Warning: file_exists(): open_basedir restriction in effect. File(/srv/http/vhosts/aur.archlinux.org/public/web/locale//en/LC_MESSAGES/aurweb.mo) is not within the allowed path(s): (/srv/http/vhosts/aur-dev.archlinux.org/:/etc/aurweb/) in /srv/http/vhosts/aur-dev.archlinux.org/public/web/lib/streams.php on line 90
AUR (en) - tor-browser-bin

Notice: Undefined variable: name in /srv/http/vhosts/aur-dev.archlinux.org/public/web/lib/pkgfuncs.inc.php on line 248

Package Details: tor-browser-bin 6.5-1

Git Clone URL: https://aur-dev.archlinux.org/tor-browser-bin.git (read-only)
Package Base: tor-browser-bin
Description: Tor Browser is +1 for privacy and -1 for mass surveillance
Upstream URL: https://www.torproject.org/projects/torbrowser.html.en
Licenses: GPL
Submitter: flacks
Maintainer: nicepack
Last Packager: funilrys
Votes: 27
Popularity: 4.598280
First Submitted: 2016-03-20 17:10
Last Updated: 2017-01-27 06:58

Latest Comments

nicepack commented on 2017-01-30 23:06

the package has been disowned

i've adopted it

fightcookie commented on 2017-01-30 22:37

@pepper_chico You are probably only missing the key on your pc ;)
As explained by user yar in the tor-browser-en package:

"* If the signer of the .asc file is not known by your build user's gpg keyring, your error message will be: "unknown public key"
* If validgpgkeys doesn't exist and the key isn't *TRUSTED* by your build user's gpg keyring, your error message will be: "the public key %s is not trusted"
* If validgpgkeys exists and the *MASTER KEY* isn't listed there, your error message will be: "invalid public key"
* Again, it checks against the *MASTER KEY*. Listing the subkey does nothing. See line 239: "If the file was signed with a subkey, arg10 contains the fingerprint of the primary key"

Note that makepkg has no code for retrieving signatures. It relies on you to --recv-key on your own. The validgpgkeys code doesn't even execute until makepkg has queried your build user's gpg keyring. So no matter what you need to --recv-key, which only downloads the key and does not imply that you fully trust it (for that you would run --edit-key). Validgpgkeys is used in lieue of fully trusting the key, but you still need to download it yourself. If you don't want to interact with GPG on your own, then run makepkg --skippgpcheck. There is no other way."

You need to have the key downloaded to check it against the signature file, then the validgpgkeys is used to trust this key, but this is done by only including the fingerprint of the key in validgpgkeys, not the key itself.

You can also tell gnupg to always automatically retrieve missing keys when trying to verify a signature against this key id, that is not downloaded, see tip field here (you can even let it retrieve it over Tor easily): https://wiki.archlinux.org/index.php/GnuPG#Use_a_keyserver

pepper_chico commented on 2017-01-30 05:48

I'm also waiting for validpgpkeys...

fightcookie commented on 2017-01-06 02:14

Can you please change the validpgpkeys to the correct ones since the current ones are not the ones the package is signed with?
https://wiki.archlinux.org/index.php/PKGBUILD#validpgpkeys

f4bio commented on 2016-08-27 16:03

although flagged out of date, in-app updating (to 6.0.4/Mozilla Firefox 45.3.0) works without problems

mikhail.prid7ko commented on 2016-07-22 18:25

If you want to install the package in its current state into i686 architecture, don't forget to change PKGBUILD file: in if-statement's condition of 'package()' function change all single quotes to doube quotes.

Reason: no shell variable interpolation takes place in single quotes. Consequently condition is always false, so selecting 'x86_64' branch. Change forces interpolation for CARCH variable set for (by?) 'makepkg'.

flacks commented on 2016-04-14 14:17

Run `gpg --keyserver pgp.mit.edu --recv-keys 2E1AC68ED40814E0`

marmistrz commented on 2016-04-14 13:43

==> Verifying source file signatures with gpg...
tor-browser-linux64-5.5.4_en-US.tar.xz ... FAILED (unknown public key 2E1AC68ED40814E0)
==> ERROR: One or more PGP signatures could not be verified!