Unable to install Tor Browser - PGP signatures could not be verified


This is the error:

Building tor-browser…
Cloning into ‘tor-browser’…
==> Making package: tor-browser 8.0.1-1 (mié 26 sep 2018 01:34:35 CEST)
==> Checking runtime dependencies…
==> Checking buildtime dependencies…
==> Retrieving sources…
-> Found tor-browser.desktop
-> Found tor-browser.png
-> Found tor-browser.sh
-> Downloading tor-browser-linux64-8.0.1_en-US.tar.xz…
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 71.4M 100 71.4M 0 0 180k 0 0:06:46 0:06:46 --:--:-- 108k
-> Downloading tor-browser-linux64-8.0.1_en-US.tar.xz.asc…
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 801 100 801 0 0 666 0 0:00:01 0:00:01 --:--:-- 666
==> Validating source files with sha256sums…
tor-browser.desktop … Passed
tor-browser.png … Passed
tor-browser.sh … Passed
==> Validating source_x86_64 files with sha256sums…
tor-browser-linux64-8.0.1_en-US.tar.xz … Skipped
tor-browser-linux64-8.0.1_en-US.tar.xz.asc … Skipped
==> Verifying source file signatures with gpg…
tor-browser-linux64-8.0.1_en-US.tar.xz … FAILED (unknown public key EB774491D9FF06E2)
==> ERROR: One or more PGP signatures could not be verified!

gpg --recv-keys EB774491D9FF06E2


Thanks. Why do I have to add it manually though?


It is an AUR package, not official, therefore not in the keyring.


In the #faq section:

I mean… how many times is this question going to be asked?


I am new to Manjaro, just migrated from Ubuntu. This one question I didn’t see. It will be asked multiple times unless you make a piece of code that detects “ERROR: One or more PGP signatures could not be verified!” and suggests “Please add the key manually as follows: gpg --recv-key KEY”. I thought this is an error with the package itself or the repos and I need assistance before I do something stupid, this is why I asked on the forum. I understand for you it is frustrating, but it is not any user’s fault for not reading all of Manjaro’s FAQ. Thank you for your work. I love Manjaro and the community is very kind and supportive.


Sooo… the banner about “How to search the forum” and the FAQ section are useless… :sob:

Edit: should just make sure to point out this is a running joke on the forum and I’m not being (totally) serious…

Anyway, welcome to Manjaro. :wink:


Nope, not at all. I fixed several things using them. Sorry that I missed that one, but I gave you an example of how you may be able to improve on it if possible. Anyways, thank you again for your work. Can’t tell you how much I appreciate what you guys do. Cheers!


I guess until Pamac gets a function that adds all keys present in validpgpkeys= to the user’s keyring. :smiley:


It is becoming, you can find that error a lot of times both in the forum and on the internet. Regardless of this, welcome to the forum :grin:

@tiotrom @Frog There is an interesting reading here: http://allanmcrae.com/2015/01/two-pgp-keyrings-for-package-management-in-arch-linux/


Yes, that’s why I specified the user’s keyring, not the package manager’s one.


Automatically adding all the keys is like having no keys.


Well, at the very least, there is some verification; PGP checks aren’t completely ignored. But sure, a “Skip PGP checks” instead of “Automatically add required PGP public keys” would produce pretty much the same practical result in the end: not being bothered with “Unknown public key” error.

Anyway, it’s not like the majority of users here just blindly add PGP keys without checking if the required public keys actually belong to the right person. That feature would just save time since we won’t have to type gpg --recv-keys BLABLABLA every time.

It could just be an option in Preferences, and turned off by default too. If you really want, you can mark it as (Not recommended). But at least, it would be there.


Automatically adding PGP keys as trusted is a bad idea. No one should implement that.

The AUR is not part of Manjaro (or Arch, strictly speaking) - it is a community-run resource which makes available untrusted, unverified, and potentially harmful content. Yes, most stuff is fine, but it’s still up to you to check that content and accept the risks of using it.


I’d like to see Pamac show a dialog box with a warning about the AUR being untrusted along with a link to the package’s AUR page with the option to import the keys into the user ring and continue/restart. When I encounter keys not in my ring, I check the AUR page and then generally import the key.

I don’t use the AUR unless I need to. Having to restart a command after adding the keys is annoying but it doesn’t really stop me from using the AUR.
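
Added example, not part of any post in this thread and not Pamac or makepkg code: a POSIX shell script that cross-checks the key ID from the makepkg error against the fingerprints pinned in the PKGBUILD's validpgpkeys array before anything is imported. The function names, the sample log and the sample PKGBUILD are constructed for illustration.

```sh
#!/bin/sh
# Added example: all names and sample data below are constructed.

# Key IDs that makepkg reported as unknown (read from stdin), one per line.
unknown_key_ids() {
    sed -n 's/.*FAILED (unknown public key \([0-9A-Fa-f]\{16\}\)).*/\1/p' |
        tr 'a-f' 'A-F' | sort -u
}

# 40-hex fingerprints inside validpgpkeys=(...) of a PKGBUILD on stdin.
# The file is parsed as text, never sourced, because AUR content is untrusted.
pinned_fingerprints() {
    awk '/^validpgpkeys=\(/ {f=1} f {print} f && /\)/ {f=0}' |
        tr -c '0-9A-Fa-f' '\n' |
        grep -E '^[0-9A-Fa-f]{40}$' |
        tr 'a-f' 'A-F'
}

# advise LOG_TEXT PKGBUILD_TEXT
# MATCH id fpr : the ID is the tail of a pinned fingerprint; after comparing
#                fpr with the upstream project's published one, import with
#                gpg --recv-keys fpr (full fingerprint, not the short ID).
# NOMATCH id   : no pinned fingerprint ends in this ID; review before import.
advise() {
    fprs=$(printf '%s\n' "$2" | pinned_fingerprints)
    printf '%s\n' "$1" | unknown_key_ids | while read -r id; do
        hit=
        for fpr in $fprs; do
            case $fpr in *"$id") hit=$fpr ;; esac
        done
        if [ -n "$hit" ]; then echo "MATCH $id $hit"; else echo "NOMATCH $id"; fi
    done
}

SAMPLE_LOG='==> Verifying source file signatures with gpg...
    example-1.0.tar.xz ... FAILED (unknown public key 1122334455667788)
    example-data-1.0.tar.xz ... FAILED (unknown public key 99AABBCCDDEEFF00)
==> ERROR: One or more PGP signatures could not be verified!'

SAMPLE_PKGBUILD="pkgname=example
validpgpkeys=('0123456789ABCDEF012345671122334455667788'  # constructed
              'fedcba9876543210fedcba9876543210fedcba98') # constructed
"

advise "$SAMPLE_LOG" "$SAMPLE_PKGBUILD"
```

A NOMATCH is not proof of tampering: the ID in the error belongs to the key that made the signature, which can be a signing subkey whose ID does not appear in the primary key's fingerprint. In that case compare the pinned fingerprint with the one the upstream project publishes before importing.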


You can file a feature request on its project page:


That never occurred to me. I’ll file one as soon as I can. Thanks!

