Fix differences in OpenPGP verification outputs
GnuPG verification of Tails download output differs from that quoted here: https://tails.boum.org/install/expert/usb/index.en.html#download-verify
With GnuPG version: 1.4.20 on Ubuntu 16.04 the command: `gpg —keyid-format 0xlong —verify tails-amd64-3.1.iso.sig tails-amd64-3.1.iso` outputs:
gpg: Signature made Wed 09 Aug 2017 01:06:36 IST gpg: using RSA key 0xAF292B44A0EDAA41 gpg: Good signature from "Tails developers (offline long-term identity key) <firstname.lastname@example.org>" gpg: aka "Tails developers <email@example.com>"
The instructions on the Tails site state that the output of this command should be the following:
gpg: Signature made Wed Aug 9 02:06:36 2017 CEST gpg: using RSA key 79192EE220449071F589AC00AF292B44A0EDAA41 gpg: Good signature from "Tails developers (offline long-term identity key) <firstname.lastname@example.org>" [full] gpg: aka "Tails developers <email@example.com>" [full] Primary key fingerprint: A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F Subkey fingerprint: 7919 2EE2 2044 9071 F589 AC00 AF29 2B44 A0ED AA41
The instructions specifically ask the user to verify that the date of the signature is the same.
There are three differences between actual and expected output:
- RSA Key
- Key fingerprint
Running the command `gpg —keyid-format 0xlong —with-fingerprint —verify tails-amd64-3.1.iso.sig tails-amd64-3.1.iso` provides the fingerprints as shown on the Tails site…so maybe the provided command should be amended.
Regarding timezone, the documentation should possibly state something like: “The date of the signature should be the same, but will be displayed in your local timezone.”
I don’t understand why the “using RSA key…” differs. There is obviously a relationship between the quoted value and the actual output - both contain “AF292B44A0EDAA41”. I have tried different combinations of `—keyid-format` options, but can’t get a match
Feature Branch: web/14977-improve-openpgp-instructions