GitLab

The documentation for verifying signatures located here - https://2019.www.torproject.org/docs/verifying-signatures.html.en has not been updated to reflect the process required since the key was poisoned. The docs here - https://support.torproject.org/#how-to-verify-signature have been.

Specifically the process for importing the key needs to be - gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290

and verifying the key - gpg --fingerprint EF6E286DDA85EA2A4BA7DE684E2C6E8793298290

Alternatively the page should be a link to the currently accurate documentation.

Trac:
Username: shrike