Trusting Tails Installer in Ubuntu
Originally created by @Anonymous on #11859 (Redmine)
A very valid concern has been raised by a user on tails-support (see below for a quote).
I think we need to document somewhere that I’m actually the one who signs the tails-installer package on the Ubuntu PPA. Not sure if this should be done only on the installation pages concerning Ubuntu or also on the OpenPGP keys page of the website.
I just tried to download and install the latest version of
Tails, and I've noticed I'm now supposed to install the
Tails Installer program from a PPA to do the installation.
I've always liked that you take great care to show users
how to verify the downloaded iso file, but there doesn't
seem to be anything similar for the Installer package. The
PGP key of the PPA is not listed at
https://tails.boum.org/doc/about/openpgp_keys/index.en.html and it doesn't have
any signatures either, so if I'm not mistaken there is no
way for me to make sure the PPA and its software are
actually from the Tails people. The way I understand it
verifying this PPA is just as crucial as verifying the
downloaded iso file.