Hi,
Thank you for reporting this.
We do have a link to “Verify Tor Browser Signature” on that page as well as a link to the signatures themselves under the "Advanced Install Options” link.
We appreciate your feedback, this will help us evaluate ways to highlight this process and make it more visible from the main download page.
Pili
— Project Manager: Tor Browser, UX and Community teams pili at torproject dot org gpg 3E7F A89E 2459 B6CC A62F 56B8 C6CB 772E F096 9C45
On Saturday, Mar 30, 2019 at 10:44 PM, mwnx <mwnx@gmx.com (mailto:mwnx@gmx.com)> wrote: Hello,
The new download page [1] does not provide links to the signature files needed to check that the provided tor browser bundles have indeed been produced and/or approved by the tor browser team.
Such signatures are important for software in general, but it is especially worrying when they are lacking from an inherently privacy and security focused project like tor. In the end, I managed to find the signature file by appending `.asc` to the bundle URL, but others might not think of doing that, and besides, I feel like we should promote security best practices by encouraging people to check the signature.
While I'm at it, thank you all for your contributions to this critical piece of FOSS software.
[1] https://www.torproject.org/download/
-- mwnx GPG: AEC9 554B 07BD F60D 75A3 AF6A 44E8 E4D4 0312 C726 ________________________________________________________________________ Tor Website Team coordination mailing-list
To unsubscribe or change other options, please visit: https://lists.torproject.org/cgi-bin/mailman/listinfo/www-team