downloadbundle

Note

This command requires the optional txsocksx library. Install it with pip install txsocksx.

The downloadbundle command figures out what the latest Tor Browser Bundle is (from check.torproject.org), downloads the package for your operating system and (optionally) extracts it. It ships with bundled certificates for torproject.org and checks that the public keys presented by the server match them. It also checks the signature on the downloaded bundle, using bundled keys for Tor people or (optionally) the current user’s GnuPG keychain.

To use your own keychain, use --system-keychain (-K). By default, the command builds a tempdir for GnuPG and imports the bundled keys (of Tor people who typically sign the release) there.

Use --beta (-b) to download the latest Beta release instead (if available).

Use --no-extract (-E) if you do not wish to extract the bundle after downloading. Extracting additionally requires backports.lzma to be installed.

If you’re really feeling adventurous, don’t have a system Tor running, or can’t install txsocksx for some reason, you can (completely inadvisably) pass --use-clearnet to download over the plain Internet. Of course, you still get the certificate pins and signature checking.

Examples

$ carml downloadbundle -e
Getting recommended versions from "https://check.torproject.org/RecommendedTBBVersions".
   3.6-Linux, 3.6-MacOS, 3.6-Windows, 3.6.1-Linux, 3.6.1-MacOS,
   3.6.1-Windows
tor-browser-linux64-3.6.1_en-US.tar.xz.asc: already exists, so not downloading.
tor-browser-linux64-3.6.1_en-US.tar.xz: already exists, so not downloading.
gpg: Signature made Tue 06 May 2014 05:37:07 PM MDT using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark <erinn@torproject.org>"
gpg:                 aka "Erinn Clark <erinn@debian.org>"
gpg:                 aka "Erinn Clark <erinn@double-helix.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
Signature is good.
Extracting "tor-browser-linux64-3.6.1_en-US.tar.xz"...
  decompressing...
   20% extracted
   40% extracted
   60% extracted
   80% extracted
  100% extracted
Tor Browser Bundle downloaded and extracted.
To run:
   ./tor-browser_en-US/start-tor-browser

Note that for users who have a valid trust-path to Erinn Clark, using --system-keychain would avoid the WARNING: from GnuPG.
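The WARNING in the output above only says the key is not certified in GnuPG's trust database; what decides whether to accept the file is that a valid signature came from an expected key. The following is an added example, not carml's own code, of one way to make that decision: verify in a throwaway GnuPG home and compare the fingerprint gpg reports on its machine-readable status output against a pinned value. The function names, the key_files parameter and the sample status lines are assumptions made for illustration; gpg is assumed to be on the PATH.

```python
import subprocess
import tempfile

# Primary key fingerprint taken from the example output above.
PINNED = {"8738A680B84B3031A630F2DB416F061063FEE659"}
# Status keywords that mean a signature failed or cannot be relied on.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def pinned_signer(status_text, pinned=PINNED):
    """Return the pinned primary-key fingerprint that made a valid
    signature, or None. Input is gpg's --status-fd output."""
    signer = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword in FAILURES:
            return None  # one failed signature rejects the file
        if keyword == "VALIDSIG" and args:
            # Field 10 is the primary key's fingerprint; field 1 is the
            # signing (sub)key. Pin on the primary when gpg reports it.
            fpr = (args[9] if len(args) >= 10 else args[0]).upper()
            if fpr in pinned:
                signer = fpr
    return signer


def verify_detached(sig_path, data_path, key_files):
    """Verify data_path against sig_path in a throwaway GnuPG home that
    holds only key_files (hypothetical paths to exported public keys)."""
    with tempfile.TemporaryDirectory() as home:
        gpg = ["gpg", "--homedir", home, "--batch", "--no-tty"]
        for key in key_files:
            subprocess.run(gpg + ["--import", key], check=True,
                           capture_output=True)
        proc = subprocess.run(
            gpg + ["--status-fd", "1", "--verify", sig_path, data_path],
            capture_output=True, text=True)
        return pinned_signer(proc.stdout)


# Constructed status lines (not captured from a real run).
SAMPLE_GOOD = (
    "[GNUPG:] GOODSIG 416F061063FEE659 Erinn Clark <erinn@torproject.org>\n"
    "[GNUPG:] VALIDSIG 8738A680B84B3031A630F2DB416F061063FEE659 2014-05-06 "
    "1399419427 0 4 0 1 8 00 8738A680B84B3031A630F2DB416F061063FEE659\n"
    "[GNUPG:] TRUST_UNDEFINED\n")
SAMPLE_BAD = "[GNUPG:] BADSIG 416F061063FEE659 Erinn Clark <erinn@torproject.org>\n"
```

Parsing the status lines rather than the human-readable "Good signature" text keeps the check independent of locale and of any other key that happens to be in the keyring.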