Digital signature is a process ensuring that a certain package was generated by its developers and has not been tampered with. Below we explain why it is important and how to verify that the Tor program you download is the one we have created and has not been modified by some attacker.

Each file on our download page is accompanied by a file with the same name as the package and the extension ".asc". These .asc files are GPG signatures. They allow you to verify the file you've downloaded is exactly the one that we intended you to get. For example, torbrowser-install-8.0.8_en-US.exe is accompanied by torbrowser-install-8.0.8_en-US.exe.asc. For a list of which developer signs which package, see our signing keys page.

We now show how you can verify the downloaded file's digital signature on different operating systems. Please notice that a signature is dated the moment the package has been signed. Therefore every time a new file is uploaded a new signature is generated with a different date. As long as you have verified the signature you should not worry that the reported date may vary.

Windows

First of all you need to have GnuPG installed before you can verify signatures. Download it from https://gpg4win.org/download.html.

Once it's installed, use GnuPG to import the key that signed your package. In order to verify the signature you will need to type a few commands in windows command-line, cmd.exe.

The Tor Browser team signs Tor Browser releases. Import its key (0x4E2C6E8793298290) by starting cmd.exe and typing:

gpg.exe --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290

After importing the key, you can verify that the fingerprint is correct:

gpg.exe --fingerprint 0x4E2C6E8793298290

You should see:

pub   rsa4096/0x4E2C6E8793298290 2014-12-15 [C] [expires: 2020-08-24]
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
uid                   [ unknown] Tor Browser Developers (signing key) <torbrowser&at;torproject.org>
sub   rsa4096/0xEB774491D9FF06E2 2018-05-26 [S] [expires: 2020-09-12]
      Key fingerprint = 1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2

To verify the signature of the package you downloaded, you will need to download the ".asc" file as well. Assuming you downloaded the package and its signature to your Desktop, run:

gpg.exe --verify C:\\Users\\Alice\\Desktop\\torbrowser-install-win64-8.0.8_en-US.exe.asc C:\\Users\\Alice\\Desktop\\torbrowser-install-8.0.8_en-US.exe

Please substitute "Alice" with your own username.

The output should say "Good signature":

gpg: Signature made Tue 12 Feb 2019 08:27:41 AM EST
gpg:                using RSA key EB774491D9FF06E2
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
     Subkey fingerprint: 1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2

Currently valid subkey fingerprints are:

1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2

Notice that there is a warning because you haven't assigned a trust index to this person. This means that GnuPG verified that the key made that signature, but it's up to you to decide if that key really belongs to the developer. The best method is to meet the developer in person and exchange key fingerprints.

Mac OS X and Linux

You need to have GnuPG installed before you can verify signatures. If you are using Mac OS X, you can install it from https://www.gpgtools.org/. If you are using Linux, then you probably already have GnuPG in your system, as most Linux distributions come with it preinstalled.

The next step is to use GnuPG to import the key that signed your package. The Tor Browser team signs Tor Browser releases. Import its key (0x4E2C6E8793298290) by starting the terminal (under "Applications" in Mac OS X) and typing:

gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290

After importing the key, you can verify that the fingerprint is correct:

gpg --fingerprint 0x4E2C6E8793298290

You should see:

pub   rsa4096/0x4E2C6E8793298290 2014-12-15 [C] [expires: 2020-08-24]
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
uid                   [ unknown] Tor Browser Developers (signing key) <torbrowser&at;torproject.org>
sub   rsa4096/0xEB774491D9FF06E2 2018-05-26 [S] [expires: 2020-09-12]
      Key fingerprint = 1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2

To verify the signature of the package you downloaded, you will need to download the ".asc" file as well. Assuming you downloaded the package and its signature to your Downloads folder, run:

For Mac OS X users:

gpg --verify ~/Downloads/TorBrowser-8.0.8-osx64_en-US.dmg{.asc,}

For Linux users (change 64 to 32 if you have the 32-bit package):

gpg --verify tor-browser-linux64-8.0.8_en-US.tar.xz{.asc,}

The output should say "Good signature":

gpg: Signature made Wed 15 Nov 2017 05:52:38 PM CET
gpg:                using RSA key 0xD1483FA6C3C07136
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser&at;torproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
     Subkey fingerprint: A430 0A6B C93C 0877 A445  1486 D148 3FA6 C3C0 7136

Currently valid subkey fingerprints are:

1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2

Notice that there is a warning because you haven't assigned a trust index to this person. This means that GnuPG verified that the key made that signature, but it's up to you to decide if that key really belongs to the developer. The best method is to meet the developer in person and exchange key fingerprints.

See https://www.gnupg.org/documentation/ to learn more about GnuPG.