summaryrefslogtreecommitdiffstats
path: root/wiki/src/install/expert/usb.mdwn
blob: 8ef1ef38a078611cb9f796a99d20fd55dd471931 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
[[!meta title="Install from Debian, Ubuntu, or Mint using the command line and GnuPG"]]

[[!meta stylesheet="inc/stylesheets/assistant" rel="stylesheet" title=""]]
[[!meta stylesheet="inc/stylesheets/steps" rel="stylesheet" title=""]]
[[!meta stylesheet="inc/stylesheets/expert" rel="stylesheet" title=""]]

Start in Debian, Ubuntu, or Linux Mint.

[[!inline pages="install/inc/steps/debian_requirements.inline" raw="yes" sort="age"]]

<h1 id="verify-key">Verify the Tails signing key</h1>

<div class="tip">

<p>If you already certified the Tails signing key with your own key, you
can skip this step and start [[downloading and verifying the ISO
image|usb#download]].</p>

</div>

In this step, you will download and verify the *Tails signing
key* which is the OpenPGP key that is used to cryptographically sign
the Tails ISO image.

<div class="note">

<p>To follow these instructions you need to have your own OpenPGP
key.</p>

<p>To learn how to create yourself an OpenPGP key, see
<a href="https://help.riseup.net/en/security/message-security/openpgp/gpg-keys">Managing
OpenPGP Keys</a> by <em>Riseup</em>.</p>

</div>

This verification technique uses the OpenPGP Web of Trust and the
certification made by official Debian developers on the Tails signing
key. [[Learn more about the OpenPGP Web of
Trust|install/download/openpgp#wot]].

1. Import the Tails signing key in your <span class="application">GnuPG</span> keyring:

       wget https://tails.boum.org/tails-signing.key
       gpg --import < tails-signing.key

1. Install the Debian keyring. It contains the OpenPGP keys of all Debian developers:

       sudo apt install debian-keyring

1. Import the OpenPGP key of [[!wikipedia Stefano_Zacchiroli]], a former
   Debian Project Leader, from the Debian keyring into your keyring:

       gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --export zack@upsilon.cc | gpg --import

1. Verify the certifications made on the Tails signing key:

       gpg --keyid-format 0xlong --check-sigs A490D0F4D311A4153E2BB7CADBB802B258ACD84F

   In the output of this command, look for the following line:

       sig! 0x9C31503C6D866396 2015-02-03  Stefano Zacchiroli <zack@upsilon.cc>

   Here, <code>sig!</code>, with an exclamation mark, means that Stefano
   Zacchiroli verified and certified the Tails signing key with his key.

   It is also possible to verify the certifications made by other
   people. Their name and email address appear in the list of
   certification if you have their key in your keyring.

   <div class="caution">
   <p>If the verification of the certification failed, then you might
   have downloaded a malicious version of the Tails signing key or our
   instructions might be outdated.
   Please [[get in touch with us|support/talk]].</p>
   </div>

   <div class="tip">
   <p>The line `175 signatures not checked due to missing keys` or similar
   refers to the certifications (also called *signatures*) made by other public
   keys that are not in your keyring. This is not a problem.</p>
   </div>

1. Certify the Tails signing key with your own key:

   a. To make a non-exportable certification that will never be shared
      with others:

          gpg --lsign-key A490D0F4D311A4153E2BB7CADBB802B258ACD84F

   b. To make an exportable certification of the Tails signing
      key and publish it on the public key servers:

          gpg --sign-key A490D0F4D311A4153E2BB7CADBB802B258ACD84F
          gpg --send-keys A490D0F4D311A4153E2BB7CADBB802B258ACD84F

      Doing so allows people who verified
      your key to verify your certification and, as a consequence, build
      more trust in the Tails signing key.

<a id="download"></a>

<h1 id="download-verify">Download and verify the ISO image</h1>

In this step, you will download the latest Tails ISO image and verify it
using the Tails signing key.

1. Download the ISO image:

   <p class="pre">wget --continue [[!inline pages="inc/stable_amd64_iso_url" raw="yes" sort="age"]]</p>

1. Download the signature of the ISO image:

   <p class="pre">wget [[!inline pages="inc/stable_amd64_iso_sig_url" raw="yes" sort="age"]]</p>

1. Verify that the ISO image is signed by the Tails signing key:

   <p class="pre">[[!inline pages="inc/stable_amd64_gpg_verify" raw="yes" sort="age"]]</p>

   The output of this command should be the following:

   <p class="pre">[[!inline pages="inc/stable_amd64_gpg_signature_output" raw="yes" sort="age"]]</p>

   Verify in this output that:

     - The date of the signature is the same.
     - The signature is marked as <code>Good signature</code> since you
       certified the Tails signing key with your own key.

Install <span class="application">Tails Installer</span>
========================================================

In this step, you will install <span class="application">Tails
Installer</span>, a program designed specifically for installing Tails.

1. If you are running:

   a. Debian, execute the following command to add the
   backports repository to your system:

         BACKPORTS='deb http://http.debian.net/debian/ jessie-backports main'
         echo $BACKPORTS | sudo tee /etc/apt/sources.list.d/jessie-backports.list && echo "OK"

   b. Ubuntu or Linux Mint, execute the following commands to add the
   *universe* repository and our PPA to your system:

         sudo add-apt-repository universe
         sudo add-apt-repository ppa:tails-team/tails-installer

1. Update your lists of packages:

       sudo apt update

1. Install the <span class="code">tails-installer</span> package:

       sudo apt install tails-installer

[[!inline pages="install/inc/steps/install_final_in_debian.inline" raw="yes" sort="age"]]

[[!inline pages="install/inc/steps/restart_first_time.inline" raw="yes" sort="age"]]

[[!inline pages="install/inc/steps/create_persistence.inline" raw="yes" sort="age"]]