openpgp.mdwn 8.15 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
[[!meta title="Download and verify using OpenPGP"]]

These instructions are for people who are already familiar with basic
usage of OpenPGP and have *GPG* installed but might need guidance on
performing the verification.

1. Download the latest [Tails ISO image](https://tails.boum.org/torrents/files/latest.iso)
   (<span class="remove-extra-space">[[!inline pages="inc/stable_i386_iso_size" raw="yes"]]</span>).

1. Download the [OpenPGP signature](https://tails.boum.org/torrents/files/latest.iso.sig)
   of the latest Tails ISO image and save it to the same folder where
   you saved the ISO image.

1. If you are doing the verification for the first time, download the
   [[Tails signing key|tails-signing.key]] and import it in your keyring.
   If you are working from Tails, the signing key is already included.

   All our ISO images are signed with the same signing key, so you only
   have to import it once. Still, you have to verify the ISO image every
   time you download a new one.
21

sajolida's avatar
sajolida committed
22
23
24
25
26
27
28
29
30
   <div class="tip">
   <p>This download of the Tails signing key is protected using HTTPS.
   But you could still download a malicious signing key if our website is
   compromised or if you are victim of a [[man-in-the-middle
   attack|doc/about/warning#man-in-the-middle]].</p>

   <p>For additional verification, you can <a href="#wot">authenticate
   the signing key through the OpenPGP Web of Trust</a>.</p>
   </div>
31

sajolida's avatar
sajolida committed
32
33
[[!inline pages="doc/get/signing_key_transition.inline" raw="yes"]]

sajolida's avatar
sajolida committed
34
35
36
37
38
39
40
41
42
43
Verify the ISO image
====================

This section provides simplified instructions:

  - <a href="#windows">In Windows with <span class="application">Gpg4win</span></a>
  - <a href="#mac">In Mac OS X with <span class="application">GPGTools</span></a>
  - <a href="#tails">In Tails</a>
  - <a href="#command-line">Using the command line</span></a>

44
45
46
47
48
49
50
51
52
<div class="caution">

<p>As explained above in step 3, this simple OpenPGP verification
provides a level of verification equivalent to HTTPS, like the [[Firefox
extension or BitTorrent|install/download]], unless you also
<a href="#wot">authenticate the signing key through the OpenPGP Web of Trust</a>.</p>

</div>

53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
<a id="windows"></a>

### In Windows with <span class="application">Gpg4win</span>

See the [[<span class="application">Gpg4win</span> documentation on
verifying signatures|http://www.gpg4win.org/doc/en/gpg4win-compendium_24.html#id4]].

Verify the date of the signature to make sure that you downloaded the latest version.

If the following warning appears:

<pre>
Not enough information to check the signature validity.
Signed on ... by tails@boum.org (Key ID: 0x58ACD84F
The validity of the signature cannot be verified.
</pre>

Then the ISO image is still correct according to the signing key that you
downloaded. To remove this warning you need to <a href="#wot">authenticate the
signing key through the OpenPGP Web of Trust</a>.

<a id="mac"></a>

### In Mac OS X using <span class="application">GPGTools</span>

1. Open <span class="application">Finder</span> and navigate to the
   folder where you saved the ISO image and the signature.

1. Right-click on the ISO image and choose
   <span class="guimenuchoice">
     <span class="guisubmenu">Services</span> ▸
     <span class="guimenuitem">OpenPGP: Verify Signature of File</span></span>.

sajolida's avatar
sajolida committed
86
87
<a id="tails"></a>

sajolida's avatar
sajolida committed
88
### In Tails
89

90
91
1. Open the file browser and navigate to the folder where you saved the
   ISO image and the signature.
92

93
94
1. Right-click on the signature and choose <span class="guimenuitem">Open With
   Verify Signature</span>.
95

96
1. The verification of the ISO image starts automatically:
97

98
99
100
101
102
103
104
105
106
   [[!img install/inc/screenshots/verifying_in_tails.png link="no"]]

1. After the verification finishes, click on the notification counter in
   the bottom-right corner and on the notification with a transparent
   background on the right of the notification area:

   [[!img install/inc/screenshots/notification_in_tails.png link="no"]]

   Verify the date of the signature to make sure that you downloaded the latest version.
107

sajolida's avatar
sajolida committed
108
109
<a id="command-line"></a>

sajolida's avatar
sajolida committed
110
### Using Linux with the command line
111

112
113
1. Open a terminal and navigate to the folder where you saved the ISO
   image and the signature.
114

115
1. Execute:
116

117
   <p class="pre">[[!inline pages="inc/stable_i386_gpg_verify" raw="yes"]]</p>
118

119
   The output of this command should be the following:
120

121
   <p class="pre">[[!inline pages="inc/stable_i386_gpg_signature_output" raw="yes"]]</p>
122

123
   Verify the date of the signature to make sure that you downloaded the latest version.
124

125
   If the output also includes:
126

127
128
129
   <pre>
   gpg: WARNING: This key is not certified with a trusted signature!
   gpg:          There is no indication that the signature belongs to the owner.</pre>
130

131
132
133
   Then the ISO image is still correct according to the signing key that you
   downloaded. To remove this warning you need to <a href="#wot">authenticate
   the signing key through the OpenPGP Web of Trust</a>.
134

sajolida's avatar
sajolida committed
135
136
<a id="wot"></a>

sajolida's avatar
sajolida committed
137
138
Authenticate the signing key through the OpenPGP Web of Trust
=============================================================
139

sajolida's avatar
sajolida committed
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
The verification techniques presented until now ([[Firefox extension,
BitTorrent|download/install]], or OpenPGP verification) all rely on some
information being securely downloaded using HTTPS from our website:

  - The *checksum* for the Firefox extension
  - The *Torrent file* for BitTorrent
  - The *Tails signing key* for the OpenPGP verification

But, while doing so, you could download malicious information if our
website is compromised or if you are victim of a [[man-in-the-middle
attack|doc/about/warning#man-in-the-middle]].

The OpenPGP verification allows you to verify the ISO image even better
by also authenticating the Tails signing key through the OpenPGP Web of
Trust, without having to trust your download.
155

sajolida's avatar
sajolida committed
156
157
158
159
160
161
162
163
164
<div class="note">

<p>If you are verifying an ISO image from inside Tails already, for
example to do a manual upgrade, then the Tails signing key is already
included in Tails. You can trust it as much as you are trusting your
Tails installation already because you are not downloading it.</p>

</div>

165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
One of the inherent problems of standard HTTPS is that the trust we usually put
on a website is defined by certificate authorities: a hierarchical and closed
set of companies and governmental institutions approved by web browser vendors.
This model of trust has long been criticized and proved several times to be
vulnerable to attacks [[as explained on our warning
page|about/warning#man-in-the-middle]].

We believe instead that users should be given the final say when trusting a
website, and that designation of trust should be done on the basis of human
interaction.

The OpenPGP [[!wikipedia Web_of_Trust desc="Web of Trust"]] is a decentralized
trust model based on OpenPGP keys. Let's see that with an example.

*You're a friend of Alice and really trust her way of managing OpenPGP keys.
You're trusting Alice's key.*

*Furthermore, Alice met Bob, a Tails developer, in a conference, and signed
Bob's key. Alice is trusting Bob's key.*

*Bob is a Tails developer who directly owns the Tails signing key. Bob fully
trusts Tails signing key.*

This scenario creates a trust path from you to Tails signing key that could
allow you to trust it without having to depend on certificate authorities.

This trust model is not perfect either and requires both caution and intelligent
supervision by users. The technical details of creating, managing and trusting
OpenPGP keys is outside of the scope of this document.

We also acknowledge that not everybody might be able to create good trust path
to Tails signing key since it based on a network of direct human relationships
and the knowledge of quite complex tools such as OpenPGP.

# Further reading on OpenPGP

- [[!wikipedia GnuPG desc="Wikipedia: %s"]], a free OpenPGP software
- [[Apache: How To OpenPGP|http://www.apache.org/dev/openpgp.html]]
- [[Debian: Keysigning|http://www.debian.org/events/keysigning]], a
  tutorial on signing keys of other people
- [[rubin.ch: Explanation of the web of trust of PGP|http://www.rubin.ch/pgp/weboftrust.en.html]]
- [[Gpg4win: Certificate
  inspection|http://www.gpg4win.org/doc/en/gpg4win-compendium_16.html]],
  instructions to manage key trust with Gpg4win
- <!-- l10n placeholder for language-specific link -->