Merge branch 'doc/15999-integrate-usb-image-in-the-release-process' into feature/15292-usb-image

The follow-up fixes after the review of this branch were pushed but not reviewed yet. Regardless, we need this branch merged so that 3.12~rc1 can be prepared. refs: #15999

Merge branch 'doc/15999-integrate-usb-image-in-the-release-process' into feature/15292-usb-image
The follow-up fixes after the review of this branch were pushed but not reviewed yet. Regardless, we need this branch merged so that 3.12~rc1 can be prepared. refs: #15999
6a79c74a · intrigeri · 73afff29 · 57d3c93f · 6a79c74a · 6a79c74a
Commit 6a79c74a authored Jan 14, 2019 by intrigeri
--- a/bin/idf-content
+++ b/bin/idf-content
@@ -27,32 +27,30 @@ def target_file_url(channel, filename):
    }

 def idf_content(build_target, channel, product_name, version, img, iso):
-    installation_paths = [
-        {
-            'type': 'iso',
-            'target-files': [{
-                'url':    target_file_url(channel, iso),
-                'sha256': sha256_file(iso),
-                'size':   Path(iso).stat().st_size,
-            }],
-        },
-    ]
-    if img is not None:
-        installation_paths += {
-            'type': 'img',
-            'target-files': [{
-                'url':    target_file_url(channel, img),
-                'sha256': sha256_file(img),
-                'size':   Path(img).stat().st_size,
-            }],
-        }
    return to_json({
        'build_target':  build_target,
        'channel':       channel,
        'product-name':  product_name,
        'installations': [{
            'version': version,
-            'installation-paths': installation_paths,
+            'installation-paths': [
+                {
+                    'type': 'img',
+                    'target-files': [{
+                        'url':    target_file_url(channel, img),
+                        'sha256': sha256_file(img),
+                        'size':   Path(img).stat().st_size,
+                    }],
+                },
+                {
+                    'type': 'iso',
+                    'target-files': [{
+                        'url':    target_file_url(channel, iso),
+                        'sha256': sha256_file(iso),
+                        'size':   Path(iso).stat().st_size,
+                    }],
+                },
+            ],
        }],
    })

@@ -64,7 +62,7 @@ if __name__ == '__main__':
    parser.add_argument('--product-name', dest='product_name', default='Tails')
    parser.add_argument('--version', default=None, required=True,
                        help='Version of Tails .')
-    parser.add_argument('--img', default=None,
+    parser.add_argument('--img', default=None, required=True,
                        help='Path to the USB image.')
    parser.add_argument('--iso', default=None, required=True,
                        help='Path to the ISO file.')

--- a/wiki/src/contribute/build/reproducible.mdwn
+++ b/wiki/src/contribute/build/reproducible.mdwn
@@ -19,8 +19,8 @@ What are reproducible builds?

 (Quoted from <https://reproducible-builds.org>)

-Tails ISO images should be reproducible: everybody who
-builds the ISO should be able to obtain the exact same resulting ISO
+Tails ISO and USB images should be reproducible: everybody who
+builds one of them should be able to obtain the exact same resulting
 image from a given Git tag.

 Why is it important?
@@ -28,8 +28,8 @@ Why is it important?

 Reproducibility increases confidence in the value of our continuous
 quality assurance processes as well as the trust that users, and anyone
-interested can put into our released build products (such as ISO images)
-and our development and release process.
+interested can put into our released build products (such as ISO and USB
+images) and our development and release process.

 Reproducible builds help [detect
 bugs](https://reproducible-builds.org/docs/buy-in/) and ensure that
@@ -43,54 +43,57 @@ developers](https://reproducible-builds.org/docs/buy-in/), improves
 users' security, and allows developers to sleep better at night (as the
 incentive for an attacker to compromise developers' systems, or to
 compromise developers themselves, is lowered). In turn, this avoids the
-need to trust people (or software) who build the ISO we release, which
-in turn allows more people to get involved in release management work.
+need to trust people (or software) who build the ISO and USB images we
+release, which in turn allows more people to get involved in release
+management work.

-Release managers do not have to upload the ISO image anymore when they
+Release managers do not have to upload the ISO and USB images anymore when they
 do a release: they can  instead build it both on our infrastructure
 (Jenkins) and locally and compare the outputs: if they match, one can
-publish the ISO built by Jenkins. Uploading an ISO can take many hours
+publish the ISO and USB images built by Jenkins. Uploading the ISO and USB
+images can take many hours
 with some commonly found means of accessing the Internet, so removing
 the need to go through this step decreases our time to remediation for
 fixing security issues, and makes it easier for developers with poor
 access to the Internet to take care of a release.

-Build and compare a Tails ISO image
-===================================
+Build and compare Tails ISO and USB images
+==========================================

-Build a Tails ISO image
-----------------------
+Build Tails ISO and USB images
+------------------------------

 See the [[build instructions|contribute/build]].

 <a id="verify-iso"></a>
-How do I verify the ISO I have built against the official one?
--------------------------------------------------------------
+How do I verify the image I have built against the official one?
+----------------------------------------------------------------

-You can verify that the ISO image you have built is identical to the
+You can verify that the image you have built is identical to the
 official one we published either with OpenPGP or with a checksum.

 ### Verify with OpenPGP

-When you reproducibly build our ISO you should obtain a file that is
-exactly the same as the official Tails ISO image, thus, *our* signature
-should be able to verify *your* ISO for you.
+When you reproducibly build our image you should obtain a file that is
+exactly the same as the official Tails image, thus, *our* signature
+should be able to verify *your* image for you.

 [[Download and verify our OpenPGP signature|/install/download#openpgp]]
-against your own ISO image.
+against your own ISO or USB image.

 ### Verify with a checksum

-To verify that the ISO image you have built is identical as the
+To verify that the ISO or USB image you have built is identical as the
 official one:

-1. Compute the checksum of your ISO image by executing the following
-   command on it:
+1. Compute the checksum of your image by executing one of the following
+   commands on it:

        sha256sum yourimage.iso
+        sha256sum yourimage.img

-2. Compare the SHA-256 checksum of your ISO image with the one found
-   in the official [ISO description file](https://tails.boum.org/install/v2/Tails/amd64/stable/latest.json).
+2. Compare the SHA-256 checksum of your images with the ones found
+   in the official [image description file](https://tails.boum.org/install/v2/Tails/amd64/stable/latest.json).

 Build and compare a Tails upgrade (IUK)
 =======================================

--- a/wiki/src/contribute/design/incremental_upgrades.mdwn
+++ b/wiki/src/contribute/design/incremental_upgrades.mdwn
@@ -19,7 +19,7 @@ should provide an automated way of doing the upgrade.
 * **Incremental Upgrade Kit (IUK)**: a file that contains everything
  needed to upgrade from.
 * **full image**: a file that is sufficient to install and run Tails
-  (currently, that means an ISO image).
+  (currently, that means an ISO or USB image).
 * **target files**: the whole set of files included by reference into
  an upgrade; e.g. this may be an IUK or a full image.


--- a/wiki/src/contribute/release_process.mdwn
+++ b/wiki/src/contribute/release_process.mdwn
@@ -323,7 +323,7 @@ Then, gather other useful information from:
 * every custom bundled package's own Changelog (Greeter, Persistent
  Volume Assistant, etc.);
 * the diff between the previous version's `.packages` file and the one
-  from the to-be-released ISO; look for:
+  from the to-be-released images; look for:
  - security fixes
  - new upstream releases of applications mentioned in [[doc/about/features]]
  - new upstream releases of other important components such as the
@@ -362,7 +362,18 @@ matches the date of the future signature.

 	echo "${VERSION:?}"      > wiki/src/inc/stable_amd64_version.html
 	echo -n "${RELEASE_DATE:?}" > wiki/src/inc/stable_amd64_date.html
-	${EDITOR:?} wiki/src/inc/*.html
+	for type in img iso; do
+	   basename="tails-amd64-${VERSION:?}"
+	   filename="${basename:?}.${type:?}"
+	   echo "gpg --no-options --keyid-format long --verify ${filename:?}.sig ${filename:?}" \
+	        > wiki/src/inc/stable_amd64_${type:?}_gpg_verify.html && \
+	   echo "http://dl.amnesia.boum.org/tails/stable/${basename:?}/${filename:?}" \
+	        > wiki/src/inc/stable_amd64_${type:?}_url.html
+	   echo "https://tails.boum.org/torrents/files/${filename:?}.sig" \
+	        > wiki/src/inc/stable_amd64_${type:?}_sig_url.html
+	   echo "https://tails.boum.org/torrents/files/${filename:?}.torrent" \
+	        > wiki/src/inc/stable_amd64_${type:?}_torrent_url.html
+	done
 	./build-website
 	git commit wiki/src/inc/ -m "Update version and date for ${VERSION:?}."

@@ -432,10 +443,9 @@ signatures, like the defaults we set in Tails:
 Build the almost-final image
 ============================

-1. [[Build an ISO image|contribute/build]] from the release branch.
+1. [[Build ISO and USB images|contribute/build]] from the release branch.
 2. Carefully read the build logs to make sure nothing bad happened.
-3. Keep at least the resulting ISO image and the manifest of needed
-   packages until the end of this release process.
+3. Keep the resulting build artifacts until the end of this release process.
 4. Record where the manifest of needed packages is stored:

        export PACKAGES_MANIFEST=XXX ; \
@@ -501,8 +511,8 @@ Better catch this before people spend time doing manual tests.
 SquashFS file order
 -------------------

-1. Burn the almost final ISO image to a DVD.
-1. Boot this DVD **on bare metal**.
+1. Install the almost final USB image to a USB stick.
+1. Boot this USB stick **on bare metal**.
 1. Add `profile` to the kernel command-line.
 1. Login.
 1. Wait for the "Tor is ready" notification.
@@ -570,18 +580,18 @@ suite should be ready, so it is time to:


 1. <a id="reproducibility-sanity-check-iso"></a>
-   Let's sanity check that Jenkins reproduced your image.
+   Let's sanity check that Jenkins reproduced your images.

   Visit the URL printed by this command:

       echo "https://jenkins.tails.boum.org/job/build_Tails_ISO_${RELEASE_BRANCH}/"

   Find the job (probably the last one)
-   and make sure the image built by Jenkins:
+   and make sure the ISO and USB images built by Jenkins:

-   - was built from the correct Git commit
-   - has the same file size as the image you built
-   - has the same hash (in the `.shasum` file) as the image you built
+   - were built from the correct Git commit
+   - have the same file size as the images you built
+   - have the same hash (in the `.shasum` file) as the images you built

   Then:

@@ -604,6 +614,8 @@ suite should be ready, so it is time to:
                  path/to/your/tails-amd64-${VERSION:?}.iso \
                  path/to/jenkins/tails-amd64-${VERSION:?}.iso

+     Do the same for the USB image as well.
+
     Then carefully investigate the `diffoscope` report:

       - If you cannot rule out that the difference is harmful: let's take
@@ -646,7 +658,7 @@ suite should be ready, so it is time to:
        git checkout -b "${WEBSITE_RELEASE_BRANCH:?}" "${TAG:?}" && \
        git push -u origin "${WEBSITE_RELEASE_BRANCH:?}"

-   (as soon as a new commit is created on `$RELEASE_BRANCH`, its ISO
+   (as soon as a new commit is created on `$RELEASE_BRANCH`, its
   build will start failing until a new changelog entry is created,
   which we don't want to do on `$RELEASE_BRANCH` before it's merged
   into `master` at release time)
@@ -661,24 +673,28 @@ image and with a `.sig` extension), then go up to the parent
 directory, create a `.torrent` file and check the generated `.torrent`
 files metadata:

-	mkdir "${ISOS:?}/tails-amd64-${VERSION:?}" && \
-	cd "${ISOS:?}/tails-amd64-${VERSION:?}" && \
-	mv "${ARTIFACTS:?}/tails-amd64-${VERSION:?}.iso" \
-	   "${ISOS:?}/tails-amd64-${VERSION:?}/" && \
-	gpg --armor --default-key "${TAILS_SIGNATURE_KEY:?}" --detach-sign *.iso && \
-	rename 's,\.asc$,.sig,' *.asc && \
-	cd .. && \
-	mktorrent \
-	  -a 'udp://tracker.torrent.eu.org:451' \
-	  -a 'udp://tracker.coppersurfer.tk:6969'   \
-	  "tails-amd64-${VERSION:?}" && \
-	transmission-show tails-amd64-${VERSION:?}.torrent
+	for type in iso img ; do
+	   mkdir "${ISOS:?}/tails-amd64-${VERSION:?}.${type:?}" && \
+	   cd "${ISOS:?}/tails-amd64-${VERSION:?}.${type:?}" && \
+	   mv "${ARTIFACTS:?}/tails-amd64-${VERSION:?}.${type:?}" . && \
+	   gpg --armor --default-key "${TAILS_SIGNATURE_KEY:?}" --detach-sign *".${type:?}" && \
+	   rename 's,\.asc$,.sig,' *.asc && \
+	   cd .. && \
+	   mktorrent \
+	      -a 'udp://tracker.torrent.eu.org:451'   \
+	      -a 'udp://tracker.coppersurfer.tk:6969' \
+	      "tails-amd64-${VERSION:?}.${type:?}" && \
+	   transmission-show tails-amd64-${VERSION:?}.${type:?}.torrent
+	done

 Lastly, let's set some variables to be used later:

-    ISO_PATH="${ISOS:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.iso"
+    ISO_PATH="${ISOS:?}/tails-amd64-${VERSION:?}.iso/tails-amd64-${VERSION:?}.iso"
    ISO_SHA256SUM="$(sha256sum "${ISO_PATH:?}" | cut -f 1 -d ' ' | tr -d '\n')"
    ISO_SIZE_IN_BYTES="$(stat -c %s "${ISO_PATH:?}")"
+    IMG_PATH="${ISOS:?}/tails-amd64-${VERSION:?}.img/tails-amd64-${VERSION:?}.img"
+    IMG_SHA256SUM="$(sha256sum "${IMG_PATH:?}" | cut -f 1 -d ' ' | tr -d '\n')"
+    IMG_SIZE_IN_BYTES="$(stat -c %s "${IMG_PATH:?}")"

 <a id="prepare-iuk"></a>

@@ -720,8 +736,8 @@ and run the following:
          PERL5LIB=\"${PERL5LIB_CHECKOUT:?}/lib\" \
            ./bin/tails-create-iuk \
               --squashfs-diff-name \"${VERSION:?}.squashfs\"           \
-               --old-iso \"${ISOS:?}/tails-amd64-${source_version:?}/tails-amd64-${source_version:?}.iso\" \
-               --new-iso \"${ISOS:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.iso\"          \
+               --old-iso \"${ISOS:?}/tails-amd64-${source_version:?}.iso/tails-amd64-${source_version:?}.iso\" \
+               --new-iso \"${ISOS:?}/tails-amd64-${VERSION:?}.iso/tails-amd64-${VERSION:?}.iso\"          \
               --outfile \"${ISOS:?}/Tails_amd64_${source_version:?}_to_${VERSION:?}.iuk\""
    done

@@ -872,8 +888,8 @@ Prepare upgrade-description files
        )


-Prepare the ISO description file for *Tails Verification*
---------------------------------------------------------
+Prepare the image description file for *Tails Verification*
+-----------------------------------------------------------

 If preparing a RC, skip this part.

@@ -883,19 +899,8 @@ Update the image description file (IDF) used by the browser extension:
       --version "${VERSION:?}" \
       --iso "${ISO_PATH:?}" \
       > "${RELEASE_CHECKOUT:?}"/wiki/src/install/v2/Tails/amd64/stable/latest.json && \
-    cat > "${RELEASE_CHECKOUT:?}"/wiki/src/install/v1/Tails/amd64/stable/latest.yml <<EOF
-    ---
-    build-target: amd64
-    channel: stable
-    product-name: Tails
-    version: '${VERSION:?}'
-    target-files:
-    - sha256: ${ISO_SHA256SUM}
-      size: ${ISO_SIZE_IN_BYTES:?}
-      url: http://dl.amnesia.boum.org/tails/stable/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.iso
-    EOF
    ( cd "${RELEASE_CHECKOUT:?}" && \
-      git add wiki/src/install/v{1,2}/Tails/amd64/stable/latest.* && \
+      git add wiki/src/install/v2/Tails/amd64/stable/latest.json && \
      git commit -m "Update IDF file for Tails Verification." )

 Done with OpenPGP signing
@@ -927,8 +932,8 @@ above).

 <a id="publish-iuk"></a>

-Publish the ISO and IUKs over HTTP
----------------------------------
+Publish the ISO, IMG, and IUKs over HTTP
+----------------------------------------

 Upload the IUKs to our rsync server:

@@ -940,17 +945,17 @@ Upload the IUKs to our rsync server:

 While waiting for the IUKs to be uploaded, you can proceed with the next steps.

-Upload the ISO signature to our rsync server:
+Upload the ISO and USB image signatures to our rsync server:

-    scp "${ISO_PATH:?}.sig" rsync.lizard:
+    scp "${ISO_PATH:?}.sig" "${IMG_PATH:?}.sig" rsync.lizard:

-Pick a build from `$RELEASE_BRANCH` that produced an ISO identical to
-the one you've built locally (`XXX` must be the job ID, i.e.
+Pick a build from `$RELEASE_BRANCH` that produced identical ISO and USB images
+to the ones you've built locally (`XXX` must be the job ID, i.e.
 an integer):

    MATCHING_JENKINS_BUILD_ID=XXX

-Copy the ISO to our rsync server, verify its signature,
+Copy the ISO and USB images to our rsync server, verify their signature,
 move them in place with proper ownership and permissions
 and update the time in `project/trace` file on our rsync server
 and on the live website (even for a release candidate):
@@ -959,16 +964,18 @@ and on the live website (even for a release candidate):
       | ssh rsync.lizard gpg --import
    ssh rsync.lizard << EOF
       wget \
-          "https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.iso" && \
-       gpg --verify tails-amd64-${VERSION:?}.iso{.sig,}
+          "https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.iso" \
+          "https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.img" && \
+       gpg --verify tails-amd64-${VERSION:?}.iso{.sig,} && \
+       gpg --verify tails-amd64-${VERSION:?}.img{.sig,}
    EOF

    ssh rsync.lizard << EOF
      sudo install -o root -g rsync_tails -m 0755 -d \
         /srv/rsync/tails/tails/${DIST:?}/tails-amd64-${VERSION:?} && \
-      sudo chown root:rsync_tails tails-amd64-${VERSION:?}.iso* && \
-      sudo chmod u=rwX,go=rX tails-amd64-${VERSION:?}.iso* && \
-      sudo mv tails-amd64-${VERSION:?}.iso* \
+      sudo chown root:rsync_tails tails-amd64-${VERSION:?}.{iso,img}* && \
+      sudo chmod u=rwX,go=rX tails-amd64-${VERSION:?}.{iso,img}* && \
+      sudo mv tails-amd64-${VERSION:?}.{iso,img}* \
              /srv/rsync/tails/tails/${DIST:?}/tails-amd64-${VERSION:?}
    EOF

@@ -1009,7 +1016,7 @@ candidate):
 ## Announce, seed and test the Torrent

 Check if there's enough space on our Bittorrent seed to import the new
-ISO:
+ISO and USB images:

    ssh bittorrent.lizard df -h /var/lib/transmission-daemon/downloads

@@ -1029,42 +1036,45 @@ Now you can announce and seed the Torrent for the release you're preparing:

    cat "${RELEASE_CHECKOUT:?}/wiki/src/tails-signing.key" \
       | ssh bittorrent.lizard gpg --import
-    scp \
-       "${ISOS:?}/tails-amd64-${VERSION:?}.torrent" \
-       "${ISO_PATH:?}.sig" \
-       bittorrent.lizard: && \
-    ssh bittorrent.lizard << EOF
-       mkdir --mode 0755 "tails-amd64-${VERSION:?}" && \
-       mv "tails-amd64-${VERSION:?}.iso.sig" \
-          "tails-amd64-${VERSION:?}/" && \
-       cd "tails-amd64-${VERSION:?}" && \
-       wget \
-          "https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.iso" && \
-       gpg --verify tails-amd64-${VERSION:?}.iso{.sig,} && \
-       cd && \
-       chgrp -R debian-transmission "tails-amd64-${VERSION:?}" && \
-       chmod -R go+rX,g+w "tails-amd64-${VERSION:?}" && \
-       mv \
-          "tails-amd64-${VERSION:?}" \
-          /var/lib/transmission-daemon/downloads/ && \
-       transmission-remote --add tails-amd64-${VERSION:?}.torrent \
-                           --find /var/lib/transmission-daemon/downloads/
+    for type in iso img ; do
+       image_filename="tails-amd64-${VERSION:?}.${type:?}"
+       scp \
+          "${ISOS:?}/${image_filename:?}.torrent" \
+          "${ISOS:?}/${image_filename:?}/${image_filename:?}.sig" \
+          bittorrent.lizard: && \
+       ssh bittorrent.lizard << EOF
+          mkdir --mode 0755 "${image_filename:?}" && \
+          mv "${image_filename:?}.sig" \
+             "${image_filename:?}/" && \
+          cd "${image_filename:?}" && \
+          wget \
+             "https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_BUILD_ID:?}/archive/build-artifacts/${image_filename:?}" && \
+          gpg --verify ${image_filename:?}{.sig,} && \
+          cd && \
+          chgrp -R debian-transmission "${image_filename:?}" && \
+          chmod -R go+rX,g+w "${image_filename:?}" && \
+          mv \
+             "${image_filename:?}" \
+             /var/lib/transmission-daemon/downloads/ && \
+          transmission-remote --add ${image_filename:?}.torrent \
+                              --find /var/lib/transmission-daemon/downloads/
+    done
    EOF

-Test that you can start downloading the ISO with a BitTorrent client.
+Test that you can start downloading the ISO and USB images with a BitTorrent client.

 ISO history
 -----------

-Push the released ISO and its artifacts (`.iso.buildlog`, `.build-manifest`, and `.packages` files) to our Tails ISO history git-annex repo, so that
-our isotesters can fetch it from there for their testing. How to do so
+Push the released ISO and USB images and their artifacts (`.buildlog`, `.build-manifest`, and `.packages` files) to our Tails ISO history git-annex repo, so that
+our isotesters can fetch them from there for their testing. How to do so
 is described in the `ISO_history.mdwn` document in the RM team's Git repo.

 Testing
 =======

 1. Using `check-mirrors`, choose a fast mirror that already has the
-   tentative ISO. E.g. <https://mirrors.kernel.org/tails/> or
+   tentative ISO and USB images. E.g. <https://mirrors.kernel.org/tails/> or
   <https://mirrors.wikimedia.org/tails/> are reliable and have plenty
   of bandwidth.

@@ -1073,7 +1083,7 @@ Testing
            tails-amd64-${VERSION:?}

 1. Email <tails-testers@boum.org> to ask them to test the tentative
-   ISO, pointing them to the up-to-date mirror you've found previously.
+   ISO and USB images, pointing them to the up-to-date mirror you've found previously.
 1. Email <tails@boum.org> and potential contributors (see
   `manual_testers.mdwn` in the internal Git repository) that tests
   may start:
@@ -1109,19 +1119,26 @@ Skip this part if preparing a RC.
 Rename, copy, garbage collect and update various files:

 	cp "${ISO_PATH:?}.sig" \
+	   "${IMG_PATH:?}.sig" \
 	   "${ARTIFACTS:?}/tails-amd64-${VERSION:?}.build-manifest" \
 	   "${ARTIFACTS:?}/tails-amd64-${VERSION:?}.packages" \
 	   "${ISOS:?}/tails-amd64-${VERSION:?}.torrent" \
 	   "${RELEASE_CHECKOUT:?}/wiki/src/torrents/files/" && \
 	git rm \
-	   "${RELEASE_CHECKOUT:?}/wiki/src/torrents/files/tails-amd64-${PREVIOUS_VERSION:?}."{build-manifest,iso.sig,packages,torrent} && \
+	   "${RELEASE_CHECKOUT:?}/wiki/src/torrents/files/tails-amd64-${PREVIOUS_VERSION:?}."{build-manifest,iso.sig,img.sig,packages,torrent} && \
 	LC_NUMERIC=C ls -l -h ${ISO_PATH:?} | \
 	   cut -f 5 -d ' ' | sed -r 's/(.+)([MG])/\1 \2B/' \
 	   > "${RELEASE_CHECKOUT:?}/wiki/src/inc/stable_amd64_iso_size.html" && \
+	LC_NUMERIC=C ls -l -h ${IMG_PATH:?} | \
+	   cut -f 5 -d ' ' | sed -r 's/(.+)([MG])/\1 \2B/' \
+	   > "${RELEASE_CHECKOUT:?}/wiki/src/inc/stable_amd64_img_size.html" && \
    gpg --check-trustdb && \
    LANG=C TZ=UTC gpg --no-options --keyid-format long --verify "${ISO_PATH:?}.sig" "${ISO_PATH:?}" 2>&1 | \
 	   sed 's/ /\&nbsp;/g;s/</\&lt;/;s/>/\&gt;/;s/$/<br\/>/g' > \
-	   "${RELEASE_CHECKOUT:?}/wiki/src/inc/stable_amd64_gpg_signature_output.html"
+	   "${RELEASE_CHECKOUT:?}/wiki/src/inc/stable_amd64_iso_gpg_signature_output.html" && \
+    LANG=C TZ=UTC gpg --no-options --keyid-format long --verify "${IMG_PATH:?}.sig" "${IMG_PATH:?}" 2>&1 | \
+	   sed 's/ /\&nbsp;/g;s/</\&lt;/;s/>/\&gt;/;s/$/<br\/>/g' > \
+	   "${RELEASE_CHECKOUT:?}/wiki/src/inc/stable_amd64_img_gpg_signature_output.html"

        XXX: Adapt this section to generate:

@@ -1150,8 +1167,8 @@ Write an announcement listing the security bugs affecting the previous
 version in
 `wiki/src/security/Numerous_security_holes_in_${PREVIOUS_VERSION:?}.mdwn`
 in order to let the users of the old versions
-know that they have to upgrade. Date it a few days before the ISO
-image to be released was *built*. Including:
+know that they have to upgrade. Date it a few days before the
+images to be released were *built*. Including:

 - if we are not shipping Linux from Debian stable, the list of
  CVE fixed in Linux since the one shipped in the previous release of
@@ -1172,11 +1189,12 @@ If preparing a release candidate

 Skip this part if preparing a final release.

-Copy the signature and the Torrent into the website repository:
+Copy the signatures and the Torrent into the website repository:

 	cp "${ISO_PATH:?}.sig" \
+	   "${IMG_PATH:?}.sig" \
 	   "${ISOS:?}/tails-amd64-${VERSION:?}.torrent" \
-	      "${RELEASE_CHECKOUT:?}/wiki/src/torrents/files/"
+	   "${RELEASE_CHECKOUT:?}/wiki/src/torrents/files/"

 Write the announcement for the release in
 `${RELEASE_CHECKOUT:?}/wiki/src/news/test_${TAG:?}.mdwn`, including:
@@ -1214,7 +1232,7 @@ Go wild!
 Wait for the HTTP mirrors to catch up
 -------------------------------------

-Test downloading the ISO and IUK over HTTP.
+Test downloading the ISO, USB image, and IUK over HTTP.

 Make sure every active mirror in the pool has the new version:


--- a/wiki/src/contribute/release_process/test.mdwn
+++ b/wiki/src/contribute/release_process/test.mdwn
@@ -18,19 +18,19 @@ many safeguards against releasing crap.

 Compare the to-be-released source code with previous version's one e.g.:

-Boot the candidate ISO and find the commit it was build from with the
+Boot the candidate image and find the commit it was build from with the
 `tails-version` command.

 Then, from the source tree, see the diff:

-	git diff --find-renames <old ISO commit>..<ISO commit>
+	git diff --find-renames <old image commit>..<candidate image commit>

 e.g. `git diff --find-renames 334e1c485a3a79be9fff899d4dc9d2db89cdc9e1..cfbde80925fdd0af008f10bc90c8a91a578c58e3`

 ## Result

 Compare the list of bundled packages and versions with the one shipped last
-time. `.packages` are usually attached to the email announcing the ISO is ready.
+time. `.packages` are usually attached to the email announcing the image is ready.

 	/usr/bin/diff -u \
 	    wiki/src/torrents/files/tails-amd64-3.1.packages \
@@ -48,11 +48,12 @@ Check the output for:

 ## Image size

-Check the image size has not changed much since the last release.
+Check the images size has not changed much since the last release.

-In a directory with many Tails ISO images:
+In a directory with many Tails ISO and USB images:

-    find -iname "tails*.iso" -exec ls -lh '{}' \; | sort -rhk 5
+    find \( -iname "tails*.iso" -o -iname "tails*.img" \) \
+	     -exec ls -lh '{}' \; | sort -rhk 5

 <a id="reproducibility-final-check"></a>

@@ -60,7 +61,7 @@ In a directory with many Tails ISO images:

 This section can **not** be done by the RM.

-1. Download the ISO and all the
+1. Download the ISO and USB images plus all the
   [IUKs](https://mirrors.wikimedia.org/tails/stable/iuk/) that
   upgrade to the version you are testing.

@@ -83,7 +84,7 @@ documented on a [[dedicated page|test/automated_tests]].

 See [[test/setup]] and [[test/usage]].

-Do point `--old-iso` to the ISO of the previous stable release.
+Do point `--old-iso` to the ISO image of the previous stable release.

 ## Automated test suite migration progress

@@ -276,8 +277,8 @@ tracked by tickets prefixed with `todo/test_suite:`.
 * The goal is is to check that *Tails Verification* works in *Tor
  Browser* in the version of Tails we are testing here. *Tails
  Verification* only supports verifying the current release so for
-  example, when doing tests for the Tails 3.9 release, we use it in
-  the tentative Tails 3.9 to verify the Tails 3.8 ISO image.
+  example, when doing tests for the Tails 3.13 release, we use it in
+  the tentative Tails 3.13 to verify the Tails 3.12 ISO and USB images.

  1. Start the Tails that you are testing.

@@ -297,6 +298,8 @@ tracked by tickets prefixed with `todo/test_suite:`.

  7. The verification should be successful.

+  8. Repeat for the USB image.
+
 # Real (non-VM) hardware

 `[can't-automate]`

--- a/wiki/src/contribute/release_process/test/reproducibility.mdwn
+++ b/wiki/src/contribute/release_process/test/reproducibility.mdwn
@@ -80,7 +80,7 @@ called `SHA512SUMS.txt`.

 Set these environment variables accordingly:

-* `ISOS_CHECKOUT`: path to your Tails ISO history repo checout.
+* `ISOS_CHECKOUT`: path to your Tails ISO history repo checkout.
 <!-- * `PACKAGES_FILE="${ISOS:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.iso.packages"` -->
 * `PUBLISHED_ARTIFACTS`: some _new_ directory where you can download
  gigabytes of data to.
@@ -99,7 +99,7 @@ Set these environment variables accordingly:

 # Build your own products

-## Build your own ISO image
+## Build your own images