asc also reside:

gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290

But I get a “bad signature” with:

gpgv --keyring ./tor.keyring ./TorBrowser-12.0.2-macos_ALL.dmg.asc ./TorBrowser-12.0.2-macos_ALL.dmg
gpgv: Signature made Thu 19 Jan 14:44:41 2023 CET
gpgv:                using RSA key E53D989A9E2D47BF
gpgv: BAD signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"

I am not very familiar with gnupg. Did I do something wrong?

Best greetings to all

marek

Works for me.

Try to redownload the files.

And maybe compute the hashes of the files first. For me it’s

$ sha256sum TorBrowser-12.0.2-macos_ALL.dmg
c6968a7041890de6ac344e9163ce0a1c0fb82394a2da9d4e7f77e0bce7a1c952  TorBrowser-12.0.2-macos_ALL.dmg
$ sha256sum TorBrowser-12.0.2-macos_ALL.dmg.asc
de14cf6c4dfa575a7c377a0a52236a188422dc724a25254d0023e2535f1eafd5  TorBrowser-12.0.2-macos_ALL.dmg.asc

Also you can try adding the -vvv arguments to the gpgv command for more verbose output.

The problem was that I tried to download the dmg over the Tor Net. It is always failing. I now get the same shasum and the signature is OK. Probably you should never download huge files over the Tor network. Is this considered misuse?

In any case Thx WofWca
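The check order suggested in the thread (compare hashes first, then verify the signature), as an added example that is not part of the original posts. The function names are hypothetical, and the reference hashes are assumed to come from a known-good copy, such as the values posted in the reply above.

```shell
#!/bin/sh
# Added example: tell a damaged download apart from a key/signature problem.
# A matching hash only shows the file equals the reference copy; the gpgv
# result is still the authenticity check.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 if the file matches the expected digest, 1 on mismatch,
# 2 if the file does not exist.
check_sha256() {
    target=$1
    want=$2
    [ -f "$target" ] || { echo "missing: $target" >&2; return 2; }
    got=$(sha256_of "$target")
    if [ "$got" = "$want" ]; then
        echo "hash ok: $target"
    else
        echo "hash MISMATCH: $target (got $got)" >&2
        echo "download is incomplete or corrupted; fetch it again" >&2
        return 1
    fi
}

# Compare the file and its .asc against reference hashes, and only then
# run gpgv. gpgv is never reached when the download itself is damaged.
verify_download() {
    keyring=$1
    dl=$2
    dl_sha=$3
    sig_sha=$4
    check_sha256 "$dl" "$dl_sha" || return 1
    check_sha256 "$dl.asc" "$sig_sha" || return 1
    gpgv --keyring "$keyring" "$dl.asc" "$dl"
}

# Usage with the keyring exported in the first post:
#   verify_download ./tor.keyring ./TorBrowser-12.0.2-macos_ALL.dmg \
#       <sha256 of the .dmg> <sha256 of the .dmg.asc>
```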