How to verify that you have the right version Before running the Tor Browser Bundle, you should make sure that you have the right version. The software you receive is accompanied by a file with the same name as the bundle and the extension .asc. This .asc file is a GPG signature, and will allow you to verify the file you've downloaded is exactly the one that we intended you to get. Before you can verify the signature, you will have to download and install GnuPG: Windows: http://gpg4win.org/download.html Mac OS X: http://macgpg.sourceforge.net/ Linux: Most Linux distributions come with GnuPG preinstalled. Please note that you may need to edit the paths and the commands used below to get it to work on your system. Erinn Clark signs the Tor Browser Bundles with key 0x63FEE659. To import Erinn's key, run: gpg --keyserver hkp://keys.gnupg.net --recv-keys 0x63FEE659 After importing the key, verify that the fingerprint is correct: gpg --fingerprint 0x63FEE659 You should see: pub 2048R/63FEE659 2003-10-16 Key fingerprint = 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659 uid Erinn Clark uid Erinn Clark uid Erinn Clark sub 2048R/EB399FD7 2003-10-16 To verify the signature of the package you downloaded, run the following command: gpg --verify tor-browser-2.2.33-2_en-US.exe.asc tor-browser-2.2.33-2_en-US.exe The output should say "Good signature". A bad signature means that the file may have been tampered with. If you see a bad signature, send details about where you downloaded the package from, how you verified the signature, and the output from GnuPG in an email to help@rt.torproject.org. Once you have verified the signature and seen the "Good signature" output, go ahead and extract the package archive. You should then see a directory similar to tor-browser_en-US. Inside that directory is another directory called Docs, which contains a file called changelog. You want to make sure that the version number on the top line of the changelog file matches the version number in the filename.