Tor Browser Launcher fails initial download signature verification

Asked by David Cary

After doing a fresh install of Ubuntu Desktop 16.04.2, I used Ubuntu Software Center to install Tor Browser (Tor Browser Launcher). I then click on the Tor icon to start the initial download of the Tor Browser Bundle. The download completes, but the subsequent signature verification fails with a message "SIGNATURE VERIFICATION FAILED". The message also suggests that I might be under attack (very unlikely) or that there might be a networking problem. I am using a stable network, have not had network problems with other applications, and repeating the download, even after redoing the Ubuntu installation, does not change any behavior.

Question information

Language: English
Status: Answered
For: Ubuntu
Assignee: No assignee
actionparsnip (andrew-woodhead666) said :
#1

What is the output of:

sudo apt-get update; lsb_release -a; uname -a

Thanks

David Cary (dcary) said :
#2

$ sudo apt-get update
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Hit:2 http://us.archive.ubuntu.com/ubuntu xenial InRelease
Get:3 http://us.archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB]
Get:4 http://security.ubuntu.com/ubuntu xenial-security/main amd64 DEP-11 Metadata [50.0 kB]
Get:5 http://security.ubuntu.com/ubuntu xenial-security/main DEP-11 64x64 Icons [39.7 kB]
Get:6 http://security.ubuntu.com/ubuntu xenial-security/universe amd64 DEP-11 Metadata [32.1 kB]
Get:7 http://security.ubuntu.com/ubuntu xenial-security/universe DEP-11 64x64 Icons [37.0 kB]
Get:8 http://us.archive.ubuntu.com/ubuntu xenial-backports InRelease [102 kB]
Get:9 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [485 kB]
Get:10 http://us.archive.ubuntu.com/ubuntu xenial-updates/main i386 Packages [476 kB]
Get:11 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 DEP-11 Metadata [288 kB]
Get:12 http://us.archive.ubuntu.com/ubuntu xenial-updates/main DEP-11 64x64 Icons [186 kB]
Get:13 http://us.archive.ubuntu.com/ubuntu xenial-updates/universe amd64 Packages [429 kB]
Get:14 http://us.archive.ubuntu.com/ubuntu xenial-updates/universe i386 Packages [421 kB]
Get:15 http://us.archive.ubuntu.com/ubuntu xenial-updates/universe amd64 DEP-11 Metadata [139 kB]
Get:16 http://us.archive.ubuntu.com/ubuntu xenial-updates/universe DEP-11 64x64 Icons [169 kB]
Get:17 http://us.archive.ubuntu.com/ubuntu xenial-updates/multiverse amd64 DEP-11 Metadata [2,520 B]
Get:18 http://us.archive.ubuntu.com/ubuntu xenial-backports/main amd64 DEP-11 Metadata [3,328 B]
Fetched 3,064 kB in 5s (529 kB/s)
Reading package lists... Done

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial

$ uname -a
Linux Dell21D 4.8.0-39-generic #42~16.04.1-Ubuntu SMP Mon Feb 20 15:06:07 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

actionparsnip (andrew-woodhead666) said :
#3

What is the output of:

apt-cache policy `dpkg -l | awk {'print $2'} | grep tor`

Thanks

David Cary (dcary) said :
#4

Selected results from the command include:

tor:
  Installed: 0.2.7.6-1ubuntu1
  Candidate: 0.2.7.6-1ubuntu1
  Version table:
 *** 0.2.7.6-1ubuntu1 500
        500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        100 /var/lib/dpkg/status
tor-geoipdb:
  Installed: 0.2.7.6-1ubuntu1
  Candidate: 0.2.7.6-1ubuntu1
  Version table:
 *** 0.2.7.6-1ubuntu1 500
        500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu xenial/universe i386 Packages
        100 /var/lib/dpkg/status
torbrowser-launcher:
  Installed: 0.2.4-1
  Candidate: 0.2.4-1
  Version table:
 *** 0.2.4-1 500
        500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        100 /var/lib/dpkg/status
torsocks:
  Installed: 2.1.0-2
  Candidate: 2.1.0-2
  Version table:
 *** 2.1.0-2 500
        500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        100 /var/lib/dpkg/status

There were also entries for the following packages, which I can provide if they are relevant:
a11y-profile-manager-indicator, gir1.2-appindicator3-0.1, gnome-calculator, gnome-system-monitor, indicator-application, indicator-appmenu, indicator-bluetooth, indicator-datetime, indicator-keyboard, indicator-messages, indicator-power, indicator-printers, indicator-session, indicator-sound, language-selector-common, language-selector-gnome, libappindicator3-1, libatk-adaptor, libgirepository-1.0-1, libindicator3-7, libraptor2-0, unity-scope-calculator, usb-creator-common, usb-creator-gtk

actionparsnip (andrew-woodhead666) said :
#5

If you run:

torbrowser-launcher

Is there any useful information in the terminal?

David Cary (dcary) said :
#6

The command output in terminal was:

$ torbrowser-launcher
Tor Browser Launcher
By Micah Lee, licensed under MIT
version 0.2.4
https://github.com/micahflee/torbrowser-launcher
Downloading and installing Tor Browser for the first time.
Downloading https://dist.torproject.org/torbrowser/update_2/release/Linux_x86_64-gcc3/x/en-US
Latest version: 6.5
Downloading https://dist.torproject.org/torbrowser/6.5/tor-browser-linux64-6.5_en-US.tar.xz.asc
Downloading https://dist.torproject.org/torbrowser/6.5/tor-browser-linux64-6.5_en-US.tar.xz
Verifying signature

The usual "SIGNATURE VERIFICATION FAILED" message was also displayed in the GUI interface.

FWIW, running the command put three files in ~/.cache/torbrowser/download:
-rw-rw-r-- 1 myusrnm myusrnm 629 Mar 6 11:51 release.xml
-rw-rw-r-- 1 myusrnm myusrnm 70893640 Mar 6 11:59 tor-browser-linux64-6.5_en-US.tar.xz
-rw-rw-r-- 1 myusrnm myusrnm 801 Mar 6 11:51 tor-browser-linux64-6.5_en-US.tar.xz.asc

The tor-browser-linux64-6.5_en-US.tar.xz file has a SHA512 hash value of:
39ff459b2e2ef0a5b2ca22c48aadb7277566a2b863ae8995446beff074f5dc959d6fcd72dc359877b7a160e2ec7a9e6230956cb088317d0a9c88aa5c52d62025

The release.xml file consists of:
<?xml version="1.0" encoding="UTF-8"?>
<updates><update type="minor" displayVersion="6.5" appVersion="6.5" platformVersion="45.7.0" buildID="20170201080101" detailsURL="https://blog.torproject.org/blog/tor-browser-65-released" actions="showURL" openURL="https://blog.torproject.org/blog/tor-browser-65-released"><patch URL="https://cdn.torproject.org/aus1/torbrowser/6.5/tor-browser-linux64-6.5_en-US.mar" hashFunction="SHA512" hashValue="0998e5579b62bbd2750af36687090697989a00f0e319e4f046c548c659137df68fb055d1e87e58adf84d7ee60856002d8a216f1e77c4855f5b68a359597143a7" size="89325241" type="complete"></patch></update></updates>

The *.asc file contains:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

actionparsnip (andrew-woodhead666) said :
#7

All I can suggest is that you report a bug

David Cary (dcary) said :
#8

Thanks for your help. I did file a bug report, which is at:
    https://bugs.launchpad.net/bugs/1670506

Based on some additional diagnosis, here is a useful work-around until that fix gets backported to the 16.04 LTS.

After the signature verification fails, cancel the "SIGNATURE VERIFICATION FAILED" message, open a terminal, and enter the work-around command:

gpg --homedir ~/.local/share/torbrowser/gnupg_homedir \
    --keyserver pool.sks-keyservers.net \
    --recv-keys 0x4E2C6E8793298290

(Type it all on one line without the backslashes, or type it on separate lines and be sure not to type a space on the same line after a backslash.)

Then restart the torbrowser-launcher. The downloads and signature verification should now work (they did for me).

The reason this works (or at least why it worked for me) is as follows:

The signature verification fails because the torbrowser-launcher package is missing a more up-to-date signing key from the Tor developers. You can verify that is the problem by changing to the ~/.cache/torbrowser/download directory and running a near equivalent of the verification command that torbrowser-launcher runs:

gpg --homedir ~/.local/share/torbrowser/gnupg_homedir --verify tor-browser*.xz.asc tor-browser*.xz

(In my case, the file names were tor-browser-linux64-6.5.1_en-US.tar.xz.asc and tor-browser-linux64-6.5.1_en-US.tar.xz.)

When I ran that command, it displayed the following messages:

gpg: Signature made Mon 06 Mar 2017 07:11:54 AM PST using RSA key ID C3C07136
gpg: Can't check signature: public key not found

You can verify that the key with ID C3C07136 is missing from the launcher's keyring by running the command:

gpg --homedir ~/.local/share/torbrowser/gnupg_homedir --list-keys

which in my case displayed messages:

/home/myid/.local/share/torbrowser/gnupg_homedir/pubring.gpg
------------------------------------------------------------
pub 4096R/93298290 2014-12-15
uid Tor Browser Developers (signing key) <email address hidden>
sub 4096R/F65C2036 2014-12-15
sub 4096R/D40814E0 2014-12-15
sub 4096R/589839A3 2014-12-15

After running the above --recv-keys work-around command, that same --list-keys command displayed messages:

/home/myid/.local/share/torbrowser/gnupg_homedir/pubring.gpg
------------------------------------------------------------
pub 4096R/93298290 2014-12-15 [expires: 2020-08-24]
uid Tor Browser Developers (signing key) <email address hidden>
sub 4096R/F65C2036 2014-12-15 [expires: 2017-08-25]
sub 4096R/D40814E0 2014-12-15 [expires: 2017-08-25]
sub 4096R/C3C07136 2016-08-24 [expires: 2018-08-24]

i.e. with the previously missing key, C3C07136, now available for signature verification.

Note that in the --recv-keys work-around command, the value of 0x4E2C6E8793298290 came from the Tor Project's web page explaining how to verify signatures:
    https://www.torproject.org/docs/verifying-signatures.html.en

which recommends the command:
    gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290

The suggested work-around command just adds the --homedir option to put the keys in the special torbrowser-launcher keyring. Before running the work-around command you might want to verify that the Tor Project has not changed its recommendation.
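A defender-side check built on the diagnosis in #8, added here as an example (it is not torbrowser-launcher's own code): it runs the same --verify against the launcher's keyring and tells a stale keyring (the cause in this thread) apart from a signature that genuinely fails, which is the case where the tarball must not be unpacked. The function names and the constructed sample outputs are mine; the paths and key IDs are the ones named in the answer, and the output format assumed is the GnuPG 1.x text quoted above.

```shell
#!/bin/sh
# Added example (not torbrowser-launcher's own code): classify a gpg --verify
# result on the downloaded Tor Browser tarball, so a stale launcher keyring
# (the cause in this thread) is told apart from a genuinely bad signature.
# Assumes the GnuPG 1.x human-readable output quoted in the thread; the
# paths mirror the ones torbrowser-launcher 0.2.4 uses above.
TBL_HOME="$HOME/.local/share/torbrowser/gnupg_homedir"   # launcher keyring
TBL_DL="$HOME/.cache/torbrowser/download"                # downloaded files

# Reads gpg's verify output on stdin and prints one of:
#   good           signature checks out against a key already in the keyring
#   bad            signature does not match the tarball: do not unpack it
#   missing-key:X  signing (sub)key X is absent; refresh the keyring, re-run
#   unknown        anything else (inspect by hand)
classify_gpg_verify() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^gpg: BAD signature'; then
        echo bad
    elif printf '%s\n' "$out" | grep -q '^gpg: Good signature'; then
        echo good
    elif printf '%s\n' "$out" | grep -q "Can't check signature: public key not found"; then
        id=$(printf '%s\n' "$out" |
             sed -n 's/.*using [A-Z]* key ID \([0-9A-Fa-f]*\).*/\1/p' | head -n 1)
        echo "missing-key:${id:-unknown}"
    else
        echo unknown
    fi
}

# $1 = short key ID; stdin = output of `gpg --list-keys`. Succeeds if any
# primary key ("pub") or subkey ("sub") line carries that ID.
keyring_has_key() {
    grep -Eq "^(pub|sub) +[0-9]+[A-Za-z]/$1( |$)"
}

# Live check against the real download (needs gpg and the files present).
verify_download() {
    ( cd "$TBL_DL" && gpg --homedir "$TBL_HOME" --verify \
          tor-browser*.xz.asc tor-browser*.xz 2>&1 ) | classify_gpg_verify
}

# Constructed samples matching the thread's output, for offline use.
SAMPLE_VERIFY='gpg: Signature made Mon 06 Mar 2017 07:11:54 AM PST using RSA key ID C3C07136
gpg: Can'"'"'t check signature: public key not found'
SAMPLE_LIST='pub 4096R/93298290 2014-12-15
sub 4096R/F65C2036 2014-12-15
sub 4096R/D40814E0 2014-12-15'
```

Only a "missing-key" result is the benign case this thread describes; a "bad" result means the .asc does not sign the file you have, and fetching more keys will not change that.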
