How to verify tor source code
A digital signature is a process that ensures the tor source code you download was created by Tor developers and has not been tampered with. Below we explain why it is important and how to verify that the Tor you download is the one we created and has not been modified by an attacker.
Attention: These instructions are to verify the tor source code. Please follow the right instructions to verify Tor Browser's signature.
Downloading the signature files
The Tor source files on our download page are accompanied by two files which are labelled "checksum" and "sig" with the same name as the package and the extension ".sha256sum" and ".sha256sum.asc" respectively.
The .asc file will verify that the .sha256sum file (containing the checksum of the package) has not been tampered with. Once the signature has been validated (see below on how to do it), the package integrity can be validated with:
$ sha256sum -c *.sha256sum
These files allow you to verify the file you've downloaded is exactly the one that we intended you to get. This will vary by web browser, but generally you can download this file by right-clicking the "sig" and "checksum" link and selecting the "save file as" option.
For example, tor-0.4.6.7.tar.gz is accompanied by tor-0.4.6.7.tar.gz.sha256sum.asc. These are example file names and will not exactly match the file names that you download.
Please notice that a signature is dated the moment the package has been signed. Therefore every time a new file is uploaded a new signature is generated with a different date. As long as you have verified the signature you should not worry that the reported date may vary.
GnuPG telepítése
First of all you need to have GnuPG installed before you can verify signatures. If you run Windows, download Gpg4win and run its installer.
In order to verify the signature you will need to type a few commands in windows command-line, cmd.exe.
Fetching the Tor Developers key
The following keys can sign the tarball. Don't expect them all, it can vary depending on who is available to make the release.
- Alexander Færøy: 514102454D0A87DB0767A1EBBE6A0531C18A9179
- David Goulet: B74417EDDF22AC9F9E90F49142E86A2A11F48D36
- Nick Mathewson: 2133BC600AB133E1D826D173FE43009C4607B1FB
You can fetch the key with the links provided above or with:
$ gpg --auto-key-locate nodefault,wkd --locate-keys ahf@torproject.org $ gpg --auto-key-locate nodefault,wkd --locate-keys dgoulet@torproject.org $ gpg --auto-key-locate nodefault,wkd --locate-keys nickm@torproject.org
This should show you something like (for nickm):
gpg: key FE43009C4607B1FB: public key "Nick Mathewson nickm@torproject.org" imported gpg: Total number processed: 1 gpg: imported: 1 pub rsa4096 2016-09-21 [C] [expires: 2025-10-04] 2133BC600AB133E1D826D173FE43009C4607B1FB uid [ unknown] Nick Mathewson nickm@torproject.org sub rsa4096 2016-09-23 [S] [expires: 2025-10-04] sub rsa4096 2016-09-23 [E] [expires: 2025-10-04]
If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work. You might be able to import the key using the Workaround (using a public key) section instead.
After importing the key, you can save it to a file (identifying it by its fingerprint here):
$ gpg --output ./tor.keyring --export 0x2133BC600AB133E1D826D173FE43009C4607B1FB
This command results in the key being saved to a file found at the path ./tor.keyring, i.e. in the current directory. If ./tor.keyring doesn't exist after running this command, something has gone wrong and you cannot continue until you've figured out why this didn't work.
Aláírás ellenőrzése
To verify the signature of the package you downloaded, you will need to download the corresponding .sha256sum.asc signature file and the .sha256sum file itself, and verify it with a command that asks GnuPG to verify the file that you downloaded.
The examples below assume that you downloaded these two files to your "Downloads" folder. Note that these commands use example file names and yours will be different: you will have downloaded a different version than 9.0 and you may not have chosen the English (en-US) version.
gpgv --keyring .\tor.keyring Downloads\tor-0.4.6.10.tar.gz.sha256sum.asc Downloads\tor-0.4.6.10.tar.gz.sha256sum
The result of the command should produce something like this (depending on which key signed it):
gpgv: Signature made Mon 16 Aug 2021 04:44:27 PM -03 gpgv: using RSA key 7A02B3521DC75C542BA015456AFEE6D49E92B601 gpgv: Good signature from "Nick Mathewson nickm@torproject.org"
If you get error messages containing 'No such file or directory', either something went wrong with one of the previous steps, or you forgot that these commands use example file names and yours will be a little different.
You may also want to learn more about GnuPG.
Verifying checksum
Now that we validated the signatures of the checksum, we need to verify the integrity of the package.
certUtil -hashfile tor-0.4.6.10.tar.gz.sha256sum SHA256
Attention: These instructions are to verify the tor source code. Please follow the right instructions to verify Tor Browser's signature.
Downloading the signature files
The Tor source files on our download page are accompanied by two files which are labelled "checksum" and "sig" with the same name as the package and the extension ".sha256sum" and ".sha256sum.asc" respectively.
The .asc file will verify that the .sha256sum file (containing the checksum of the package) has not been tampered with. Once the signature has been validated (see below on how to do it), the package integrity can be validated with:
$ sha256sum -c *.sha256sum
These files allow you to verify the file you've downloaded is exactly the one that we intended you to get. This will vary by web browser, but generally you can download this file by right-clicking the "sig" and "checksum" link and selecting the "save file as" option.
For example, tor-0.4.6.7.tar.gz is accompanied by tor-0.4.6.7.tar.gz.sha256sum.asc. These are example file names and will not exactly match the file names that you download.
Please notice that a signature is dated the moment the package has been signed. Therefore every time a new file is uploaded a new signature is generated with a different date. As long as you have verified the signature you should not worry that the reported date may vary.
GnuPG telepítése
If you are using macOS, you can install GPGTools.
Fetching the Tor Developers key
The following keys can sign the tarball. Don't expect them all, it can vary depending on who is available to make the release.
- Alexander Færøy: 514102454D0A87DB0767A1EBBE6A0531C18A9179
- David Goulet: B74417EDDF22AC9F9E90F49142E86A2A11F48D36
- Nick Mathewson: 2133BC600AB133E1D826D173FE43009C4607B1FB
You can fetch the key with the links provided above or with:
$ gpg --auto-key-locate nodefault,wkd --locate-keys ahf@torproject.org $ gpg --auto-key-locate nodefault,wkd --locate-keys dgoulet@torproject.org $ gpg --auto-key-locate nodefault,wkd --locate-keys nickm@torproject.org
This should show you something like (for nickm):
gpg: key FE43009C4607B1FB: public key "Nick Mathewson nickm@torproject.org" imported gpg: Total number processed: 1 gpg: imported: 1 pub rsa4096 2016-09-21 [C] [expires: 2025-10-04] 2133BC600AB133E1D826D173FE43009C4607B1FB uid [ unknown] Nick Mathewson nickm@torproject.org sub rsa4096 2016-09-23 [S] [expires: 2025-10-04] sub rsa4096 2016-09-23 [E] [expires: 2025-10-04]
If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work. You might be able to import the key using the Workaround (using a public key) section instead.
After importing the key, you can save it to a file (identifying it by its fingerprint here):
$ gpg --output ./tor.keyring --export 0x2133BC600AB133E1D826D173FE43009C4607B1FB
This command results in the key being saved to a file found at the path ./tor.keyring, i.e. in the current directory. If ./tor.keyring doesn't exist after running this command, something has gone wrong and you cannot continue until you've figured out why this didn't work.
Aláírás ellenőrzése
To verify the signature of the package you downloaded, you will need to download the corresponding .sha256sum.asc signature file and the .sha256sum file itself, and verify it with a command that asks GnuPG to verify the file that you downloaded.
The examples below assume that you downloaded these two files to your "Downloads" folder. Note that these commands use example file names and yours will be different: you will have downloaded a different version than 9.0 and you may not have chosen the English (en-US) version.
MacOS felhasználók:
gpgv --keyring ./tor.keyring ~/Downloads/tor-0.4.6.10.tar.gz.sha256sum.asc ~/Downloads/tor-0.4.6.10.tar.gz.sha256sum
If you get error messages containing 'No such file or directory', either something went wrong with one of the previous steps, or you forgot that these commands use example file names and yours will be a little different.
You may also want to learn more about GnuPG.
Verifying checksum
Now that we validated the signatures of the checksum, we need to verify the integrity of the package.
shasum -a 256 tor-0.4.6.10.tar.gz.sha256sum
Attention: These instructions are to verify the tor source code. Please follow the right instructions to verify Tor Browser's signature.
Downloading the signature files
The Tor source files on our download page are accompanied by two files which are labelled "checksum" and "sig" with the same name as the package and the extension ".sha256sum" and ".sha256sum.asc" respectively.
The .asc file will verify that the .sha256sum file (containing the checksum of the package) has not been tampered with. Once the signature has been validated (see below on how to do it), the package integrity can be validated with:
$ sha256sum -c *.sha256sum
These files allow you to verify the file you've downloaded is exactly the one that we intended you to get. This will vary by web browser, but generally you can download this file by right-clicking the "sig" and "checksum" link and selecting the "save file as" option.
For example, tor-0.4.6.7.tar.gz is accompanied by tor-0.4.6.7.tar.gz.sha256sum.asc. These are example file names and will not exactly match the file names that you download.
Please notice that a signature is dated the moment the package has been signed. Therefore every time a new file is uploaded a new signature is generated with a different date. As long as you have verified the signature you should not worry that the reported date may vary.
GnuPG telepítése
First of all you need to have GnuPG installed before you can verify signatures.
If you are using GNU/Linux, then you probably already have GnuPG in your system, as most GNU/Linux distributions come with it preinstalled.
In order to verify the signature you will need to type a few commands in a terminal window. How to do this will vary depending on your distribution.
Fetching the Tor Developers key
The following keys can sign the tarball. Don't expect them all, it can vary depending on who is available to make the release.
- Alexander Færøy: 514102454D0A87DB0767A1EBBE6A0531C18A9179
- David Goulet: B74417EDDF22AC9F9E90F49142E86A2A11F48D36
- Nick Mathewson: 2133BC600AB133E1D826D173FE43009C4607B1FB
You can fetch the key with the links provided above or with:
$ gpg --auto-key-locate nodefault,wkd --locate-keys ahf@torproject.org $ gpg --auto-key-locate nodefault,wkd --locate-keys dgoulet@torproject.org $ gpg --auto-key-locate nodefault,wkd --locate-keys nickm@torproject.org
This should show you something like (for nickm):
gpg: key FE43009C4607B1FB: public key "Nick Mathewson nickm@torproject.org" imported gpg: Total number processed: 1 gpg: imported: 1 pub rsa4096 2016-09-21 [C] [expires: 2025-10-04] 2133BC600AB133E1D826D173FE43009C4607B1FB uid [ unknown] Nick Mathewson nickm@torproject.org sub rsa4096 2016-09-23 [S] [expires: 2025-10-04] sub rsa4096 2016-09-23 [E] [expires: 2025-10-04]
If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work. You might be able to import the key using the Workaround (using a public key) section instead.
After importing the key, you can save it to a file (identifying it by its fingerprint here):
$ gpg --output ./tor.keyring --export 0x2133BC600AB133E1D826D173FE43009C4607B1FB
This command results in the key being saved to a file found at the path ./tor.keyring, i.e. in the current directory. If ./tor.keyring doesn't exist after running this command, something has gone wrong and you cannot continue until you've figured out why this didn't work.
Aláírás ellenőrzése
To verify the signature of the package you downloaded, you will need to download the corresponding .sha256sum.asc signature file and the .sha256sum file itself, and verify it with a command that asks GnuPG to verify the file that you downloaded.
The examples below assume that you downloaded these two files to your "Downloads" folder. Note that these commands use example file names and yours will be different: you will have downloaded a different version than 9.0 and you may not have chosen the English (en-US) version.
gpgv --keyring ./tor.keyring ~/Downloads/tor-0.4.6.10.tar.gz.sha256sum.asc ~/Downloads/tor-0.4.6.10.tar.gz.sha256sum
The result of the command should produce something like this (depending on which key signed it):
gpgv: Signature made Mon 16 Aug 2021 04:44:27 PM -03 gpgv: using RSA key 7A02B3521DC75C542BA015456AFEE6D49E92B601 gpgv: Good signature from "Nick Mathewson nickm@torproject.org"
If you get error messages containing 'No such file or directory', either something went wrong with one of the previous steps, or you forgot that these commands use example file names and yours will be a little different.
You may also want to learn more about GnuPG.
Verifying checksum
Now that we validated the signatures of the checksum, we need to verify the integrity of the package.
sha256sum -c tor-0.4.6.10.tar.gz.sha256sum