tor-browser-linux-x86_64-13.0.6.tar.xz signed with outdated gpg signature creation timestamp - easily confused as downgrade attack
- Release date: December 5, 2023
- Signature creation date: 2022
```
gpg --verify tor-browser-linux-x86_64-13.0.6.tar.xz.asc
gpg: assuming signed data in 'tor-browser-linux-x86_64-13.0.6.tar.xz'
gpg: Signature made Mon 08 Aug 2022 02:35:39 PM EDT
gpg: using RSA key 613188FC5BE2176E3ED54901E53D989A9E2D47BF
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [undefined]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: 6131 88FC 5BE2 176E 3ED5 4901 E53D 989A 9E2D 47BF
```
Tor Browser Downloader (by Whonix developers) detects this as a downgrade attack.
Hence, correct (actual date) signature creation times would be better. The best possible case would be that this was simply an oversight, a broken/slow clock on the machine that signs official Tor Browser releases.
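The following is an added example, not code from this report, from Tor Project, or from the Whonix downloader: a sketch of how a downloader could read the signature creation time from gpg's machine-readable `VALIDSIG` status line and compare it against the last accepted signature and the published release date. The function names, the 30-day tolerance, the status lines and the "last accepted" timestamp are constructed assumptions; only the fingerprints, the signature time and the release date come from the report above.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of `gpg --status-fd 1 --verify` output. Fingerprints and
# signature time match the report; the remaining VALIDSIG fields are illustrative.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG E53D989A9E2D47BF Tor Browser Developers (signing key) <torbrowser@torproject.org>
[GNUPG:] VALIDSIG 613188FC5BE2176E3ED54901E53D989A9E2D47BF 2022-08-08 1659983739 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
"""


def signature_time(status_text):
    """Return the signature creation time (UTC) from a VALIDSIG status line."""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            raw = parts[4]  # sig-timestamp: epoch seconds, or ISO 8601 with a 'T'
            if "T" in raw:
                parsed = datetime.strptime(raw, "%Y%m%dT%H%M%S")
                return parsed.replace(tzinfo=timezone.utc)
            return datetime.fromtimestamp(int(raw), tz=timezone.utc)
    raise ValueError("no VALIDSIG line: signature was not verified")


def classify(sig_time, last_accepted, release_date, max_skew=timedelta(days=30)):
    """Classify a verified signature by its creation time.

    last_accepted: creation time of the newest signature accepted so far, or None.
    release_date:  publication date announced for the release.
    """
    if last_accepted is not None and sig_time < last_accepted:
        # Older than something already installed: looks the same as a replayed
        # old release, whatever the real cause (for example a wrong signer clock).
        return "possible-downgrade"
    if abs(release_date - sig_time) > max_skew:
        return "timestamp-mismatch"
    return "ok"


if __name__ == "__main__":
    sig = signature_time(SAMPLE_STATUS)
    release = datetime(2023, 12, 5, tzinfo=timezone.utc)       # from the report
    previous = datetime(2023, 11, 20, tzinfo=timezone.utc)     # constructed value
    print(sig.isoformat(), classify(sig, previous, release))
    print("first install:", classify(sig, None, release))
```

A check of this kind sees only the timestamp inside the signature, so it cannot tell a signer with a wrong clock from an attacker serving an older signed file.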