I'm attempting to install Tor, but I can't get the signing key to verify the download.
$ gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
gpg: invalid auto-key-locate list
gpg: Invalid option "--locate-keys"
Ubuntu 16.04 LTS Any help would be greatly appreciated.
Thanks
There are two versions of the gpg command available in Ubuntu 16.04, in separate packages:
gnupg, which is GnuPG version 1.4.20; andgnupg2, which is GnuPG version 2.1.11.The --locate-keys option was added in 2.0.10, as was the nodefault value for --auto-key-locate. Given that you're unable to use the --locate-keys option, I strongly suspect that the version of GnuPG you're running is version 1.4.20.
To run the newer version of GnuPG on an Ubuntu 16.04 system, you need to install the gnupg2 package, and use the gpg2 command rather than gpg.
However, WKD support was added in GnuPG 2.1.12, which means that even using gpg2 you won't be able to run the command given on the Tor project webpage. However...
The WKD protocol is a public one, and via the magic of tutorials like this one I've figured out that the key you need can be downloaded via HTTPS. Thus, the complete command you can use (which should, I think, work even in GnuPG 1.4.20) looks like this:
wget -O - https://openpgpkey.torproject.org/.well-known/openpgpkey/hu/kounek7zrdx745qydx6p59t9mqjpuhdf | gpg --import
