Commit 7d205d6c authored by sajolida's avatar sajolida
Browse files

Only explain the WoT

- The download correlation is not practical as the file of the signing
  key changes every time we update it.
- The WoT through debian-keyring is explained in /install/debian/usb
  already.
parent c1ef5fc2
......@@ -134,53 +134,27 @@ signing key through the OpenPGP Web of Trust</a>.
<a id="wot"></a>
# Trusting Tails signing key
We will present you three techniques from the easiest to the safest. Again,
none of them is a perfect and magic solution. Feel free to explore them
according to your possibilities and technical skills.
Authenticate the signing key through the OpenPGP Web of Trust
=============================================================
Note that since all Tails releases are signed with the same key, you will not
have to verify the key every time and the trust you might progressively build in
it will be built once and for all. Still, you will have to check the ISO image
every time you download a new one!
# Correlates several downloads of Tails signing key
A simple technique to increase the trust you can put in Tails signing key would
be to download it several times, from several locations, several computers,
possibly several countries, etc.
For example you could save them every time with a different name in the same
directory on a USB stick. Then run the following command from a terminal to
check whether all the keys are identical:
cd [your download directory]
diff -qs --from-file tails-signing*.key
This command would output something like this:
Files tails-signing-desktop.key and tails-signing-laptop.key are identical
Files tails-signing-desktop.key and tails-signing-library.key are identical
Files tails-signing-desktop.key and tails-signing-seattle.key are identical
You would then need to check that every line reports identical key files.
If at least a key differs from the rest, the command would output accordingly:
Files tails-signing-desktop.key and tails-signing-laptop.key are identical
Files tails-signing-desktop.key and tails-signing-library.key are identical
Files tails-signing-desktop.key and tails-signing-seattle.key differ
You could also use this technique to compare keys downloaded by your friends or
other people you trust.
# Using the OpenPGP Web of Trust
If you want to be extra cautious and really authenticate Tails signing key in a
stronger way than what standard HTTPS offers you, you will need to use the
OpenPGP Web of Trust.
<div class="note">
<p>If you are verifying an ISO image from inside Tails already, for
example to do a manual upgrade, then the Tails signing key is already
included in Tails. You can trust it as much as you are trusting your
Tails installation already because you are not downloading it.</p>
</div>
One of the inherent problems of standard HTTPS is that the trust we usually put
on a website is defined by certificate authorities: a hierarchical and closed
set of companies and governmental institutions approved by web browser vendors.
......@@ -215,106 +189,6 @@ We also acknowledge that not everybody might be able to create good trust path
to Tails signing key since it based on a network of direct human relationships
and the knowledge of quite complex tools such as OpenPGP.
<a id="debian">
# Check Tails signing key against the Debian keyring
Following the previous scenario, when Alice met Bob, a Tails developer, she
could have made a new signature on Tails signing key with her own key to certify this
trust relationship and make it public. Tails signing key would now come along
with a signature made by Alice.
Tails signing key is actually already signed by the keys of several official
developers of Debian, the operating system on which Tails is based. Debian makes
an extensive use of OpenPGP and you can download the keys of all Debian
developers by installing the <code>debian-keyring</code> package. You can then
verify the signatures those developers made with their own key on Tails signing
key.
To download the Debian keyring you can do:
sudo apt-get install debian-keyring
To get a list of the signatures made by other people on Tails signing key you
can do:
gpg --keyid-format long --list-sigs A490D0F4D311A4153E2BB7CADBB802B258ACD84F
You will get something like this:
pub 4096R/DBB802B258ACD84F 2015-01-18 [expires: 2016-01-11]
Key fingerprint = A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F
uid [ unknown] Tails developers (offline long-term identity key) <tails@boum.org>
sig 3 DBB802B258ACD84F 2015-01-18 Tails developers (offline long-term identity key) <tails@boum.org>
sig 1202821CBE2CD9C1 2015-01-19 Tails developers (signing key) <tails@boum.org>
sig BACE15D2A57498FF 2015-01-19 [User ID not found]
sig 9C31503C6D866396 2015-02-03 [User ID not found]
sig BB3A68018649AA06 2015-02-04 [User ID not found]
sig 091AB856069AAA1C 2015-02-05 [User ID not found]
sub 4096R/98FEC6BC752A3DB6 2015-01-18 [expires: 2016-01-11]
sig DBB802B258ACD84F 2015-01-18 Tails developers (offline long-term identity key) <tails@boum.org>
sub 4096R/3C83DCB52F699C56 2015-01-18 [expires: 2016-01-11]
sig DBB802B258ACD84F 2015-01-18 Tails developers (offline long-term identity key) <tails@boum.org>
The lines ending with '[User ID not found]' are signatures made by keys you
still don't have in your keyring. You could try to search for them in the Debian
keyring by their key ID: the 16 digit code between the 'sig' tag and the date.
You could for example do:
gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --list-key 9C31503C6D866396
If this signature corresponds to a key in the Debian keyring you will get
something like this:
pub 4096R/0x9C31503C6D866396 2010-09-27
Key fingerprint = 4900 707D DC5C 07F2 DECB 0283 9C31 503C 6D86 6396
uid [ unknown] Stefano Zacchiroli <zack@upsilon.cc>
uid [ unknown] Stefano Zacchiroli <zack@debian.org>
uid [ unknown] Stefano Zacchiroli <zack@cs.unibo.it>
uid [ unknown] Stefano Zacchiroli <zack@pps.jussieu.fr>
uid [ unknown] Stefano Zacchiroli <zack@pps.univ-paris-diderot.fr>
sub 4096R/0x7DFA4FED02D0E74C 2010-09-27
You can then import it in your own keyring by doing:
gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --export 9C31503C6D866396 | gpg --import
Now you can try to verify the signature made by this new key on Tails signing
key by doing:
gpg --keyid-format long --check-sigs A490D0F4D311A4153E2BB7CADBB802B258ACD84F
On the output, the status of the verification is indicated by a flag directly
following the "sig" tag. A "!" indicates that the signature has been
successfully verified, a "-" denotes a bad signature and a "%" is used if an
error occurred while checking the signature (e.g. a non supported algorithm).
For example, in the following output the signature of Stefano Zacchiroli on
Tails signing key has been successfully verified:
pub 4096R/DBB802B258ACD84F 2015-01-18 [expires: 2016-01-11]
Key fingerprint = A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F
uid [ unknown] Tails developers (offline long-term identity key) <tails@boum.org>
sig!3 DBB802B258ACD84F 2015-01-18 Tails developers (offline long-term identity key) <tails@boum.org>
sig! 1202821CBE2CD9C1 2015-01-19 Tails developers (signing key) <tails@boum.org>
sig! 9C31503C6D866396 2015-02-03 Stefano Zacchiroli <zack@upsilon.cc>
sub 4096R/98FEC6BC752A3DB6 2015-01-18 [expires: 2016-01-11]
sig! DBB802B258ACD84F 2015-01-18 Tails developers (offline long-term identity key) <tails@boum.org>
sub 4096R/3C83DCB52F699C56 2015-01-18 [expires: 2016-01-11]
sig! DBB802B258ACD84F 2015-01-18 Tails developers (offline long-term identity key) <tails@boum.org>
3 signatures not checked due to missing keys
# Get into the Web of Trust!
Since the Web of Trust is actually based on human relationships and real-life
interactions the best would be to start establishing contacts with people
knowledgeable about OpenPGP, start using it yourself and build trust
relationships in order to find your own trust path to Tails signing key.
You could start by contacting a local [[!wikipedia Linux_User_Group desc="%s"]]
or other Tails enthusiasts near you and exchange about their OpenPGP
practices.
# Further reading on OpenPGP
- [[!wikipedia GnuPG desc="Wikipedia: %s"]], a free OpenPGP software
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment