path: root/wiki/src/doc/get/verify_the_iso_image_using_the_command_line.html
Diffstat (limited to 'wiki/src/doc/get/verify_the_iso_image_using_the_command_line.html')
-rw-r--r-- wiki/src/doc/get/verify_the_iso_image_using_the_command_line.html 94
1 files changed, 94 insertions, 0 deletions
diff --git a/wiki/src/doc/get/verify_the_iso_image_using_the_command_line.html b/wiki/src/doc/get/verify_the_iso_image_using_the_command_line.html
new file mode 100644
index 0000000..5c4284c
--- /dev/null
+++ b/wiki/src/doc/get/verify_the_iso_image_using_the_command_line.html
@@ -0,0 +1,94 @@
+[[!meta title="Verify the ISO image using the command line"]]
+
+<p>You need to have GnuPG installed. GnuPG is the common OpenPGP
+implementation for Linux: it is installed by default under Debian,
+Ubuntu, Tails and many other distributions.</p>
+
+<p>First, <strong>download Tails signing key</strong>:</p>
+
+[[!inline pages="lib/download_tails_signing_key" raw="yes"]]
+
+<p>Open a terminal and <strong>import Tails signing key</strong> with the following
+commands:</p>
+
+<pre>
+cd [the directory in which you downloaded the key]
+cat tails-signing.key | gpg --import
+</pre>
+
+<p>The output should tell you that the key was imported:</p>
+
+<pre>
+gpg: key BE2CD9C1: public key "Tails developers (signing key) &lt;tails@boum.org&gt;" imported
+gpg: Total number processed: 2
+gpg: imported: 2 (RSA: 2)
+</pre>
+
+<p><strong>If you had already imported Tails signing key in the
+past</strong>, the output
+should tell you that the key was not changed:</p>
+
+<pre>
+gpg: key BE2CD9C1: "Tails developers (signing key) &lt;tails@boum.org&gt;" not changed
+gpg: Total number processed: 2
+gpg: unchanged: 2
+</pre>
+
+<p><strong>If you are shown the following message</strong> at the end of
+the output:</p>
+
+<pre>
+gpg: no ultimately trusted keys found
+</pre>
+
+<p>Analyse the other messages as usual: this extra message doesn't
+relate to the Tails signing key that you downloaded and usually means
+that you didn't create an OpenPGP key for yourself yet, which of no
+importance to verify the ISO image.</p>
+
+<p>Now, <strong>download the cryptographic signature</strong> corresponding to the ISO
+image you want to verify and save it in the same folder as the ISO
+image:</p>
+
+[[!inline pages="lib/download_stable_i386_iso_sig" raw="yes"]]
+
+<p>Then, <strong>start the cryptographic verification</strong>, it can take several
+minutes:</p>
+
+<pre>
+cd [the ISO image directory]
+gpg --verify tails-i386-0.9.iso.pgp tails-i386-0.9.iso
+</pre>
+
+<p><strong>If the ISO image is correct</strong> the output will tell you
+that the signature is good:</p>
+
+<pre>
+gpg: Signature made Sat 30 Apr 2011 10:53:23 AM CEST
+gpg: using RSA key 1202821CBE2CD9C1
+gpg: Good signature from "Tails developers (signing key) &lt;tails@boum.org&gt;"
+</pre>
+
+<p>This might be followed by a warning saying:</p>
+
+<pre>
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg: There is no indication that the signature belongs to the owner.
+Primary key fingerprint: 0D24 B36A A9A2 A651 7878 7645 1202 821C BE2C D9C1
+</pre>
+
+<p>This doesn't alter the validity of the signature according to the key
+you downloaded. This warning rather has to do with the trust that you
+put in Tails signing key. See, [[Trusting Tails signing
+key|doc/trusting_tails_signing_key]]. To remove this warning you would
+have to personnally <span class="definition">[[!wikipedia Keysigning
+desc="sign"]]</span> Tails signing key with your own key.</p>
+
+<p><strong>If the ISO image is not correct</strong> the output will tell
+you that the signature is bad:</p>
+
+<pre>
+gpg: Signature made Sat 30 Apr 2011 10:53:23 AM CEST
+gpg: using RSA key 1202821CBE2CD9C1
+gpg: BAD signature from "Tails developers (signing key) &lt;tails@boum.org&gt;"
+</pre>
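Review bot: The "If the ISO image is correct" step treats the "Good signature from ..." line as sufficient, but nothing in the page tells the reader to check which key produced it. The full fingerprint only appears in the optional warning block ("Primary key fingerprint: 0D24 B36A ..."), and the import output identifies the key by the short ID BE2CD9C1. gpg prints the same "Good signature" line for any key in the keyring carrying that user ID, so I would add an explicit step asking the reader to compare the primary key fingerprint with the expected value, and point to [[Trusting Tails signing key]] from that step rather than only from the warning paragraph. Smaller points: the verify command hard-codes tails-i386-0.9.iso while the signature link comes from lib/download_stable_i386_iso_sig, so the example file names will go stale at the next release; "which of no importance to verify" is missing "is"; "personnally" should be "personally"; "See, [[Trusting" has a stray comma; and "cat tails-signing.key | gpg --import" can be written as "gpg --import tails-signing.key".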