Package Details: tor-browser-bin 14.0.3-1

Git Clone URL: https://aur.archlinux.org/tor-browser-bin.git (read-only, click to copy)
Package Base: tor-browser-bin
Description: Tor Browser Bundle: anonymous browsing using Firefox and Tor
Upstream URL: https://www.torproject.org/projects/torbrowser.html
Licenses: MPL-2.0
Conflicts: tor-browser
Provides: tor-browser
Submitter: FabioLolix
Maintainer: grufo (jugs)
Last Packager: jugs
Votes: 1280
Popularity: 1.03
First Submitted: 2023-09-24 17:45 (UTC)
Last Updated: 2024-12-06 14:48 (UTC)

Pinned Comments

grufo commented on 2019-08-15 02:22 (UTC)

Before running makepkg, you must do this (as normal user):

$ gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

If you want to update tor-browser from AUR without AUR helpers you can run in a terminal:

$ tor-browser -u

Latest Comments

« First ‹ Previous 1 .. 35 36 37 38 39 40 41 42 43 44 45 .. 77 Next › Last »

kyak commented on 2017-01-25 18:14 (UTC)

Weird. First time running: gpg --keyserver pool.sks-keyservers.net --recv-keys D1483FA6C3C07136 Returns: gpg: keyserver receive failed: No such file or directory Second time running: gpg --keyserver pool.sks-keyservers.net --recv-keys D1483FA6C3C07136 Returns: gpg: keyserver receive failed: No keyserver available This is consistent. After killing dirmngr, i get "No such file or directory". All other times, i get "No keyserver available". I tried various other keyservers with the same results.

yar commented on 2017-01-25 17:25 (UTC)

@slav what error messages did you get?

z3ntu commented on 2017-01-25 11:43 (UTC)

@Maintainer: The package kdebase-kdialog was renamed to just kdialog recently.

slav commented on 2017-01-25 10:15 (UTC)

Unfortunately gpg --keyserver pool.sks-keyservers.net --recv-keys D1483FA6C3C07136 didn't resolved issue however insecure command: makepkg --skippgpcheck let me make packages and manually install them

yar commented on 2017-01-25 09:14 (UTC) (edited on 2018-09-06 16:52 (UTC) by yar)

Before running makepkg, you must do this:

gpg --keyserver pool.sks-keyservers.net --recv-keys EB774491D9FF06E2

See below for details.

yar commented on 2017-01-25 09:12 (UTC)

A headache indeed. First of all, let's review all the relevant keys:

1) 8738A680B84B3031A630F2DB:416F0610:63FEE659 Erinn Clark's personal key - 4.0.3 [2015-01-14] and earlier were signed by this 2) EF6E286DDA85EA2A4BA7DE68:4E2C6E87:93298290 A master key created on 2014-12-15 for the purpose of signing other Tor Browser Developer keys 3) BA1EE421BBB45263180E1FC7:2E1AC68E:D40814E0 signed by #2, 4.0.4 [2015-02-25] through 6.0.8 [2016-12-13] were signed by this 4) A4300A6BC93C0877A4451486:D1483FA6:C3C07136 signed by #2, 6.5 [2017-01-24, today] is signed by this

Second of all, look at the makepkg source code: https://git.archlinux.org/pacman.git/tree/scripts/libmakepkg/integrity/verify_signature.sh.in#n64

  • If the signer of the .asc file is not known by your build user's gpg keyring, your error message will be: "unknown public key"
  • If validgpgkeys doesn't exist and the key isn't TRUSTED by your build user's gpg keyring, your error message will be: "the public key %s is not trusted"
  • If validgpgkeys exists and the MASTER KEY isn't listed there, your error message will be: "invalid public key"
  • Again, it checks against the MASTER KEY. Listing the subkey does nothing. See line 239: "If the file was signed with a subkey, arg10 contains the fingerprint of the primary key"

Note that makepkg has no code for retrieving signatures. It relies on you to --recv-key on your own. The validgpgkeys code doesn't even execute until makepkg has queried your build user's gpg keyring. So no matter what you need to --recv-key, which only downloads the key and does not imply that you fully trust it (for that you would run --edit-key). Validgpgkeys is used in lieue of fully trusting the key, but you still need to download it yourself. If you don't want to interact with GPG on your own, then run makepkg --skippgpcheck. There is no other way.

tl;dr you have to run this: gpg --keyserver pool.sks-keyservers.net --recv-keys D1483FA6C3C07136

thinhakapete commented on 2017-01-24 09:37 (UTC)

@Alpha I got this too. Such a headache!!

now-im commented on 2017-01-19 17:13 (UTC)

Such a headache! gpg --keyserver pool.sks-keyservers.net --recv-keys 2E1AC68ED40814E0 simply doesn't work. please update package build. All this people having trouble and the available key in comment feedback this message, gpg: keyserver receive failed: No keyserver available

beroal commented on 2017-01-19 12:32 (UTC)

@fightcookie: The Arch wiki recommends embedding key *fingerprints*. "validpgpkeys" exists in PKGBUILD of this package. So I don't understand what you don't like about this package.

xuiqzy commented on 2017-01-19 11:31 (UTC)

If one adds the keys needed to verify this package (the ones you said we should add manually) to the keyring, these are used for all packages, rather than only for this package, if they are in the validpgpkeys array in the PKGBUILD. The Arch wiki recommends embedding the pgp keys in the PKGBUILD, too ( https://wiki.archlinux.org/index.php/PKGBUILD#validpgpkeys )