Commit f04dc73c authored by Tails developers's avatar Tails developers
Browse files

doc: Split the doc on verify the ISO to separate pages

parent 6e900e28
......@@ -26,9 +26,12 @@ as true.**
- [[First time user?|download#index1h1]]
- [[Download the ISO image|download#index2h1]]
- [[Verify the ISO image|download#index3h1]]
- [[Using Gnome: Ubuntu, Debian, Tails, Fedora, etc.|get/verify_the_iso_image_using_gnome]]
- [[Using Linux with the command line|get/verify_the_iso_image_using_the_command_line]]
- [[Using other operating systems|get/verify_the_iso_image_using_other_operating_systems]]
- [[Burn a CD or install onto a USB stick|download#index4h1]]
- [[Installing onto a USB stick, for Linux|installing_onto_a_usb_stick/linux]]
- [[Installing onto a USB stick, for Windows|installing_onto_a_usb_stick/windows]]
- [[Installing onto a USB stick, for Linux|installing_onto_a_usb_stick/linux]]
- [[Installing onto a USB stick, for Windows|installing_onto_a_usb_stick/windows]]
- [[Stay tuned|download#index5h1]]
- [[Starting Tails!|download#index6h1]]
......
[[!meta title="Verify the ISO image using Linux with Gnome"]]
<p>You need to have the <code>seahorse-plugins</code> package
installed. If you're not sure or want to install it, under Debian,
Ubuntu or Tails you can issue the following commands:</p>
<pre>
sudo apt-get update
sudo apt-get install seahorse-plugins
</pre>
<p>First, download Tails signing key:</p>
[[!inline pages="lib/download_tails_signing_key" raw="yes"]]
<p>Your browser should propose you to open it with "Import Key". Choose
this action. It will add Tails signing key to your keyring, the
collection of OpenPGP keys you already imported:</p>
<p>[[!img download/import_key.png alt="What should Iceweasel do with
this file? Open with: Import Key (default)" link="no"]]</p>
<p>You will get notified will the following message:</p>
<p>[[!img download/key_imported.png alt="Key Imported. Imported a key
for Tails developers (signing key) &lt;tails@boum.org&gt;"
link="no"]]</p>
<p>Now, download the cryptographic signature corresponding to the ISO
image you want to verify:</p>
[[!inline pages="lib/download_stable_i386_iso_sig" raw="yes"]]
<p>Your browser should propose you to open it with "Verify Signature".
Choose this action to start the cryptographic verification:</p>
<p>[[!img download/verify_signature.png alt="What should Iceweasel do
with this file? Open with: Verify Signature (default)" link="no"]]</p>
<p>Browse your files to select the Tails ISO image you want to verify.
Then, the verification will start. It can take several minutes:</p>
<p>[[!img download/verifying.png alt="Verifying" link="no"]]</p>
<p><strong>If the ISO image is correct</strong> you will get a
notification telling you that the signature is good:</p>
<p>[[!img download/good_signature.png alt="Goog Signature"
link="no"]]</p>
<p><strong>If the ISO image is not correct</strong> you will get a
notification telling you that the signature is bad:</p>
<p>[[!img download/bad_signature.png alt="Bad Signature: Bad or forged
signature." link="no"]]</p>
[[!meta title="Verify the ISO image using other operating systems"]]
<h3>Using Firefox</h3>
<p>This technique is not using the cryptographic signature as the others
do. We propose it because it's especially easy for Windows users.</p>
<p>Install the CheckIt extension for Firefox available <a
href="https://addons.mozilla.org/en-US/firefox/addon/checkit/">here</a>
and restart Firefox.</p>
<p>Here is the checksum (a kind of digital fingerprint) of the ISO
image. Select it with your cursor:</p>
<pre>[[!inline pages="inc/stable_i386_hash" raw="yes"]]</pre>
<p>Right-click on it and choose "Selected hash (SHA256)" from the
contextual menu:</p>
<p>[[!img download/selected_hash.png alt="Selected hash (SHA256)"
link="no"]]</p>
<p>From the dialog box that shows up, open the ISO image. Then wait for
the checksum to compute. This will take several seconds during which
your browser will be unresponsive.</p>
<p><strong>If the ISO image is correct</strong> you will get a
notification saying that the checksums match:</p>
<p>[[!img download/checksums_match.png alt="CheckIt: SHA256 checksums
match!" link="no"]]</p>
<p><strong>If the ISO image is not correct</strong> you will get a
notification telling you that the checksums do not match:</p>
<p>[[!img download/checksums_do_not_match.png alt="SHA256 checksums do
not match!" link="no"]]</p>
<h3>Using the cryptographic signature</h3>
<p>GnuPG, a common free software implementation of OpenPGP has versions
and graphical frontends for both Windows and Mac OS X. This also make it
possible to check the cryptographic signature with those operating
systems:</p>
<ul>
<li>[[Gpg4win|http://www.gpg4win.org/]], for Windows</li>
<li>[[GPGTools|http://www.gpgtools.org/]], for Mac OS X</li>
</ul>
<p>You will find on either of those websites detailed documentation on
how to install and use them.</p>
<h3>For Windows using Gpg4win</h3>
<p>After installing Gpg4win, download Tails signing key:</p>
[[!inline pages="lib/download_tails_signing_key" raw="yes"]]
<p>[[Consult the Gpg4win documentation to import
it|http://www.gpg4win.org/doc/en/gpg4win-compendium_15.html]]</p>
<p>Then, download the cryptographic signature corresponding to the ISO
image you want to verify:</p>
[[!inline pages="lib/download_stable_i386_iso_sig" raw="yes"]]
<p>[[Consult the Gpg4win documentation to check the
signature|http://www.gpg4win.org/doc/en/gpg4win-compendium_24.html#id4]]</p>
<h3>For Mac OS X using GPGTools</h3>
<p>After installing GPGTools, you should be able to follow the
instruction for Linux with the command line. To open the command line,
navigate to your Applications folder, open Utilities, and double click
on Terminal.</p>
[[!meta title="Verify the ISO image using the command line"]]
<p>You need to have GnuPG installed. GnuPG is the common OpenPGP
implementation for Linux: it is installed by default under Debian,
Ubuntu, Tails and many other distributions.</p>
<p>First, <strong>download Tails signing key</strong>:</p>
[[!inline pages="lib/download_tails_signing_key" raw="yes"]]
<p>Open a terminal and <strong>import Tails signing key</strong> with the following
commands:</p>
<pre>
cd [the directory in which you downloaded the key]
cat tails-signing.key | gpg --import
</pre>
<p>The output should tell you that the key was imported:</p>
<pre>
gpg: key BE2CD9C1: public key "Tails developers (signing key) &lt;tails@boum.org&gt;" imported
gpg: Total number processed: 2
gpg: imported: 2 (RSA: 2)
</pre>
<p><strong>If you had already imported Tails signing key in the
past</strong>, the output
should tell you that the key was not changed:</p>
<pre>
gpg: key BE2CD9C1: "Tails developers (signing key) &lt;tails@boum.org&gt;" not changed
gpg: Total number processed: 2
gpg: unchanged: 2
</pre>
<p><strong>If you are shown the following message</strong> at the end of
the output:</p>
<pre>
gpg: no ultimately trusted keys found
</pre>
<p>Analyse the other messages as usual: this extra message doesn't
relate to the Tails signing key that you downloaded and usually means
that you didn't create an OpenPGP key for yourself yet, which of no
importance to verify the ISO image.</p>
<p>Now, <strong>download the cryptographic signature</strong> corresponding to the ISO
image you want to verify and save it in the same folder as the ISO
image:</p>
[[!inline pages="lib/download_stable_i386_iso_sig" raw="yes"]]
<p>Then, <strong>start the cryptographic verification</strong>, it can take several
minutes:</p>
<pre>
cd [the ISO image directory]
gpg --verify tails-i386-0.9.iso.pgp tails-i386-0.9.iso
</pre>
<p><strong>If the ISO image is correct</strong> the output will tell you
that the signature is good:</p>
<pre>
gpg: Signature made Sat 30 Apr 2011 10:53:23 AM CEST
gpg: using RSA key 1202821CBE2CD9C1
gpg: Good signature from "Tails developers (signing key) &lt;tails@boum.org&gt;"
</pre>
<p>This might be followed by a warning saying:</p>
<pre>
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0D24 B36A A9A2 A651 7878 7645 1202 821C BE2C D9C1
</pre>
<p>This doesn't alter the validity of the signature according to the key
you downloaded. This warning rather has to do with the trust that you
put in Tails signing key. See, [[Trusting Tails signing
key|doc/trusting_tails_signing_key]]. To remove this warning you would
have to personnally <span class="definition">[[!wikipedia Keysigning
desc="sign"]]</span> Tails signing key with your own key.</p>
<p><strong>If the ISO image is not correct</strong> the output will tell
you that the signature is bad:</p>
<pre>
gpg: Signature made Sat 30 Apr 2011 10:53:23 AM CEST
gpg: using RSA key 1202821CBE2CD9C1
gpg: BAD signature from "Tails developers (signing key) &lt;tails@boum.org&gt;"
</pre>
......@@ -142,59 +142,7 @@ share it without restriction.</strong>
<h2>Using Linux with Gnome: Ubuntu, Debian, Tails, Fedora, etc.</h2>
<p>You need to have the <code>seahorse-plugins</code> package
installed. If you're not sure or want to install it, under Debian,
Ubuntu or Tails you can issue the following commands:</p>
<pre>
sudo apt-get update
sudo apt-get install seahorse-plugins
</pre>
<p>First, download Tails signing key:</p>
[[!inline pages="lib/download_tails_signing_key" raw="yes"]]
<p>Your browser should propose you to open it with "Import Key". Choose
this action. It will add Tails signing key to your keyring, the
collection of OpenPGP keys you already imported:</p>
<p>[[!img download/import_key.png alt="What should Iceweasel do with
this file? Open with: Import Key (default)" link="no"]]</p>
<p>You will get notified will the following message:</p>
<p>[[!img download/key_imported.png alt="Key Imported. Imported a key
for Tails developers (signing key) &lt;tails@boum.org&gt;"
link="no"]]</p>
<p>Now, download the cryptographic signature corresponding to the ISO
image you want to verify:</p>
[[!inline pages="lib/download_stable_i386_iso_sig" raw="yes"]]
<p>Your browser should propose you to open it with "Verify Signature".
Choose this action to start the cryptographic verification:</p>
<p>[[!img download/verify_signature.png alt="What should Iceweasel do
with this file? Open with: Verify Signature (default)" link="no"]]</p>
<p>Browse your files to select the Tails ISO image you want to verify.
Then, the verification will start. It can take several minutes:</p>
<p>[[!img download/verifying.png alt="Verifying" link="no"]]</p>
<p><strong>If the ISO image is correct</strong> you will get a
notification telling you that the signature is good:</p>
<p>[[!img download/good_signature.png alt="Goog Signature"
link="no"]]</p>
<p><strong>If the ISO image is not correct</strong> you will get a
notification telling you that the signature is bad:</p>
<p>[[!img download/bad_signature.png alt="Bad Signature: Bad or forged
signature." link="no"]]</p>
[[!inline pages="doc/get/verify_the_iso_image_using_gnome" raw="yes"]]
<span class="hide">[[!toggle id="verify_the_iso_image_using_gnome" text=""]]</span>
"""]]
......@@ -204,98 +152,7 @@ sudo apt-get install seahorse-plugins
<h2>Using Linux with the command line</h2>
<p>You need to have GnuPG installed. GnuPG is the common OpenPGP
implementation for Linux: it is installed by default under Debian,
Ubuntu, Tails and many other distributions.</p>
<p>First, <strong>download Tails signing key</strong>:</p>
[[!inline pages="lib/download_tails_signing_key" raw="yes"]]
<p>Open a terminal and <strong>import Tails signing key</strong> with the following
commands:</p>
<pre>
cd [the directory in which you downloaded the key]
cat tails-signing.key | gpg --import
</pre>
<p>The output should tell you that the key was imported:</p>
<pre>
gpg: key BE2CD9C1: public key "Tails developers (signing key) &lt;tails@boum.org&gt;" imported
gpg: Total number processed: 2
gpg: imported: 2 (RSA: 2)
</pre>
<p><strong>If you had already imported Tails signing key in the
past</strong>, the output
should tell you that the key was not changed:</p>
<pre>
gpg: key BE2CD9C1: "Tails developers (signing key) &lt;tails@boum.org&gt;" not changed
gpg: Total number processed: 2
gpg: unchanged: 2
</pre>
<p><strong>If you are shown the following message</strong> at the end of
the output:</p>
<pre>
gpg: no ultimately trusted keys found
</pre>
<p>Analyse the other messages as usual: this extra message doesn't
relate to the Tails signing key that you downloaded and usually means
that you didn't create an OpenPGP key for yourself yet, which of no
importance to verify the ISO image.</p>
<p>Now, <strong>download the cryptographic signature</strong> corresponding to the ISO
image you want to verify and save it in the same folder as the ISO
image:</p>
[[!inline pages="lib/download_stable_i386_iso_sig" raw="yes"]]
<p>Then, <strong>start the cryptographic verification</strong>, it can take several
minutes:</p>
<pre>
cd [the ISO image directory]
gpg --verify tails-i386-0.9.iso.pgp tails-i386-0.9.iso
</pre>
<p><strong>If the ISO image is correct</strong> the output will tell you
that the signature is good:</p>
<pre>
gpg: Signature made Sat 30 Apr 2011 10:53:23 AM CEST
gpg: using RSA key 1202821CBE2CD9C1
gpg: Good signature from "Tails developers (signing key) &lt;tails@boum.org&gt;"
</pre>
<p>This might be followed by a warning saying:</p>
<pre>
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0D24 B36A A9A2 A651 7878 7645 1202 821C BE2C D9C1
</pre>
<p>This doesn't alter the validity of the signature according to the key
you downloaded. This warning rather has to do with the trust that you
put in Tails signing key. See, [[Trusting Tails signing
key|doc/trusting_tails_signing_key]]. To remove this warning you would
have to personnally <span class="definition">[[!wikipedia Keysigning
desc="sign"]]</span> Tails signing key with your own key.</p>
<p><strong>If the ISO image is not correct</strong> the output will tell
you that the signature is bad:</p>
<pre>
gpg: Signature made Sat 30 Apr 2011 10:53:23 AM CEST
gpg: using RSA key 1202821CBE2CD9C1
gpg: BAD signature from "Tails developers (signing key) &lt;tails@boum.org&gt;"
</pre>
[[!inline pages="doc/get/verify_the_iso_image_using_gnome" raw="yes"]]
<span class="hide">[[!toggle id="verify_the_iso_image_using_the_command_line" text=""]]</span>
"""]]
......@@ -305,80 +162,7 @@ gpg: BAD signature from "Tails developers (signing key) &lt;tails@boum.org&gt;"
<h2>Using other operating systems</h2>
<h3>Using Firefox</h3>
<p>This technique is not using the cryptographic signature as the others
do. We propose it because it's especially easy for Windows users.</p>
<p>Install the CheckIt extension for Firefox available <a
href="https://addons.mozilla.org/en-US/firefox/addon/checkit/">here</a>
and restart Firefox.</p>
<p>Here is the checksum (a kind of digital fingerprint) of the ISO
image. Select it with your cursor:</p>
<pre>[[!inline pages="inc/stable_i386_hash" raw="yes"]]</pre>
<p>Right-click on it and choose "Selected hash (SHA256)" from the
contextual menu:</p>
<p>[[!img download/selected_hash.png alt="Selected hash (SHA256)"
link="no"]]</p>
<p>From the dialog box that shows up, open the ISO image. Then wait for
the checksum to compute. This will take several seconds during which
your browser will be unresponsive.</p>
<p><strong>If the ISO image is correct</strong> you will get a
notification saying that the checksums match:</p>
<p>[[!img download/checksums_match.png alt="CheckIt: SHA256 checksums
match!" link="no"]]</p>
<p><strong>If the ISO image is not correct</strong> you will get a
notification telling you that the checksums do not match:</p>
<p>[[!img download/checksums_do_not_match.png alt="SHA256 checksums do
not match!" link="no"]]</p>
<h3>Using the cryptographic signature</h3>
<p>GnuPG, a common free software implementation of OpenPGP has versions
and graphical frontends for both Windows and Mac OS X. This also make it
possible to check the cryptographic signature with those operating
systems:</p>
<ul>
<li>[[Gpg4win|http://www.gpg4win.org/]], for Windows</li>
<li>[[GPGTools|http://www.gpgtools.org/]], for Mac OS X</li>
</ul>
<p>You will find on either of those websites detailed documentation on
how to install and use them.</p>
<h3>For Windows using Gpg4win</h3>
<p>After installing Gpg4win, download Tails signing key:</p>
[[!inline pages="lib/download_tails_signing_key" raw="yes"]]
<p>[[Consult the Gpg4win documentation to import
it|http://www.gpg4win.org/doc/en/gpg4win-compendium_15.html]]</p>
<p>Then, download the cryptographic signature corresponding to the ISO
image you want to verify:</p>
[[!inline pages="lib/download_stable_i386_iso_sig" raw="yes"]]
<p>[[Consult the Gpg4win documentation to check the
signature|http://www.gpg4win.org/doc/en/gpg4win-compendium_24.html#id4]]</p>
<h3>For Mac OS X using GPGTools</h3>
<p>After installing GPGTools, you should be able to follow the
instruction for Linux with the command line. To open the command line,
navigate to your Applications folder, open Utilities, and double click
on Terminal.</p>
[[!inline pages="doc/get/verify_the_iso_image_using_other_operating_systems" raw="yes"]]
<span class="hide">[[!toggle id="verify_the_iso_image_using_other_operating_systems" text=""]]</span>
"""]]
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment