Package Details: tor-browser-bin 14.0.2-1

Git Clone URL: https://aur.archlinux.org/tor-browser-bin.git (read-only, click to copy)
Package Base: tor-browser-bin
Description: Tor Browser Bundle: anonymous browsing using Firefox and Tor
Upstream URL: https://www.torproject.org/projects/torbrowser.html
Licenses: MPL-2.0
Conflicts: tor-browser
Provides: tor-browser
Submitter: FabioLolix
Maintainer: grufo (jugs)
Last Packager: grufo
Votes: 1282
Popularity: 1.99
First Submitted: 2023-09-24 17:45 (UTC)
Last Updated: 2024-11-17 05:13 (UTC)

Pinned Comments

grufo commented on 2019-08-15 02:22 (UTC)

Before running makepkg, you must do this (as normal user):

$ gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

If you want to update tor-browser from AUR without AUR helpers you can run in a terminal:

$ tor-browser -u

Latest Comments

1 2 3 4 5 6 .. 77 Next › Last »

rafaelff commented on 2024-10-02 10:08 (UTC)

When you get ==> ERROR : sha256sums does not allow empty values., there is a chance a new tor-browser version released.

Try accessing the tarball URL (example, for 13.5.5 it is https://dist.torproject.org/torbrowser/13.5.5/); if you get "Not Found" error, then please flag the package as out of date.

richard_mt commented on 2024-10-02 06:56 (UTC) (edited on 2024-10-02 07:07 (UTC) by richard_mt)

I hit this error:

$ makepkg -si
==> ERREUR : sha256sums does not allow empty values.
==> ERREUR : sha256sums does not allow empty values.

I think this is due to CARCH not being set properly on my system, but I don't know how to fix it

My bad, it was simply due to the download file 13.5.5 not being available anymore on the server.

kysh commented on 2024-10-01 21:18 (UTC) (edited on 2024-10-01 21:23 (UTC) by kysh)

makepkg -s fails with

==> ERROR: sha256sums does not allow empty values.
==> ERROR: sha256sums does not allow empty values.

while

tor-browser -u says

Everything is up to date (current version: 13.5.4).

The browser itself on the "About" menu says its

13.5.6 (based on Mozilla Firefox 115.16.0esr)

Guess the browser updated itself sans AUR

nisavid commented on 2024-09-26 17:16 (UTC)

TL;DR: If you're still encountering

    tor-browser-linux-x86_64-13.5.3.tar.xz ... FAILED (unknown public key 157432CF78A65729)

then run this before building the package:

$ gpg --auto-key-locate nodefault,wkd,keyserver --keyserver hkps://keys.openpgp.org --locate-keys torbrowser@torproject.org

The key-retrieval command suggested by @grufo was insufficient for me.

I retrieved the key from WKD:

$ gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
pub   rsa4096/4E2C6E8793298290 2014-12-15 [C] [expires: 2025-07-21]
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
      origin=ks last=2023-08-07 url=https://keys.openpgp.org:443
uid                 [marginal] Tor Browser Developers (signing key) <torbrowser@torproject.org>
                    kounek7zrdx745qydx6p59t9mqjpuhdf@torproject.org
                    origin=ks last=2023-08-07

But the package build still failed:

$ makepkg -i
⋮
==> Verifying source file signatures with gpg...
    tor-browser-linux-x86_64-13.5.4.tar.xz ... FAILED (unknown public key 157432CF78A65729)
==> ERROR: One or more PGP signatures could not be verified!

Notice that the missing key was indeed not retrieved:

$ gpg --list-keys torbrowser@torproject.org                         
pub   rsa4096/4E2C6E8793298290 2014-12-15 [C] [expires: 2025-07-21]
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
      origin=ks last=2023-08-07 url=https://keys.openpgp.org:443
uid                 [marginal] Tor Browser Developers (signing key) <torbrowser@torproject.org>
                    kounek7zrdx745qydx6p59t9mqjpuhdf@torproject.org
                    origin=ks last=2023-08-07

Retrieving the missing key from the OpenPGP keyserver did the trick, obtaining a subkey of the key retrieved from WKD:

$ gpg --keyserver hkps://keys.openpgp.org --recv-keys 157432CF78A65729

pub  rsa4096/4E2C6E8793298290  created: 2014-12-15  expires: 2027-07-15
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290

     Tor Browser Developers (signing key) <torbrowser@torproject.org>

Do you want to import this key? (y/N) y
gpg: key 4E2C6E8793298290: "Tor Browser Developers (signing key) <torbrowser@torproject.org>" 3 new signatures
gpg: key 4E2C6E8793298290: "Tor Browser Developers (signing key) <torbrowser@torproject.org>" 1 new subkey
gpg: Total number processed: 1
gpg:            new subkeys: 1
gpg:         new signatures: 3

$ gpg --list-keys torbrowser@torproject.org                    
pub   rsa4096/4E2C6E8793298290 2014-12-15 [C] [expires: 2027-07-15]
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
      origin=ks last=2023-08-07 url=https://keys.openpgp.org:443
uid                 [marginal] Tor Browser Developers (signing key) <torbrowser@torproject.org>
                    kounek7zrdx745qydx6p59t9mqjpuhdf@torproject.org
                    origin=ks last=2023-08-07 
sub   rsa4096/157432CF78A65729 2024-07-15 [S] [expires: 2026-10-26]

After this, the package build succeeded.

Note that the subkey was available on the OpenPGP keyserver but not on the Ubuntu keyserver.

In retrospect, I could've retrieved both keys with one command. This is what I'd recommend running in lieu of the gpg command suggested by @grufo:

$ gpg --auto-key-locate nodefault,wkd,keyserver --keyserver hkps://keys.openpgp.org --locate-keys torbrowser@torproject.org
pub   rsa4096/4E2C6E8793298290 2014-12-15 [C] [expires: 2027-07-15]
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
      origin=ks last=2023-08-07 url=https://keys.openpgp.org:443
uid                 [marginal] Tor Browser Developers (signing key) <torbrowser@torproject.org>
                    kounek7zrdx745qydx6p59t9mqjpuhdf@torproject.org
                    origin=ks last=2023-08-07 
sub   rsa4096/157432CF78A65729 2024-07-15 [S] [expires: 2026-10-26]

leuko commented on 2024-09-24 16:51 (UTC) (edited on 2024-09-24 17:09 (UTC) by leuko)

@ewtoombs, you probably: 1. did not import the GPG key. Try the pinned comment. 2. are trying to download behind a firewall that blocks the Tor site.

ewtoombs commented on 2024-09-20 04:06 (UTC)

I'm getting

==> ERROR: sha256sums does not allow empty values.
==> ERROR: sha256sums does not allow empty values.

It won't build.

zilvervos commented on 2024-09-06 22:03 (UTC)

$ gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org generates this error:

gpg: error retrieving 'torbrowser@torproject.org' via WKD: End of file gpg: error reading key: End of file

Any ideas on how to proceed?

stracks commented on 2024-09-06 08:52 (UTC)

https://support.torproject.org/tbb/how-to-verify-signature/

Refreshing the PGP key

Run the following command to refresh the Tor Browser Developers signing key in your local keyring from the keyserver. This will also fetch the new subkeys.

gpg --refresh-keys EF6E286DDA85EA2A4BA7DE684E2C6E8793298290

gok commented on 2024-09-06 05:53 (UTC)

@solarisfire: this error happened to me too. It is because the Tor Browser developpers used to a new subkey of their long-term PGP signing key. You simply need to re-imported the updated PGP key with

$ gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

and the gpg signature check in makepkg will succeed.