summaryrefslogtreecommitdiffstats
path: root/wiki/src/install/download/openpgp.mdwn
diff options
context:
space:
mode:
Diffstat (limited to 'wiki/src/install/download/openpgp.mdwn')
-rw-r--r--wiki/src/install/download/openpgp.mdwn236
1 files changed, 0 insertions, 236 deletions
diff --git a/wiki/src/install/download/openpgp.mdwn b/wiki/src/install/download/openpgp.mdwn
deleted file mode 100644
index e327e61..0000000
--- a/wiki/src/install/download/openpgp.mdwn
+++ /dev/null
@@ -1,236 +0,0 @@
-[[!meta title="Download and verify using OpenPGP"]]
-
-These instructions are for people who are already familiar with basic
-usage of OpenPGP and have *GPG* installed but might need guidance on
-performing the verification.
-
-If you are not familiar with OpenPGP, download using either [[our
-Firefox extension or BitTorrent|install/download]] instead.
-
-1. Download the <a href='[[!inline pages="inc/stable_amd64_iso_url" raw="yes" sort="age"]]' class="use-mirror-pool">
- Tails [[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]] ISO image</a>
- (<span class="remove-extra-space">[[!inline pages="inc/stable_amd64_iso_size" raw="yes" sort="age"]]</span>).
-
-1. Download the <a href='[[!inline pages="inc/stable_amd64_iso_sig_url" raw="yes" sort="age"]]'>
- Tails [[!inline pages="inc/stable_amd64_version" raw="yes" sort="age"]] OpenPGP signature</a>
- and save it to the same folder where
- you saved the ISO image.
-
-1. If you are doing the verification for the first time, download the
- [[Tails signing key|tails-signing.key]] and import it in your keyring.
- If you are working from Tails, the signing key is already included.
-
- All our ISO images are signed with the same signing key, so you only
- have to import it once. Still, you have to verify the ISO image every
- time you download a new one.
-
- <div class="tip">
- <p>This download of the Tails signing key is protected using HTTPS.
- But you could still download a malicious signing key if our website is
- compromised or if you are victim of a [[man-in-the-middle
- attack|doc/about/warning#man-in-the-middle]].</p>
-
- <p>For additional verification, you can <a href="#wot">authenticate
- the signing key through the OpenPGP Web of Trust</a>.</p>
- </div>
-
-Verify the ISO image
-====================
-
-This section provides simplified instructions:
-
- - <a href="#windows">In Windows with <span class="application">Gpg4win</span></a>
- - <a href="#mac">In macOS with <span class="application">GPGTools</span></a>
- - <a href="#tails">In Tails</a>
- - <a href="#command-line">Using the command line</span></a>
-
-<div class="caution">
-
-<p>As explained above in step 3, this simple OpenPGP verification
-provides a level of verification equivalent to HTTPS, like the [[Firefox
-extension or BitTorrent|install/download]], unless you also
-<a href="#wot">authenticate the signing key through the OpenPGP Web of Trust</a>.</p>
-
-</div>
-
-<a id="windows"></a>
-
-### In Windows with <span class="application">Gpg4win</span>
-
-See the [[<span class="application">Gpg4win</span> documentation on
-verifying signatures|http://www.gpg4win.org/doc/en/gpg4win-compendium_24.html#id4]].
-
-Verify the date of the signature to make sure that you downloaded the latest version.
-
-If the following warning appears:
-
-<pre>
-Not enough information to check the signature validity.
-Signed on ... by tails@boum.org (Key ID: 0x58ACD84F
-The validity of the signature cannot be verified.
-</pre>
-
-Then the ISO image is still correct according to the signing key that you
-downloaded. To remove this warning you need to <a href="#wot">authenticate the
-signing key through the OpenPGP Web of Trust</a>.
-
-<a id="mac"></a>
-
-### In macOS using <span class="application">GPGTools</span>
-
-1. Open <span class="application">Finder</span> and navigate to the
- folder where you saved the ISO image and the signature.
-
-1. Right-click on the ISO image and choose
- <span class="guimenuchoice">
- <span class="guisubmenu">Services</span> ▸
- <span class="guimenuitem">OpenPGP: Verify Signature of File</span></span>.
-
-<a id="tails"></a>
-
-### In Tails
-
-1. Open the file browser and navigate to the folder where you saved the
- ISO image and the signature.
-
-1. Right-click on the signature and choose <span class="guimenuitem">Open With
- Verify Signature</span>.
-
-1. The verification of the ISO image starts automatically:
-
- [[!img install/inc/screenshots/verifying_in_tails.png link="no"]]
-
-1. After the verification finishes, click on the notification counter in
- the bottom-right corner and on the notification with a transparent
- background on the right of the notification area:
-
- [[!img install/inc/screenshots/notification_in_tails.png link="no"]]
-
- Verify the date of the signature to make sure that you downloaded the latest version.
-
-<a id="command-line"></a>
-
-### Using the command line
-
-1. Open a terminal and navigate to the folder where you saved the ISO
- image and the signature.
-
-1. Execute:
-
- <p class="pre">[[!inline pages="inc/stable_amd64_gpg_verify" raw="yes" sort="age"]]</p>
-
- The output of this command should be the following:
-
- <p class="pre">[[!inline pages="inc/stable_amd64_gpg_signature_output" raw="yes" sort="age"]]</p>
-
- Verify the date of the signature to make sure that you downloaded the latest version.
-
- If the output also includes:
-
- <pre>
- gpg: WARNING: This key is not certified with a trusted signature!
- gpg: There is no indication that the signature belongs to the owner.</pre>
-
- Then the ISO image is still correct according to the signing key that you
- downloaded. To remove this warning you need to <a href="#wot">authenticate
- the signing key through the OpenPGP Web of Trust</a>.
-
-<a id="wot"></a>
-
-Authenticate the signing key through the OpenPGP Web of Trust
-=============================================================
-
-The verification techniques presented until now ([[Firefox extension,
-BitTorrent|install/download]], or OpenPGP verification) all rely on some
-information being securely downloaded using HTTPS from our website:
-
- - The *checksum* for the Firefox extension
- - The *Torrent file* for BitTorrent
- - The *Tails signing key* for the OpenPGP verification
-
-But, while doing so, you could download malicious information if our
-website is compromised or if you are victim of a [[man-in-the-middle
-attack|doc/about/warning#man-in-the-middle]].
-
-The OpenPGP verification is the only technique that allows you to verify the ISO image even better
-by also authenticating the Tails signing key through the OpenPGP Web of
-Trust. Relying on the OpenPGP Web of Trust is the only way to completely
-protect you from malicious downloads.
-
-<div class="note">
-
-<p>If you are verifying an ISO image from inside Tails already, for
-example to do a manual upgrade, then the Tails signing key is already
-included in Tails. You can trust this signing key as much as you are trusting your
-Tails installation already because you are not downloading it.</p>
-
-</div>
-
-One of the inherent problems of standard HTTPS is that the trust we usually put
-in a website is defined by certificate authorities: a hierarchical and closed
-set of companies and governmental institutions approved by your web browser vendor.
-This model of trust has long been criticized and proved several times to be
-vulnerable to attacks [[as explained on our warning page|doc/about/warning#man-in-the-middle]].
-
-We believe that, instead, users should be given the final say when trusting a
-website, and that designation of trust should be done on the basis of human
-interactions.
-
-The OpenPGP [[!wikipedia Web_of_Trust]] is a
-decentralized trust model based on OpenPGP keys that can help solving
-this problem. Let's see this with an example:
-
-1. *You are friend with Alice and really trust her way of managing
- OpenPGP keys. So you are trusting Alice's key.*
-
-1. *Furthermore, Alice met Bob, a Tails developer, in a conference and certified
- Bob's key. So Alice is trusting Bob's key.*
-
-1. *Bob is a Tails developer who directly owns the Tails signing key. So
- Bob fully trusts the Tails signing key.*
-
-In this scenario, Alice found a path to trust the Tails signing key
-without the need to rely on certificate authorities.
-
-<div class="tip">
-
-<p>If you are on Debian, Ubuntu, or Linux Mint, you can install the
-<code>debian-keyring</code> package which contains the OpenPGP keys of
-all Debian developers. Some Debian developers have certified the Tails
-signing key and you can use these certifications to build a trust path.
-This technique is explained in detail in our instructions on
-[[installing Tails from Debian, Ubuntu, or Linux Mint using the command
-line|install/expert/usb]].</p>
-
-</div>
-
-Relying on the Web of Trust requires both caution and intelligent supervision
-by the users. The technical details are outside of the scope of this document.
-
-Since the Web of Trust is actually based on human relationships and
-real-life interactions, the best is to get in touch with people
-knowledgeable about OpenPGP and build trust relationships in order to
-find your own trust path to the Tails signing key.
-
-For example, you can start by contacting a local [[!wikipedia Linux_User_Group]],
-[[an organization offering Tails training|support/learn]], or other Tails
-enthusiasts near you and exchange about their OpenPGP practices.
-
-<div class="tip">
-
-<p>After you built a trust path, you can certify the Tails signing key by
-signing it with your own key to get rid of some warnings during the
-verification process.</p>
-
-</div>
-
-# Further reading on OpenPGP
-
-- [[!wikipedia GnuPG desc="Wikipedia: %s"]], a free OpenPGP software
-- [[Apache: How To OpenPGP|http://www.apache.org/dev/openpgp.html]]
-- [[Debian: Keysigning|http://www.debian.org/events/keysigning]], a
- tutorial on signing keys of other people
-- [[rubin.ch: Explanation of the web of trust of PGP|http://www.rubin.ch/pgp/weboftrust.en.html]]
-- [[Gpg4win: Certificate
- inspection|http://www.gpg4win.org/doc/en/gpg4win-compendium_16.html]],
- instructions to manage key trust with Gpg4win