Wednesday, September 29, 2021

How to verify Tor Browser in macOS


Official reference: How can I verify Tor Browser's signature?

1. Download installer for macOS (.dmg)


2. Download corresponding signature file



3. Ensure GPG exists; if not, install GnuPG (GPG)

4. Open Terminal

5. Use the command below to fetch the Tor Developers key

> gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

6. The above command will produce something like the following response. The 40-character fingerprint on the line below "pub" is the value exported in the next step.

gpg: key 4E2C6E8793298290: "Tor Browser Developers (signing key) <torbrowser@torproject.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
pub   rsa4096 2014-12-15 [C] [expires: 2025-07-21]
      EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
uid           [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub   rsa4096 2018-05-26 [S] [expires: 2022-01-04]


7. After importing the key, save it to a file named tor.keyring

> gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290

8. Verify the signature of the downloaded Tor package by checking it against its corresponding signature file

> gpgv --keyring ./tor.keyring ~/Downloads/TorBrowser-10.5.6-osx64_en-US.dmg.asc ~/Downloads/TorBrowser-10.5.6-osx64_en-US.dmg

9. The result of the above command should show something like the following. Take note of the "Good signature" in the response:

gpgv: Signature made Wed Sep  8 11:14:41 2021 PST
gpgv:                using RSA key EB774491D9FF06E2
gpgv: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"

10. Done.
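
Steps 8 and 9 as a script, added here as an example (not from the original post or the Tor Project): it reads gpgv's machine-readable status lines and accepts the download only if the signature chains to the primary key fingerprint from step 6. The function names and the sample status lines are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the original post. Wraps step 8 and checks gpgv's
# machine-readable status instead of eyeballing "Good signature".

# Primary key fingerprint shown in step 6 and exported in step 7.
TOR_FPR=EF6E286DDA85EA2A4BA7DE684E2C6E8793298290

# Read `gpgv --status-fd` lines on stdin. Succeed only if a VALIDSIG line
# carries the expected primary key fingerprint (field 12) and no status line
# reports a bad, unverifiable, expired or revoked signature or key.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && toupper($12) == toupper(want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# usage: verify_dmg KEYRING SIGNATURE FILE
# Give the keyring a path component (./tor.keyring) as step 8 does; a bare
# file name is looked up in the GnuPG home directory instead.
verify_dmg() {
    gpgv --status-fd 1 --keyring "$1" "$2" "$3" 2>/dev/null | check_status "$TOR_FPR"
}

# Constructed sample of the status lines for a good signature. The subkey
# fingerprint is a zero-padded placeholder built from the key ID in step 9;
# the timestamps and algorithm fields are made up.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EB774491D9FF06E2 Tor Browser Developers (signing key) <torbrowser@torproject.org>
[GNUPG:] VALIDSIG 000000000000000000000000EB774491D9FF06E2 2021-09-08 1631070881 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
EOF
}

if [ "$#" -eq 3 ]; then
    if verify_dmg "$1" "$2" "$3"; then echo "OK: signed by $TOR_FPR"
    else echo "FAILED: do not open $3" >&2; exit 1; fi
else
    sample_status | check_status "$TOR_FPR" && echo "sample status accepted"
fi
```

Run it with the same three arguments as step 8 (keyring, .asc file, .dmg file); with no arguments it only checks the constructed sample. An expired signing key is treated as a failure, so re-run step 5 and step 7 to refresh the keyring if that happens.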