On 2020-03-02 07:58, Georg Koppen wrote:
> Hans Vader:
>> Dear TOR people, I have a question regarding the updating mechanism of tor browser from within the browser. These updates are signed, I strongly suppose. I would like to know, does checking these signatures depend on external programs like gpg? Is the signature verification application for updates part of the browser bundle itself?
>
> For updates we essentially use the Firefox updater and, yes, we are signing the update files.

Thanks for explaining.

Have there ever been serious flaws in that signature verification mechanism? Would you regard it safe enough for the paranoid among us or would you advise to better download the full package and do the standard pgp verification? I read from some people who only do the latter and don't use the builtin updater.

Thanks

--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk