|author||Tails developers <firstname.lastname@example.org>||2015-01-27 11:05:04 +0000|
|committer||Tails developers <email@example.com>||2015-01-27 11:05:04 +0000|
Question OpenPGP verification in the extension
It's probably better to stick to HTTPS and checksum verification in the extension, and try to automate OpenPGP verification through the Installer instead.
1 files changed, 13 insertions, 5 deletions
diff --git a/wiki/src/blueprint/download_extension.mdwn b/wiki/src/blueprint/download_extension.mdwn
index 1c9420d..622ad13 100644
@@ -78,11 +78,19 @@ Other desirable features
- Be able to use that extension to verify other ISO images, testing images,
older ISO images, etc. In that case the user would be warned about the
deprectated or experimental status of the ISO image.
- - Be able to use that extension to check the GPG signature. On top of
- verifying the checksum, this would provide TOFU authentication. Then, if the
- user downloads a genuine app and a genuine key on first use, then she will
- be protected from a later compromision of the HTTPS certificate of
+ - Do we want to use that extension to also check the GPG signature?
+ - On top of verifying the checksum, this would provide TOFU
+ authentication. Then, if the user downloads a genuine app and a
+ genuine key on first use, then she will be protected from a later
+ compromission of the HTTPS certificate of tails.boum.org.
+ - On the other hand, it might be easier and make more sense to push
+ the OpenPGP verification to Tails Installer, when run in Debian
+ for example. As we would have easier access to `gpg`, we could
+ reuse the Debian keyring, etc.