[dale_glass]

Then you're using it wrong. GPG isn't adding anything to this that SHA256 wouldn't, and you're just relying on the SSL certificate.

Look at your list of CAs sometime. There's multiple national organizations there. Controlled by a government.

And any of those will be deemed as valid, so if you go to https://www.torproject.org/download/ and it's signed by a Chinese CA for some reason, to your browser that's perfectly fine.

> What are the chances the official site AND the archive were both compromised?

You're talking about a piece of software that's designed to hide stuff from state level actors. If you're in actual need of such a thing, that threat is pretty damn serious.

[rany_]

I agree with you here, unless you've vetted that GPG public key very well .... it is indeed no better than trusting the CA.

In a way, having JavaScript client-side verification of files as an option would be as secure (if not more secure) in most circumstances because it'd be more noob friendly. At the very least to ensure mirrors aren't doing anything nefarious.

[aborsy]

You download the Tor Browser key from a key server such as openpgp, and verify that the fingerprint is the same as that published in the Tor Browser as well as other websites. You can check who has signed that key also.

Once you verify the fingerprint, you import the key into your keyring and sign the key. It’s TOFU, so it’s done only once.

[dale_glass]

TOFU isn't the proper usage model for GPG, especially not for anything of actual importance.

GPG was made to be a self-contained system. It works based on chains of signatures (web of trust). The GPG program enforces this model, you must sign keys for a signature to be identified as valid. Approximations like "I can find the same key on this other website" aren't part of the intended model.

Key servers don't provide trust, they provide convenience. You may obtain keys from keyservers, but to actually trust a key you're supposed to do the work of verifying it. Eg, if you get my key from a keyserver the only legitimate reasons to trust it is that either you met me personally and compared fingerprints, or you trust somebody else who did that.