Hi,

Thank you for reporting this.

We do have a link to “Verify Tor Browser Signature” on that page as well as a link to the signatures themselves under the "Advanced Install Options” link.

We appreciate your feedback, this will help us evaluate ways to highlight this process and make it more visible from the main download page. 

Pili

Project Manager: Tor Browser, UX and Community teams
pili at torproject dot org 
gpg 3E7F A89E 2459 B6CC A62F 56B8 C6CB 772E F096 9C45

On Saturday, Mar 30, 2019 at 10:44 PM, mwnx <mwnx@gmx.com> wrote:
Hello,

The new download page [1] does not provide links to the signature
files needed to check that the provided tor browser bundles have
indeed been produced and/or approved by the tor browser team.

Such signatures are important for software in general, but it is
especially worrying when they are lacking from an inherently privacy
and security focused project like tor. In the end, I managed to find
the signature file by appending `.asc` to the bundle URL, but others
might not think of doing that, and besides, I feel like we should
promote security best practices by encouraging people to check the
signature.

While I'm at it, thank you all for your contributions to this
critical piece of FOSS software.

[1] https://www.torproject.org/download/

--
mwnx
GPG: AEC9 554B 07BD F60D 75A3 AF6A 44E8 E4D4 0312 C726
________________________________________________________________________
Tor Website Team coordination mailing-list

To unsubscribe or change other options, please visit:
https://lists.torproject.org/cgi-bin/mailman/listinfo/www-team