Tor Browser Download and Verification Guide
Overview
This guide walks you through securely downloading, verifying, and installing Tor Browser on a fresh Linux system. GPG verification ensures the file is authentic and hasn't been tampered with.
Verifying the GPG signature proves the download came from the Tor Project and wasn't modified by attackers. This is critical for privacy software.
Tor Browser Version: 15.0.2 (update version number in commands as needed)
Step 1: Create a Directory for Tor Browser
First, create a dedicated folder to keep things organized:
mkdir -p ~/Downloads/Tor_Browser
cd ~/Downloads/Tor_BrowserStep 2: Download Tor Browser and Signature File
You need two files: the Tor Browser archive and its GPG signature file.
Option A: Download via Browser
- Go to: https://www.torproject.org/download/
- Download the Linux (64-bit) version
- Also download the .asc signature file (click "Signature" link next to the download)
- Move both files to your
~/Downloads/Tor_Browserdirectory
Option B: Download via Terminal (wget)
# Download Tor Browser (update version number as needed)
wget https://www.torproject.org/dist/torbrowser/15.0.2/tor-browser-linux-x86_64-15.0.2.tar.xz
# Download the signature file
wget https://www.torproject.org/dist/torbrowser/15.0.2/tor-browser-linux-x86_64-15.0.2.tar.xz.ascOption C: Download via Terminal (curl)
# Download Tor Browser
curl -O https://www.torproject.org/dist/torbrowser/15.0.2/tor-browser-linux-x86_64-15.0.2.tar.xz
# Download the signature file
curl -O https://www.torproject.org/dist/torbrowser/15.0.2/tor-browser-linux-x86_64-15.0.2.tar.xz.ascStep 3: Verify You Have Both Files
ls -laExpected output:
tor-browser-linux-x86_64-15.0.2.tar.xz
tor-browser-linux-x86_64-15.0.2.tar.xz.ascYou should see:
.tar.xz— The Tor Browser archive.tar.xz.asc— The GPG signature file
Step 4: Import the Tor Browser Developers Signing Key
Method 1: Auto-locate via WKD (Preferred)
gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.orgMethod 2: Import from Keyserver
gpg --keyserver keyserver.ubuntu.com --recv-keys EF6E286DDA85EA2A4BA7DE684E2C6E8793298290Expected output (either method):
pub rsa4096 2014-12-15 [C] [expires: 2027-07-15]
EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
uid [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub rsa4096 2024-07-15 [S] [expires: 2026-10-26]The fingerprint MUST match exactly:
EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Step 5: Verify the Signature
gpg --verify tor-browser-linux-x86_64-15.0.2.tar.xz.asc tor-browser-linux-x86_64-15.0.2.tar.xzStep 6: Interpret the Results
✅ GOOD — Safe to Use
Look for this in the output:
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"And verify the primary key fingerprint:
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290If you see "Good signature" and the fingerprint matches, your download is authentic. Proceed to extraction.
⚠️ WARNING — Can Be Ignored
This warning is normal and safe to ignore:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.This appears because you haven't personally signed the Tor Project's key in your GPG keyring. It does NOT mean the file is compromised.
❌ BAD — Do Not Use
If you see this, DELETE the files immediately and re-download:
gpg: BAD signature from "Tor Browser Developers..."
Step 7: Extract Tor Browser
tar -xvf tor-browser-linux-x86_64-15.0.2.tar.xzThis creates a tor-browser directory.
Step 8: Run Tor Browser
cd tor-browser
./start-tor-browser.desktopOr register it with your desktop environment (adds to application menu):
./start-tor-browser.desktop --register-appStep 9: (Optional) Move to Permanent Location
If you want Tor Browser in a standard location:
# Move to /opt (system-wide)
sudo mv ~/Downloads/Tor_Browser/tor-browser /opt/tor-browser
# Or keep in home directory
mv ~/Downloads/Tor_Browser/tor-browser ~/tor-browserUpdate your launch command accordingly.
Quick Reference: All Commands
All commands in one place for quick reference.
# 1. Create directory and navigate to it
mkdir -p ~/Downloads/Tor_Browser
cd ~/Downloads/Tor_Browser
# 2. Download files (update version as needed)
wget https://www.torproject.org/dist/torbrowser/15.0.2/tor-browser-linux-x86_64-15.0.2.tar.xz
wget https://www.torproject.org/dist/torbrowser/15.0.2/tor-browser-linux-x86_64-15.0.2.tar.xz.asc
# 3. Import GPG key
gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
# 4. Verify signature
gpg --verify tor-browser-linux-x86_64-15.0.2.tar.xz.asc tor-browser-linux-x86_64-15.0.2.tar.xz
# 5. Extract (only if verification passed)
tar -xvf tor-browser-linux-x86_64-15.0.2.tar.xz
# 6. Run
cd tor-browser
./start-tor-browser.desktopTroubleshooting
"gpg: command not found"
Install GPG:
sudo apt update
sudo apt install gnupg"wget: command not found"
Install wget:
sudo apt install wgetKey import fails
Try alternative keyservers:
gpg --keyserver keys.openpgp.org --recv-keys EF6E286DDA85EA2A4BA7DE684E2C6E8793298290Or:
gpg --keyserver pgp.mit.edu --recv-keys EF6E286DDA85EA2A4BA7DE684E2C6E8793298290Signature verification fails with "No public key"
The key wasn't imported. Go back to Step 4 and import it.
Official Resources
- Tor Project Website: https://www.torproject.org
- Tor Browser Download: https://www.torproject.org/download/
- Signature Verification Guide: Official Tor Verification Docs
- Official Signing Key Fingerprint:
EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Notes
- Always verify downloads before running them
- The signing key fingerprint may change over time — verify it on the official Tor Project website
- Update the version number (15.0.2) in commands when downloading newer versions
- Tor Browser will auto-update itself after installation