How do you verify Tor browser on Android?

I can download Tor from torproject.org just fine, and I can use it just fine. The site even shows signatures alongside the Android APKs.

What I don’t get is how you verify it. The Tor Project (How can I verify Tor Browser's signature? | Tor Project | Support) tells you how to verify signatures on every OS offered except Android. I don’t see a hash, and I don’t know what to do with the signature file without Android instructions. How have others here done it?

I’m not using the Google Play Store.

Hey 4al — good question,

Verifying APKs on Android manually is a bit trickier than on desktop. Download the APK and .asc signature file from torproject.org directly. On your desktop/laptop, install GPG (GnuPG) if you haven’t already. Import the Tor Browser signing key (linked on their site), then use GPG to verify the .asc file against the APK.

gpg --verify tor-browser-xxx.apk.asc tor-browser-xxx.apk

If the signature checks out and matches the key fingerprint from torproject.org, then you can safely transfer the APK to your Android device via USB, SD card, etc., and install it. I know it’s weird that there’s no direct verification method on Android, but verifying on desktop before sideloading is a solid workaround.

1 Like
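The check described in the answer above, written out as an added example (not part of the original posts and not Tor Project code). It reads gpg's machine-readable status lines instead of its human-readable text, and accepts the APK only when the good signature was made by the key whose fingerprint you copied from torproject.org. Assumptions: the function names and the script name are hypothetical, and the sample status text and both fingerprints in it are constructed placeholders.

```shell
#!/bin/sh
# Added example: a valid signature only matters if it comes from the expected key.
# Usage (assumed script name): sh verify_apk.sh FILE.apk FILE.apk.asc "FINGERPRINT"

# Constructed sample of `gpg --status-fd 1 --verify` output. Both fingerprints
# are placeholders, not real Tor Project values.
SAMPLE_PRIMARY=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_SUBKEY=89ABCDEF0123456789ABCDEF0123456789ABCDEF
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_SUBKEY 2024-01-01 1704067200 0 4 0 1 10 00 $SAMPLE_PRIMARY"

# Strip spaces and upper-case, so a fingerprint copied as "ab12 cd34 ..." compares cleanly.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# status_trusts_fpr STATUS EXPECTED_FPR
# 0: GOODSIG is present and VALIDSIG names the expected key, either as the
#    signing (sub)key in field 3 or as its primary key in the last field.
# 1: anything else (bad signature, expired or revoked key, different signer).
# 2: EXPECTED_FPR is not a full 40-hex-digit fingerprint.
status_trusts_fpr() {
    want=$(normalize_fpr "$2")
    case $want in *[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || return 2
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        # Appending "" forces a string comparison, never a numeric one.
        $2 == "VALIDSIG" && (($3 "") == (want "") || ($NF "") == (want "")) { pinned = 1 }
        END { exit !(good && pinned) }'
}

# verify_apk APK SIG EXPECTED_FPR: run gpg, then apply the check above.
verify_apk() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    status_trusts_fpr "$status" "$3"
}

if [ "$#" -eq 3 ]; then
    if verify_apk "$1" "$2" "$3"; then
        echo "OK: signature is good and was made by the expected key"
    else
        echo "FAILED: do not install this APK" >&2
        exit 1
    fi
fi
```

Run it on the desktop after importing the signing key, passing the fingerprint exactly as published on torproject.org; only transfer the APK to the phone if it prints OK.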