download.inline.html 27 KB
Newer Older
1 2 3 4
<!-- Deprecation of the extension -->
<div id="activate-tails-verification"></div>
<div id="extension-version">2.4</div>

5 6
<div id="tails-version">[[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]]</div>

sajolida's avatar
sajolida committed
7
<h1 class="usb upgrade dvd vm">Download Tails [[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]]</h1>
8

sajolida's avatar
sajolida committed
9
<div class="tip upgrade">
10 11 12 13 14

<p>While you are downloading, we recommend you read the
[[release notes|doc/upgrade/release_notes]] for Tails
[[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]]<span class="remove-extra-space">.</span>
They document all the changes in this new version: new features, problems that
sajolida's avatar
sajolida committed
15
were solved, and known issues that have already been identified.</p>
16 17 18 19 20

<!-- We should remove this note in favor of clickable URLs in Tails Upgrader. [[!tails_ticket 17068]] -->

</div>

sajolida's avatar
sajolida committed
21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40
<div id="step-download">
  <h3><span class="step-number"><span class="usb upgrade">1.</span>1</span>Download Tails</h3>
  <div class="usb upgrade download-only-img indent">
    <a href="[[!inline pages="inc/stable_amd64_img_url" raw="yes" sort="age"]]" id="download-img" class="use-mirror-pool button inline-block">Download Tails [[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]] USB image (<span class="remove-extra-space">[[!inline pages="inc/stable_amd64_img_size" raw="yes" sort="age"]]</span>)</a>
    <a href="[[!inline pages="inc/stable_amd64_img_url" raw="yes" sort="age"]]" id="download-img-retry" class="use-mirror-pool-on-retry button inline-block">Download Tails [[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]] USB image (<span class="remove-extra-space">[[!inline pages="inc/stable_amd64_img_size" raw="yes" sort="age"]]</span>)</a>
  </div>
  <div class="dvd vm download-only-iso indent">
    <a href="[[!inline pages="inc/stable_amd64_iso_url" raw="yes" sort="age"]]" id="download-iso" class="use-mirror-pool button inline-block">Download Tails [[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]] ISO image (<span class="remove-extra-space">[[!inline pages="inc/stable_amd64_iso_size" raw="yes" sort="age"]]</span>)</a>
    <a href="[[!inline pages="inc/stable_amd64_iso_url" raw="yes" sort="age"]]" id="download-iso-retry" class="use-mirror-pool-on-retry button inline-block">Download Tails [[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]] ISO image (<span class="remove-extra-space">[[!inline pages="inc/stable_amd64_iso_size" raw="yes" sort="age"]]</span>)</a>
  </div>
  <div id="download-minor" class="indent">
    <p id="bittorrent">
      or download using
      <a href="[[!inline pages="inc/stable_amd64_img_torrent_url" raw="yes" sort="age"]]" id="download-img-torrent" class="usb upgrade download-only-img">BitTorrent</a>
      <a href="[[!inline pages="inc/stable_amd64_iso_torrent_url" raw="yes" sort="age"]]" id="download-iso-torrent" class="dvd vm download-only-iso">BitTorrent</a>
    </p>
    <p id="try-another-mirror">If the download fails, try to
      <a href="[[!inline pages="inc/stable_amd64_img_url" raw="yes" sort="age"]]" class="usb upgrade download-only-img">download from another mirror.</a>
      <a href="[[!inline pages="inc/stable_amd64_iso_url" raw="yes" sort="age"]]" class="dvd vm download-only-iso">download from another mirror.</a>
    </p>
sajolida's avatar
sajolida committed
41
  </div>
sajolida's avatar
sajolida committed
42
</div>
sajolida's avatar
sajolida committed
43

sajolida's avatar
sajolida committed
44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68
<div id="step-verify">
  <h3><span class="step-number"><span class="usb upgrade">1.</span>2</span>Verify your download</h3>
  <div id="javascript-verification-tip" class="indent block">
    <p>For your security, always verify your download.</p>
    <p class="floating-toggleable-link why-verify-link">[[!toggle id="why-verify" text="Why?"]]</p>
    <div id="why-verify" class="floating-toggleable">
    [[!toggleable id="why-verify" text="""
    [[!toggle id="why-verify" text="X"]]
    <p>With an unverified download, you might:</p>
    <ul>
      <li>Lose time if your download is incomplete or broken due to an error during the download.
          This is quite frequent.</li>
      <li>Get hacked while using Tails if our download mirrors have been compromised and are serving malicious downloads.<br/>
          <a href="http://blog.linuxmint.com/?p=2994">This already happened to other operating systems.</a></li>
      <li>Get hacked while using Tails if your download is modified on the fly by an attacker on the network.<br/>
          <a href="https://en.wikipedia.org/wiki/DigiNotar">This is possible for strong adversaries.</a></li>
    </ul>
    <p>[[How does the verification work?|contribute/design/verification_extension]]</p>
    """]]
    </div>
  </div>
  <div id="bittorrent-verification-tip" class="indent block">
    <p>Your BitTorrent client will automatically verify your download when it completes.</p>
    <p>The verification below is optional for a BitTorrent download.</p>
  </div>
69 70 71 72 73 74
  <div id="extension" class="indent block tip">
    <p><strong>You have our <em>Tails Verification</em> extension installed.</strong></p>
    <p>Since December 2020, you can do the verification directly on the page.
    You don't need the <em>Tails Verification</em> anymore and can safely remove it.</p>
    <p>See our [[statement about the deprecation of the <em>Tails Verification</em> extension|news/verification_extension_deprecation]].</p>
  </div>
sajolida's avatar
sajolida committed
75 76 77 78
  <div id="verification" class="indent block">
    <div id="no-js">
      <p>You seem to have JavaScript disabled. To verify your download,
         you can either:</p>
sajolida's avatar
sajolida committed
79
      <ul>
sajolida's avatar
sajolida committed
80 81 82 83 84
        <li>Enable JavaScript.</li>
        <li>Compare manually the checksum of your download with [[the
            list of checksum of our images|install/v2/Tails/amd64/stable/latest.json]].<br/>
            See our documentation on [[calculation checksums using
            GtkHash|doc/encryption_and_privacy/checksums]].</li>
sajolida's avatar
sajolida committed
85 86
      </ul>
    </div>
sajolida's avatar
sajolida committed
87 88 89
    <div id="ie">
      <p>You seem to be using <em>Internet Explorer</em>. To verify your download,
         please use a different browser.</p>
90
    </div>
sajolida's avatar
sajolida committed
91 92 93 94 95 96 97 98 99 100
    <div id="verify-button" class="block">
      <label class="button">
        Verify Tails <span class="remove-extra-space">&nbsp;[[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]]</span>&hellip;
        <input id="verify-file" type="file"/>
      </label>
    </div>
    <div id="verifying-download" class="block">
      <p>Verifying <em><span class="verify-filename">$FILENAME</span></em>&hellip;</p>
      <div class="progress">
        <div id="progress-bar" class="progress-bar" role="progressbar" style="width: 0%" aria-valuenow="0" aria-valuemin="0" aria-valuemax="100"></div>
sajolida's avatar
sajolida committed
101
      </div>
sajolida's avatar
sajolida committed
102 103 104 105 106 107 108 109 110 111 112 113
    </div>
    <div id="verification-successful" class="block">
      <p>[[!img lib/check.png class="icon" link="no" alt=""]]Verification successful!</p>
    </div>
    <div id="verification-failed" class="block">
      <p>[[!img lib/cross.png class="icon" link="no" alt=""]]<b>Verification failed!</b></p>
      <p class="floating-toggleable-link why-failed-link">[[!toggle id="why-failed" text="Why?"]]</p>
      <div id="why-failed" class="floating-toggleable">
      [[!toggleable id="why-failed" text="""
      [[!toggle id="why-failed" text="X"]]
      <p>Most likely, the verification failed because of an error
      or interruption during the download.</p>
sajolida's avatar
sajolida committed
114

sajolida's avatar
sajolida committed
115 116
      <p>The verification also fails if you try to verify a different
      download than the latest version (<span class="remove-extra-space">[[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]]</span>).</p>
sajolida's avatar
sajolida committed
117

sajolida's avatar
sajolida committed
118 119 120
      <p>Less likely, the verification might have failed because
      of a malicious download from our download mirrors or due to
      a network attack in your country or local network.</p>
sajolida's avatar
sajolida committed
121

sajolida's avatar
sajolida committed
122 123
      <p>Downloading again is usually enough to fix this
      problem.</p>
124

sajolida's avatar
sajolida committed
125 126
      <p>[[How does the verification work?|contribute/design/verification_extension]]</p>
      """]]
sajolida's avatar
sajolida committed
127
      </div>
sajolida's avatar
sajolida committed
128 129
      <p class="usb upgrade download-only-img"><a href="[[!inline pages="inc/stable_amd64_img_url" raw="yes" sort="age"]]" id="download-img-again" class="use-mirror-pool-on-retry">Please try to download again&hellip;</a></p>
      <p class="dvd vm download-only-iso"><a href="[[!inline pages="inc/stable_amd64_iso_url" raw="yes" sort="age"]]" id="download-iso-again" class="use-mirror-pool-on-retry">Please try to download again&hellip;</a></p>
130
    </div>
sajolida's avatar
sajolida committed
131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146
    <div id="verification-failed-again" class="block">
      <p>[[!img lib/cross.png class="icon" link="no" alt=""]]<b>Verification failed again!</b></p>
      <p class="floating-toggleable-link why-failed-again-link">[[!toggle id="why-failed-again" text="Why?"]]</p>
      <div id="why-failed-again" class="floating-toggleable">
      [[!toggleable id="why-failed-again" text="""
      [[!toggle id="why-failed-again" text="X"]]
      <p>The verification might have failed again because of:</p>
      <ul>
        <li>A software problem in our verification code</li>
        <li>A malicious download from our download mirrors</li>
        <li>A network attack in your country or local network</li>
      </ul>
      <p>Trying from a different place or a different computer might solve any of these issues.</p>
      """]]
      </div>
      <p>Please try to download again from a different place or a different computer&hellip;</p>
147
    </div>
sajolida's avatar
sajolida committed
148 149 150 151
    <div id="verification-error-json" class="block">
      <p>[[!img lib/cross.png class="icon" link="no" alt=""]]<b>Error downloading <a id="checksum-file" href="">checksum file</a> from our website.</b></p>
      <p>Make sure that your browser is connected to the Internet.</p>
      <p><a id="retry-json">Retry&hellip;</a></p>
sajolida's avatar
sajolida committed
152
    </div>
sajolida's avatar
sajolida committed
153 154 155 156
    <div id="verification-error-image" class="block">
      <p>[[!img lib/cross.png class="icon" link="no" alt=""]]<b>Error reading image <em><span class="verify-filename">$FILENAME</span></em>.</b></p>
      <p>Make sure that <em><span class="verify-filename">$FILENAME</span></em> is readable by your browser.</p>
      <p><a id="retry-image">Retry&hellip;</a></p>
sajolida's avatar
sajolida committed
157 158 159
    </div>
  </div>
</div>
sajolida's avatar
sajolida committed
160 161 162 163 164 165

<div id="step-continue">
  <h3><span class="step-number"><span class="usb upgrade">1.</span>3</span>Continue
    <span class="usb">installing</span>
    <span class="upgrade">upgrading</span>
    <span class="download-only-img download-only-iso">installing or upgrading</span></h3>
sajolida's avatar
sajolida committed
166
</div>
sajolida's avatar
sajolida committed
167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218

<div id="continue-link" class="indent">
  <div id="skip-download">
    <span class="windows">[[Skip download|win/usb]]</span>
    <span class="linux">[[Skip download|linux/usb]]</span>
    <span class="mac">[[Skip download|mac/usb]]</span>
    <span class="dvd">[[Skip download|dvd]]</span>
    <span class="vm">[[Skip download|doc/advanced_topics/virtualization]]</span>
    <span class="upgrade-tails">[[Skip download|upgrade/tails]]</span>
    <span class="upgrade-windows">[[Skip download|upgrade/win]]</span>
    <span class="upgrade-mac">[[Skip download|upgrade/mac]]</span>
    <span class="upgrade-linux">[[Skip download|upgrade/linux]]</span>
    <span class="download-only-img download-only-iso">[[Skip download|doc#install]]</span>
  </div>
  <div id="skip-verification">
    <p>[[!img icons/dialog-warning-small.png class="icon" link="no" alt=""]]
      <span class="windows">[[Skip verification!|win/usb]]</span>
      <span class="linux">[[Skip verification!|linux/usb]]</span>
      <span class="mac">[[Skip verification!|mac/usb]]</span>
      <span class="dvd">[[Skip verification!|dvd]]</span>
      <span class="vm">[[Skip verification!|doc/advanced_topics/virtualization]]</span>
      <span class="upgrade-tails">[[Skip verification!|upgrade/tails]]</span>
      <span class="upgrade-windows">[[Skip verification!|upgrade/win]]</span>
      <span class="upgrade-mac">[[Skip verification!|upgrade/mac]]</span>
      <span class="upgrade-linux">[[Skip verification!|upgrade/linux]]</span>
      <span class="download-only-img download-only-iso">[[Skip verification|doc#install]]</span>
    </p>
  </div>
  <div id="next" class="inline-block">
    <div class="windows">[[<div class="button">Next: Install Tails (<span class="next-counter"></span>)</div>|win/usb]]</div>
    <div class="linux">[[<div class="button">Next: Install Tails (<span class="next-counter"></span>)</div>|linux/usb]]</div>
    <div class="mac">[[<div class="button">Next: Install Tails (<span class="next-counter"></span>)</div>|mac/usb]]</div>
    <div class="upgrade-tails">[[<div class="button">Next: Install an intermediary Tails (<span class="next-counter"></span>)</div>|upgrade/tails]]</div>
    <div class="upgrade-windows">[[<div class="button">Next: Install an intermediary Tails (<span class="next-counter"></span>)</div>|upgrade/win]]</div>
    <div class="upgrade-mac">[[<div class="button">Next: Install an intermediary Tails (<span class="next-counter"></span>)</div>|upgrade/mac]]</div>
    <div class="upgrade-linux">[[<div class="button">Next: Install an intermediary Tails (<span class="next-counter"></span>)</div>|upgrade/linux]]</div>
    <div class="dvd">[[<div class="button">Next: Burning Tails on a DVD</div>|dvd]]</div>
    <div class="vm">[[<div class="button">Next: Virtualization</div>|doc/advanced_topics/virtualization]]</div>
    <div class="download-only-img">
      <p>Upgrade your Tails USB stick and keep your Persistent Storage:</p>
      <ul>
        <li>[[Upgrade from your Tails|upgrade/tails]]</li>
        <li>[[Upgrade from Windows|upgrade/win]]</li>
        <li>[[Upgrade from macOS|upgrade/mac]]</li>
        <li>[[Upgrade from Linux|upgrade/linux]]</li>
      </ul>
      <p>Install a new USB stick:</p>
      <ul>
        <li>[[Install from Windows|install/win/usb]]</li>
        <li>[[Install from macOS|install/mac/usb]]</li>
        <li>[[Install from Linux|install/linux/usb]]</li>
      </ul>
sajolida's avatar
sajolida committed
219
    </div>
sajolida's avatar
sajolida committed
220 221 222 223
    <ul class="download-only-iso">
      <li>[[Burn on a DVD|dvd]]</li>
      <li>[[Run in a virtual machine|doc/advanced_topics/virtualization]]</li>
    </ul>
sajolida's avatar
sajolida committed
224
  </div>
225
</div>
226 227 228 229 230 231

<div id="openpgp">

<h2>Verify using OpenPGP (optional)</h2>

<p>If you know OpenPGP, you can also verify your download using an
232
OpenPGP signature instead of, or in addition to, our verification in the browser or
233 234
BitTorrent.</p>

cbrownstein's avatar
cbrownstein committed
235
<p>Download the
sajolida's avatar
sajolida committed
236
<a class="usb upgrade download-only-img" href="[[!inline pages="inc/stable_amd64_img_sig_url" raw="yes" sort="age"]]">OpenPGP signature for the Tails [[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]] USB image</a>
cbrownstein's avatar
cbrownstein committed
237 238 239
<a class="dvd vm download-only-iso" href="[[!inline pages="inc/stable_amd64_iso_sig_url" raw="yes" sort="age"]]">OpenPGP signature for the Tails [[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]] ISO image</a>
and save it to the same folder where
you saved the image.</p>
240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260

<h3>Basic OpenPGP verification</h3>

[[!toggle id="basic-openpgp" text="See instructions for basic OpenPGP verification."]]

[[!toggleable id="basic-openpgp" text="""
<span class="hide">[[!toggle id="basic-openpgp" text=""]]</span>

<p>This section provides simplified instructions:</p>

<ul>
  <li><a href="#windows">In Windows with <span class="application">Gpg4win</span></a></li>
  <li><a href="#mac">In macOS with <span class="application">GPGTools</span></a></li>
  <li><a href="#tails">In Tails</a></li>
  <li><a href="#command-line">Using the command line</a></li>
</ul>

<a id="windows"></a>

<h3>In Windows with <span class="application">Gpg4win</span></h3>

sajolida's avatar
sajolida committed
261
<ol>
262 263
  <li>
    <p>Download the
sajolida's avatar
sajolida committed
264
    <a class="usb upgrade download-only-img" href="[[!inline pages="inc/stable_amd64_img_sig_url" raw="yes" sort="age"]]">OpenPGP signature for the Tails [[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]] USB image</a>
265 266 267 268 269
    <a class="dvd vm download-only-iso" href="[[!inline pages="inc/stable_amd64_iso_sig_url" raw="yes" sort="age"]]">OpenPGP signature for the Tails [[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]] ISO image</a>
    and save it to the same folder where
    you saved the image.</p>
  </li>

sajolida's avatar
sajolida committed
270 271 272
  <li>
    <p>Download the [[Tails signing key|tails-signing.key]] and import it into
    <span class="application">Gpg4win</span>.</p>
273

sajolida's avatar
sajolida committed
274 275 276
    <p>See the [[<span class="application">Gpg4win</span> documentation on
    importing keys|https://www.gpg4win.org/doc/en/gpg4win-compendium_15.html]].</p>
  </li>
277

sajolida's avatar
sajolida committed
278
  <li>
sajolida's avatar
sajolida committed
279 280
    <p>Verify the signature of the image that you downloaded.</p>

sajolida's avatar
sajolida committed
281 282
    <p>See the [[<span class="application">Gpg4win</span> documentation on
    verifying signatures|http://www.gpg4win.org/doc/en/gpg4win-compendium_24.html#id4]].</p>
283

sajolida's avatar
sajolida committed
284 285
    <p>Verify that the date of the signature is at most five days earlier than
    the latest version: [[!inline pages="inc/stable_amd64_date" raw="yes" sort="age"]].</p>
286

sajolida's avatar
sajolida committed
287
    <p>If the following warning appears:</p>
288

sajolida's avatar
sajolida committed
289 290 291 292 293
    <pre>
    Not enough information to check the signature validity.
    Signed on ... by tails@boum.org (Key ID: 0x58ACD84F
    The validity of the signature cannot be verified.
    </pre>
294

sajolida's avatar
sajolida committed
295 296 297 298 299
    <p>Then the image is still correct according to the signing key that you
    downloaded. To remove this warning you need to <a href="#wot">authenticate the
    signing key through the OpenPGP Web of Trust</a>.</p>
  </li>
</ol>
300 301 302 303 304 305

<a id="mac"></a>

<h3>In macOS using <span class="application">GPGTools</span></h3>

<ol>
306 307
  <li>
    <p>Download the
sajolida's avatar
sajolida committed
308
    <a class="usb upgrade download-only-img" href="[[!inline pages="inc/stable_amd64_img_sig_url" raw="yes" sort="age"]]">OpenPGP signature for the Tails [[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]] USB image</a>
309 310 311 312 313
    <a class="dvd vm download-only-iso" href="[[!inline pages="inc/stable_amd64_iso_sig_url" raw="yes" sort="age"]]">OpenPGP signature for the Tails [[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]] ISO image</a>
    and save it to the same folder where
    you saved the image.</p>
  </li>

cbrownstein's avatar
cbrownstein committed
314 315 316 317 318 319
  <li>
   <p>Download the [[Tails signing key|tails-signing.key]] and import it into
   <span class="application">GPGTools</span>.</p>
   <p>See the [[<span class="application">GPGTools</span> documentation on
   importing keys|https://gpgtools.tenderapp.com/kb/gpg-keychain-faq/how-to-find-public-keys-of-your-friends-and-import-them#import-key-file]].</p>
  </li>
320
  <li>
321 322
   <p>Open <span class="application">Finder</span> and navigate to the
   folder where you saved the image and the signature.</p>
323 324 325
  </li>

  <li>
326
   <p>Control-click on the image and choose
327 328
   <span class="guimenuchoice">
     <span class="guisubmenu">Services</span>
329
     <span class="guimenuitem">OpenPGP: Verify Signature of File</span></span>.</p>
330 331 332 333 334 335 336
  </li>
</ol>

<a id="tails"></a>

<h3>In Tails</h3>

337 338
<p>Tails comes with the Tails signing key already imported.</p>

339
<ol>
340 341
  <li>
    <p>Download the
sajolida's avatar
sajolida committed
342
    <a class="usb upgrade download-only-img" href="[[!inline pages="inc/stable_amd64_img_sig_url" raw="yes" sort="age"]]">OpenPGP signature for the Tails [[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]] USB image</a>
343 344 345 346 347
    <a class="dvd vm download-only-iso" href="[[!inline pages="inc/stable_amd64_iso_sig_url" raw="yes" sort="age"]]">OpenPGP signature for the Tails [[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]] ISO image</a>
    and save it to the same folder where
    you saved the image.</p>
  </li>

348
  <li>
349 350
   <p>Open the file browser and navigate to the folder where you saved the
   image and the signature.</p>
351 352 353
  </li>

  <li>
354 355
   <p>Right-click (on Mac, click with two fingers) on the signature and choose <span class="guimenuitem">Open With
   Verify Signature</span>.</p>
356 357 358
  </li>

  <li>
359
   <p>The verification of the image starts automatically:</p>
360 361 362 363 364

   <p>[[!img install/inc/screenshots/verifying_in_tails.png link="no"]]</p>
  </li>

  <li>
365 366
   <p>After the verification finishes, you should see a notification that the
   signature is good:</p>
367

sajolida's avatar
sajolida committed
368
   <p class="usb upgrade download-only-img">[[!img install/inc/screenshots/verifying_in_tails_img_good.png link="no"]]</p>
369
   <p class="dvd vm download-only-iso">[[!img install/inc/screenshots/verifying_in_tails_iso_good.png link="no"]]</p>
370 371 372

   <p>Verify that the date of the signature is at most five days earlier
   than the latest version: [[!inline pages="inc/stable_amd64_date" raw="yes" sort="age"]].</p>
373 374 375

   <p>If instead, you see a notification that the signature is valid but untrusted:</p>

sajolida's avatar
sajolida committed
376
   <p class="usb upgrade download-only-img">[[!img install/inc/screenshots/verifying_in_tails_img_untrusted.png link="no"]]</p>
377 378 379 380 381
   <p class="dvd vm download-only-iso">[[!img install/inc/screenshots/verifying_in_tails_iso_untrusted.png link="no"]]</p>

   <p>Then the image is still correct according to the signing key that you
   downloaded. To remove this warning you need to <a href="#wot">authenticate
   the signing key through the OpenPGP Web of Trust</a>.</p>
382 383 384 385 386 387 388
  </li>
</ol>

<a id="command-line"></a>

<h3>Using the command line</h3>

389

390
<ol>
391 392
  <li>
    <p>Download the
sajolida's avatar
sajolida committed
393
    <a class="usb upgrade download-only-img" href="[[!inline pages="inc/stable_amd64_img_sig_url" raw="yes" sort="age"]]">OpenPGP signature for the Tails [[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]] USB image</a>
394 395 396 397
    <a class="dvd vm download-only-iso" href="[[!inline pages="inc/stable_amd64_iso_sig_url" raw="yes" sort="age"]]">OpenPGP signature for the Tails [[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]] ISO image</a>
    and save it to the same folder where
    you saved the image.</p>
  </li>
398 399

  <li>
400 401 402 403 404 405 406 407 408 409 410 411
    <p>Download the [[Tails signing key|tails-signing.key]] and import it into
    <span class="application">GnuPGP</span>.</p>

    <p>To import the Tails signing key into
    <span class="application">GnuPGP</span>, open a terminal and navigate to
    the folder where you saved the Tails signing key.</p>

    <p>Execute:</p>

    <p class="pre">gpg --import tails-signing.key</p>
  </li>
  <li>
412 413
   <p>In a terminal, navigate to the folder where you saved the
   image and the signature.</p>
414 415 416 417 418
  </li>

  <li>
   <p>Execute:</p>

sajolida's avatar
sajolida committed
419
   <p class="usb upgrade download-only-img pre">[[!inline pages="inc/stable_amd64_img_gpg_verify" raw="yes" sort="age"]]</p>
420 421 422 423
   <p class="dvd vm download-only-iso pre">[[!inline pages="inc/stable_amd64_iso_gpg_verify" raw="yes" sort="age"]]</p>

   <p>The output of this command should be the following:</p>

sajolida's avatar
sajolida committed
424
   <p class="usb upgrade download-only-img pre">[[!inline pages="inc/stable_amd64_img_gpg_signature_output" raw="yes" sort="age"]]</p>
425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461
   <p class="dvd vm download-only-iso pre">[[!inline pages="inc/stable_amd64_iso_gpg_signature_output" raw="yes" sort="age"]]</p>

   <p>Verify that the date of the signature is at most five days
   earlier than the latest version: [[!inline pages="inc/stable_amd64_date" raw="yes" sort="age"]].</p>

   <p>If the output also includes:</p>

   <p class="pre">
   gpg: WARNING: This key is not certified with a trusted signature!<br/>
   gpg:          There is no indication that the signature belongs to the owner.<br/>
   </p>

   <p>Then the image is still correct according to the signing key that you
   downloaded. To remove this warning you need to <a href="#wot">authenticate
   the signing key through the OpenPGP Web of Trust</a>.</p>
  </li>

</ol>

"""]]

<a id="wot"></a>

<h3>Authenticate the signing key through the OpenPGP Web of Trust</h3>

<p>Authenticating our signing key through the OpenPGP Web of Trust is
the only way that you can be protected in case our website is
compromised or if you are a victim of a [[man-in-the-middle attack|doc/about/warning#man-in-the-middle]].
However, it is complicated to do and it might not be
possible for everyone because it relies on trust relationships between
individuals.</p>

[[!toggle id="web-of-trust" text="Read more about authenticating the Tails signing key through the OpenPGP Web of Trust."]]

[[!toggleable id="web-of-trust" text="""
<span class="hide">[[!toggle id="web-of-trust" text=""]]</span>

462
<p>The verification techniques that we present (verification in the browser,
463 464 465 466
BitTorrent, or OpenPGP verification) all rely on some
information being securely downloaded using HTTPS from our website:</p>

<ul>
467
  <li>The <em>checksum</em> for the verification in the browser</li>
468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559
  <li>The <em>Torrent file</em> for BitTorrent</li>
  <li>The <em>Tails signing key</em> for OpenPGP verification</li>
</ul>

<p>It is possible that you could download malicious information if our
website is compromised or if you are a victim of a man-in-the-middle
attack.</p>

<p>OpenPGP verification is the only technique that protects you if
our website is compromised or if you are a victim of a man-in-the-middle
attack. But, for that you need to authenticate the Tails signing key
through the OpenPGP Web of Trust.</p>

<div class="note">

<p>If you are verifying an image from inside Tails, for
example, to do a manual upgrade, then you already have the Tails signing key.
You can trust this signing key as much as you already trust your
Tails installation since this signing key is included in your Tails
installation.</p>

</div>

<p>One of the inherent problems of standard HTTPS is that the trust put
in a website is defined by certificate authorities: a hierarchical and closed
set of companies and governmental institutions approved by your web browser vendor.
This model of trust has long been criticized and proved several times to be
vulnerable to attacks [[as explained on our warning page|doc/about/warning#man-in-the-middle]].</p>

<p>We believe that, instead, users should be given the final say when trusting a
website, and that designation of trust should be done on the basis of human
interactions.</p>

<p>The OpenPGP [[!wikipedia Web_of_Trust]] is a
decentralized trust model based on OpenPGP keys that can help with solving
this problem. Let's see this with an example:</p>

<ol>
  <li>
   <em>You are friends with Alice and you really trust her way of making sure
   that OpenPGP keys actually belong to their owners.</em>
  </li>

  <li>
   <em>Alice met Bob, a Tails developer, in a conference and certified
   Bob's key as actually belonging to Bob.</em>
  </li>

  <li>
    <em>Bob is a Tails developer who directly owns the Tails signing key. So,
    Bob has certified the Tails signing key as actually belonging to Tails.</em>
  </li>
</ol>

<p>In this scenario, you found, through Alice and Bob, a path to trust the Tails signing key
without the need to rely on certificate authorities.</p>

<div class="tip">

<p>If you are on Debian, Ubuntu, or Linux Mint, you can install the
<code>debian-keyring</code> package which contains the OpenPGP keys of
all Debian developers. Some Debian developers have certified the Tails
signing key and you can use these certifications to build a trust path.
This technique is explained in detail in our instructions on
[[installing Tails from Debian, Ubuntu, or Linux Mint using the command
line|install/expert/usb]].</p>

</div>

<p>Relying on the Web of Trust requires both caution and intelligent supervision
by the users. The technical details are outside of the scope of this document.</p>

<p>Since the Web of Trust is based on actual human relationships and
real-life interactions, it is best to get in touch with people
knowledgeable about OpenPGP and build trust relationships in order to
find your own trust path to the Tails signing key.</p>

<p>For example, you can start by contacting a local [[!wikipedia Linux_User_Group]],
[[an organization offering Tails training|support/learn]], or other Tails
enthusiasts near you and exchange about their OpenPGP practices.</p>

<div class="tip">

<p>After you build a trust path, you can certify the Tails signing key by
signing it with your own key to get rid of some warnings during the
verification process.</p>

</div>

"""]]

</div>