best way to reinstall Tor Browser in Trisquel/ update security checks
Hi there, can anyone advise me on the best way to completely uninstall (purge) Tor Browser and reinstall it afresh on Trisquel? I use Tor Browser on a regular basis as my main web browser but it has updated itself, apparently without my (conscious) confirmation which I do not like since I generally choose to avoid updates without a confirmation dialogue. In fact this occurred immediately after I visited a certain website whereupon my computer crashed and rebooted which makes me question if this was a clever hack. Hopefully I am just being overly suspicious and I just had too many processes running but I'm nervous. Therefore I would prefer to purge it and reinstall it afresh before using it again. I'm not very experienced with Trisquel software installation as I'm usually only using the basics for my day to day work. I thought this would be reasonably straightforward but the following has not worked for me apparently due to inability to locate the package.
$ sudo apt-get remove --purge tor-browser
[sudo] password for user:
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package tor-browser
Does anyone have tips to get this reinstallation done? Have I just got the package name wrong?
Can anyone remind me of best practice regarding making sure that software updates are coming from the correct repository (at least a reasonable set of steps/checks for a non expert)?
Many thanks for any suggestions.
Trisquel's repository does not have a package named "tor-browser", as the error says. It has "torbrowser-launcher". You may have installed it (or not). The main point of torbrowser-launcher is to have automatic updates of the Tor browser: https://wiki.debian.org/TorBrowser
> The main point of torbrowser-launcher is to have automatic updates of the Tor browser: https://wiki.debian.org/TorBrowser
Tor Browser is self-updating. What torbrowser-launcher does is automate the process of downloading Tor Browser, verifying the signature, and making it appear in $PATH and menus.
However, Trisquel's torbrowser-launcher does not work. I proposed a fix to quidam, but he does not approve of the package itself because it is a downloader and launcher rather than a proper package (the reason it is in Debian contrib, despite not depending on any non-free software). I asked if we could at least remove the package if we aren't going to fix it, but did not get a response and gave up pressing the issue.
> Trisquel's torbrowser-launcher does not work.
Is that a recent problem? I am using Tor Browser on T9 but not sure how I installed it. I thought I used torbrowser-launcher.
EDIT: it happens I also have a problem with updates, I am getting this message: "The version of Tor Browser you have installed is earlier than it should be, which could be a sign of an attack!"
The current best practice seems to be to download and run the portable version from the Tor Project website [1].
Updating is done through downloading a more recent version.
Thanks for your replies! I'm not sure we can describe Trisquel as "Linux" but I noticed on the Tor project website a page which recommends simply deleting a directory in order to uninstall:
https://tb-manual.torproject.org/uninstalling/
"On Linux:
Locate your Tor Browser folder. On Linux, there is no default location, however the folder will be named "tor-browser_en-US" if you are running the English Tor Browser.
Delete the Tor Browser folder.
Empty your Trash.
Note that your operating system’s standard "Uninstall" utility is not used."
This begs the question - why is Tor Browser treated differently than other packages?
Ok, before deleting this version and reinstalling afresh I wanted to check its signature. I tried following instructions for "Linux" at the Tor Project website:
https://support.torproject.org/tbb/how-to-verify-signature/
"gpg --auto-key-locate nodefault,wkd --locate-keys name at domain"
but this prompted a small fail...
$ gpg --auto-key-locate nodefault,wkd --locate-keys name at domain
gpg: invalid auto-key-locate list
gpg: Invalid option "--locate-keys"
Can anyone advise how I can check Tor Browser signature within Trisquel? Many thanks again for any help!
You need to scroll further down the page you linked to, there is a workaround section that might be helpful.
Thanks for pointing that out. I have now scrolled down (on https://support.torproject.org/tbb/how-to-verify-signature/ ) and I find the following which I'm assuming(!) and hoping is the same as what you/others are seeing, including the signature's fingerprint string:
"
If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work. You might be able to import the key using the Workaround (using a public key) section instead.
After importing the key, you can save it to a file (identifying it by fingerprint here):
gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290
If ./tor.keyring doesn't exist after running this command, something has gone wrong and you cannot continue until you've figured out why this didn't work.
"
I also did a little reading around GnuPG including wikipedia articles and man pages in the hope that I do not do something dunderhead. However, this may not have been sufficient because the above command did not result in a ./tor.keyring file existing as far as I can see.
Instead I got the following response:
"
$ gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290
gpg: keyring `/home/user/.gnupg/secring.gpg' created
gpg: WARNING: nothing exported
"
The newly created secring.gpg appears to be an empty file.
I'll wait a while in case someone can make further suggestions but in order to use Tor again I might delete my existing tor directory and reinstall at some stage in the not-too-distant future. This would mean that I would never know if my existing directory contains files with a correct signature. Many thanks in case of further suggestions.
Okay - excuse me, I think I missed out the actual workaround in the belief that the next command was in fact the workaround. I see at the bottom of that webpage the workaround is defined as follows:
"
Workaround (using a public key)
If you encounter errors you cannot fix, feel free to download and use this public key instead. Alternatively, you may use the following command:
curl -s https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf |gpg --import -
"
I will now consider doing this...
Well, I have done this now which worked in the sense that I was subsequently able to create a non-zero tor.keyring file.
Unfortunately I was unable to use it because I cannot find anywhere a *en_US.tar.xz.asc file to match my *en_US.tar.xz
Grrr. Okay, I'm soon going to delete the tor directory and the tor.keyring file and reinstall from scratch...
Is it suspicious that there is no asc file? I assume I would have downloaded it if given the option but in all honesty I cannot remember as it was a while ago...
If you installed through torbrowser-launcher in Trisquel repository you did not need any extra file.
The signature file is necessary for the portable install only.
> Unfortunately I was unable to use it because I cannot find anywhere a *en_US.tar.xz.asc file to match my *en_US.tar.xz
You need to download and use the .asc signature file which is provided on the download page, immediately below the download link for the package itself.
Thanks again lutes. Strangely the tor project webpage ( https://support.torproject.org/tbb/how-to-verify-signature/ ) states:
"
Each file on our download page is accompanied by a file with the same name as the package and the extension ".asc".
"
where the download page is indicated as:
https://www.torproject.org/download/
But if I go to that page there is no .asc file download available as far as I can see. When I download the tor-browser-linux64-10.0_en-US.tar.xz file there is no .asc file accompanying it or within its subdirectories and I guess it doesn't make sense that the signature file would be within the downloaded file.
I tried the tor "community pages" hoping for a forum like this one but I couldn't find one.
1) Can anyone advise where to find the appropriate .asc file to accompany an official tor download?
2) Do other users agree with me that there is no .asc download option available on the download page of the torproject despite their instruction suggesting otherwise?
CORRECTION: if you hover over the text marked "Signature" underneath the Linux download button on the webpage https://www.torproject.org/download/ then there is the option to save link as *.asc file.
My problem was that immediately next to that is a "?" question mark which I thought was all part of one single link "Signature ?" whereas in fact there are two links "Signature" and "?". Clicking the "?" link just takes you back to the https://support.torproject.org/tbb/how-to-verify-signature/ page which seemed to be a bit circular.
Doh! Anyway, maybe this discussion will solve this mode of confusion for a few other dunderheads like me...
Apparent success:
$ gpgv --keyring ./tor.keyring ~/Downloads/tor-browser-linux64-10.0_en-US.tar.xz.asc ~/Downloads/tor-browser-linux64-10.0_en-US.tar.xz
gpgv: Signature made Tue 22 Sep 2020 08:14:53 BST using RSA key ID D9FF06E2
gpgv: Good signature from "Tor Browser Developers (signing key) <name at domain>"
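The steps worked through in this thread (a non-empty exported keyring, a separately downloaded .asc file, then gpgv) can be combined into one check that fails closed at each point where the thread ran into trouble. This is an added example, not part of any post above and not Tor Project code; the function name verify_tarball and its return codes are hypothetical, and the fingerprint is the one quoted earlier in the thread.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): fail-closed signature check.
# verify_tarball and its return codes are hypothetical names/values.

# Primary key fingerprint as quoted in the thread from the Tor Project page.
TOR_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# Usage: verify_tarball KEYRING TARBALL   (expects TARBALL.asc beside TARBALL)
# Returns 0 good signature, 2 keyring missing/empty, 3 tarball or .asc missing,
#         4 keyring does not hold TOR_FPR, 5 gpgv rejected the signature.
verify_tarball() {
    local keyring="$1" tarball="$2" sig="$2.asc"

    # gpg/gpgv treat a keyring name without a slash as relative to ~/.gnupg.
    case "$keyring" in */*) ;; *) keyring="./$keyring" ;; esac

    # "gpg: WARNING: nothing exported" leaves no usable keyring behind.
    [ -s "$keyring" ] || { echo "keyring missing or empty: $keyring" >&2; return 2; }

    # The .asc is a separate download (the "Signature" link), not in the tarball.
    [ -s "$tarball" ] || { echo "tarball missing: $tarball" >&2; return 3; }
    [ -s "$sig" ]     || { echo "signature missing: $sig" >&2; return 3; }

    # Confirm the keyring really contains the expected key before trusting it.
    if ! gpg --no-default-keyring --keyring "$keyring" \
             --with-colons --fingerprint 2>/dev/null \
         | grep -q "^fpr:.*:${TOR_FPR}:"; then
        echo "keyring does not contain $TOR_FPR" >&2
        return 4
    fi

    # gpgv exits non-zero unless the signature verifies against this keyring.
    gpgv --keyring "$keyring" "$sig" "$tarball" || return 5
}

# Run directly: ./verify.sh ./tor.keyring ~/Downloads/<tarball>.tar.xz
if [ "$#" -eq 2 ]; then
    verify_tarball "$1" "$2"
fi
```

Only extract and run the tarball when the function returns 0; any other code means a precondition was not met or the signature did not verify.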
Hi guys!
I had the same problem with the signature checking when I tried to download Tor from the Trisquel repo, many months ago. I solved it using the Tor website, but does any one of us know why this problem persists? It only needs the new keys updated, I believe...
For (I)Gnu-rant users like me, it would be a great gift for the next time!!! :-)