How do you verify Tor browser on Android?

I can download Tor from torproject.org just fine, and I can use it just fine. The site even shows signatures alongside the Android APKs.

What I don’t get is how you verify it. The Tor Project (How can I verify Tor Browser's signature? | Tor Project | Support) tells you how to verify signatures on every OS offered except Android. I don’t see a hash, and I don’t know what to do with the signature file without Android instructions. How have others here done it?

I’m not using the Google Play Store.

Hey 4al — good question,

Verifying APKs on Android manually is a bit trickier than on desktop. Download the APK and .asc signature file from torproject.org directly. On your desktop/laptop, install GPG (GnuPG) if you haven’t already. Import the Tor Browser signing key (linked on their site), then use GPG to verify the .asc file against the APK.

gpg --verify tor-browser-xxx.apk.asc tor-browser-xxx.apk

If the signature checks out and matches the key fingerprint from torproject.org, then you can safely transfer the APK to your Android device via USB, SD card, etc., and install it. I know it’s weird that there’s no direct verification method on Android, but verifying on desktop before sideloading is a solid workaround.

1 Like

Thank you very much for this information. It’s definitely a strange workaround. I would be curious to see if others at privacy guides have done more or less the same thing. Is it a bad idea, then, to get Tor through Obtainium? Is it normal for AppVerifier to not have it in its database?

Obtainium doesn’t do any verification.

FFUpdater does verify all apps it supports however.

AppVerifier doesn’t have Tor Browser: AppVerifier/app/src/main/kotlin/dev/soupslurpr/appverifier/InternalVerificationInfoDatabase.kt at a5fb0bb45b4b13434fe6e3d4739aef46791dbd40 · soupslurpr/AppVerifier · GitHub

iirc the dev was being weird and not allowing apps to be added to it

Is it related to it being “Firefox based”? He’s close to the GOS community, so it’s probably not there because of it being less secure.

I think that by ‘through Obtainium’ I mean ‘hooking it up to’ Obtainium, where Obtainium has it in its app list and can check its updates. I am guessing the Tor app may be self-updating, so it may not be necessary, so I was more wondering whether it was a good idea to ‘hook Tor up’, or if the correct verification method (which, from previous replies, seems to include transferring the APK file from desktop) makes this unfeasible.

I should note that I am something of an amateur.

I would also like to ask around a final time before going ahead with James’ solution:

Is James’ way the agreed upon way to verify Android Tor? Has anyone here done it differently?

(Or does the privacy community generally avoid Tor on mobile for it being Gecko-based?)

Termux (homepage, Fdroid) has a GnuPG package. It may be possible to use that to verify signatures but I haven’t tried it myself yet.

1 Like

Before I go forward with this method, if you’d be so inclined, I’d like to ask how you figured this out, and if there are any sources (especially official, but even if not) you’d be able to cite for this method. It seems like such a strange roundabout method (not your fault, you’re only the messenger) and I suppose it’s just for curiosity and peace of mind’s sake to see if anyone else/how many other users use it.

(Off-topic, but I apologize for replying to you so many times before, when only one of the replies was meant for you. I don’t really know how replying to multiple different people works within replies written through email.)

I tried GnuPG on Termux.

pkg install gnupg
gpg --import TOR_BROWSER_PGP_KEY
gpg --verify APK_SIG APK
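Both the desktop steps and the Termux commands in this thread rely on the same check: the signature must verify and must have been made by the key whose fingerprint torproject.org publishes, not merely by some key that happens to be in the keyring. The shell script below is an added example, not code from this thread, that enforces that second condition using gpg's machine-readable --status-fd output; EXPECTED_FPR is a placeholder to be filled in from torproject.org, and the fingerprints used in the comments and tests are constructed.

```shell
#!/bin/sh
# Added example, not from this thread: verify a Tor Browser APK with GnuPG and
# accept it only if the VALIDSIG status line names the expected key. The
# fingerprint below is a placeholder; fill it in from torproject.org.
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_FINGERPRINT_FROM_TORPROJECT_ORG}"

# check_status: read "gpg --status-fd 1" output on stdin and return 0 only if
# a VALIDSIG line's signing-key fingerprint (field 3) or primary-key
# fingerprint (last field) equals "$1". Releases are commonly signed by a
# subkey while the website publishes the primary key's fingerprint, so both
# fields are compared. Spaces and case in the expected value are normalised.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_apk APK [SIG]: run gpg with machine-readable status output and apply
# check_status. A GOODSIG from any other key, or a BADSIG, fails.
verify_apk() {
    apk="$1"
    sig="${2:-$1.asc}"
    gpg --batch --status-fd 1 --verify "$sig" "$apk" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Usage: EXPECTED_FPR='...' ./verify.sh tor-browser-xxx.apk
if [ "$#" -ge 1 ]; then
    if verify_apk "$@"; then
        echo "OK: signature valid and made by $EXPECTED_FPR"
    else
        echo "FAIL: bad signature or unexpected signing key" >&2
        exit 1
    fi
fi
```

The same script runs unchanged under Termux, since it only needs sh, awk and the gpg package.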