> and we developed plenty of new needs like verifying software signed by random people on the other side of the globe, while GPG did nothing to accommodate that use
That's actually a really common use-case for GPG. I've seen it used for this more than for email...
I mean sure, there's a bunch of developers out there signing their code with GPG. But have you actually tried verifying it properly?
To verify the Tor Browser correctly, you need a trust path.
Option A: You've met at least one of them directly, and for some reason decided to sign a key with the label "Tor Browser Developers" on it. How did that person prove to you that they're a legitimate Tor developer? That's a pretty tricky thing to demonstrate.
Option B: You've signed the key of somebody who did the above. Same problem, but even more dubious.
Technically, GPG allows longer trust paths, you can do Alice -> Bob -> Carol -> Tor, or I think even Alice -> Bob -> Carol -> Dave -> Tor. But the software won't help you with this.
To do the first, you download the Tor key, look at who signed it, download all those keys, and hope that one of those might have a signature by somebody you know on it.
To do the second... you're on your own. You can do a brute force key download, where you download thousands of keys in the hopes of some connection being found, and blowing up the size of your keyring. This will add lots of random people into whatever UI you use and slow down every GPG invocation. And you'll need to write some sort of shell script for that, it's a pain.
Then you're using it wrong. GPG isn't adding anything to this that SHA256 wouldn't, and you're just relying on the SSL certificate.
Look at your list of CAs sometime. There's multiple national organizations there. Controlled by a government.
And any of those will be deemed as valid, so if you go to https://www.torproject.org/download/ and it's signed by a Chinese CA for some reason, to your browser that's perfectly fine.
> What are the chances the official site AND the archive were both compromised?
You're talking about a piece of software that's designed to hide stuff from state level actors. If you're in actual need of such a thing, that threat is pretty damn serious.
I agree with you here, unless you've vetted that GPG public key very well... it is indeed no better than trusting the CA.
In a way, having JavaScript client-side verification of files as an option would be as secure (if not more secure) in most circumstances because it'd be more noob friendly. At the very least to ensure mirrors aren't doing anything nefarious.
You download the Tor Browser key from a key server such as openpgp, and verify that the fingerprint is the same as that published in the Tor Browser as well as other websites. You can check who has signed that key also.
Once you verify the fingerprint, you import the key into your keyring and sign the key. It’s TOFU, so it’s done only once.
TOFU isn't the proper usage model for GPG, especially not for anything of actual importance.
GPG was made to be a self-contained system. It works based on chains of signatures (web of trust). The GPG program enforces this model, you must sign keys for a signature to be identified as valid. Approximations like "I can find the same key on this other website" aren't part of the intended model.
Key servers don't provide trust, they provide convenience. You may obtain keys from keyservers, but to actually trust a key you're supposed to do the work of verifying it. E.g., if you get my key from a keyserver the only legitimate reasons to trust it are that either you met me personally and compared fingerprints, or you trust somebody else who did that.
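Added example, not part of the thread: a sketch of the trust-path search described above (Alice -> Bob -> Carol -> target), run over a constructed listing in the colon format of `gpg --list-sigs --with-colons`. All key IDs and names are made up, and the field positions used (1 = record type, 5 = key ID) are the assumption the parser rests on.

```python
from collections import deque

# Constructed key IDs; TARGET stands in for a project release key.
ALICE, BOB, CAROL = "A1A1A1A1A1A1A1A1", "B0B0B0B0B0B0B0B0", "C0C0C0C0C0C0C0C0"
TARGET, MALLORY = "7070707070707070", "DEADDEADDEADDEAD"

# Constructed sample: each "pub" is followed by the "sig" records made on it.
SAMPLE = f"""\
pub:-:4096:1:{ALICE}:1500000000:::-:
sig:::1:{ALICE}:1500000000::::Alice:13x:
pub:-:4096:1:{BOB}:1500000000:::-:
sig:::1:{BOB}:1500000000::::Bob:13x:
sig:::1:{ALICE}:1500000001::::Alice:10x:
pub:-:4096:1:{CAROL}:1500000000:::-:
sig:::1:{BOB}:1500000002::::Bob:10x:
pub:-:4096:1:{TARGET}:1500000000:::-:
sig:::1:{TARGET}:1500000000::::Release Key:13x:
sig:::1:{CAROL}:1500000003::::Carol:10x:
sig:::1:{MALLORY}:1500000004::::[User ID not found]:10x:
"""

def parse_signatures(listing):
    """Return {signer_keyid: {signed_keyid, ...}}, skipping self-signatures."""
    edges, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]                      # key the following sigs apply to
        elif f[0] == "sig" and current and f[4] != current:
            edges.setdefault(f[4], set()).add(current)
    return edges

def find_chain(edges, mine, target, max_hops):
    """Breadth-first search for the shortest signature chain mine -> target."""
    queue, seen = deque([[mine]]), {mine}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 == max_hops:           # depth limit reached
            continue
        for nxt in sorted(edges.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

if __name__ == "__main__":
    # A chain is only a candidate: GPG also needs ownertrust set on each
    # intermediate key before it treats the target as valid.
    print(find_chain(parse_signatures(SAMPLE), ALICE, TARGET, max_hops=3))
```

The signature from the unknown key is the point to notice: it produces an edge into the target but no path from your own key, so it contributes nothing to validity.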