Consider attaching Tor Browser signing key to response emails
It turns out that censored users are unlikely to be able to fetch our Tor Browser signing key: tpo/applications/tor-browser#40195 (closed)
One way to fix this issue is to attach the signing key to GetTor's email autoresponse. That's easy for us and convenient for the user. The downside is that users have to place more trust in GetTor's autoresponse. So far, if Alice receives a spoofed GetTor response and downloads a malicious Tor Browser, she can still detect this attack by getting her signing key from an independent source. If GetTor's response email provides both Tor Browser links and the signing key, Alice would fall for the attack.
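The trade-off above can be made concrete with a fingerprint check, shown here as an added example (not part of the original issue and not GetTor code): a key attached to the email is accepted only if its OpenPGP v4 fingerprint equals one Alice obtained from an independent source, so a spoofed response carrying its own key is rejected. The helper names and both sample keys are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import struct

def pubkey_body(data: bytes) -> bytes:
    """Return the body of the leading public-key packet (tag 6) of a binary key."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not a binary OpenPGP packet (dearmor the key first)")
    if hdr & 0x40:                      # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial lengths are not valid for key packets")
    else:                               # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        n = 1 << ltype                  # 1, 2 or 4 length octets
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    body = data[off:off + length]
    if tag != 6 or len(body) != length or body[:1] != b"\x04":
        raise ValueError("expected a complete v4 public-key packet")
    return body

def v4_fingerprint(data: bytes) -> str:
    """OpenPGP v4 fingerprint: SHA-1 over 0x99, 2-octet length, packet body."""
    body = pubkey_body(data)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_matches_pin(attached_key: bytes, pinned_fpr: str) -> bool:
    """Accept the attached key only if it matches the out-of-band fingerprint."""
    pin = "".join(pinned_fpr.split()).upper()
    return hmac.compare_digest(v4_fingerprint(attached_key), pin)

def sample_key(material: bytes) -> bytes:
    """Constructed v4 key packet; algorithm octet and material are placeholders."""
    body = b"\x04" + struct.pack(">I", 1600000000) + b"\x16" + material
    return b"\x99" + struct.pack(">H", len(body)) + body

GENUINE_KEY = sample_key(b"\x01" * 32)    # constructed, not a real key
SPOOFED_KEY = sample_key(b"\x02" * 32)    # constructed, not a real key
PINNED_FPR = v4_fingerprint(GENUINE_KEY)  # stands in for the independently obtained value
```

The check only helps if the pinned fingerprint reaches Alice through a channel other than the response email itself.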