
About Tails Installation

This document provides instructions for downloading and verifying the Tails operating system using OpenPGP signatures. It explains how to download the Tails ISO image, its signature, and the Tails signing key. It then describes how to verify the ISO image signature on Windows, Mac, Tails, or the command line. It notes that additional verification can be achieved by authenticating the signing key through the OpenPGP Web of Trust to guard against malicious downloads. It provides information on building trust relationships and certifying keys to strengthen verification of the Tails signing key.

Download and verify using OpenPGP

Install Tails 2.6 2016-09-20

These instructions are for people who are already familiar with basic usage of OpenPGP
and have GPG installed but might need guidance on performing the verification.

1. Download the Tails 2.6 ISO image (1.1 GiB).

2. Download the Tails 2.6 OpenPGP signature of the latest Tails ISO image and
save it to the same folder where you saved the ISO image.

3. If you are doing the verification for the first time, download the Tails signing
key and import it in your keyring. If you are working from Tails, the signing key
is already included.

All our ISO images are signed with the same signing key, so you only have to
import it once. Still, you have to verify the ISO image every time you download
a new one.

This download of the Tails signing key is protected using HTTPS. But you could
still download a malicious signing key if our website is compromised or if you
are the victim of a man-in-the-middle attack.

For additional verification, you can authenticate the signing key through the
OpenPGP Web of Trust.

Tails transitioned to a new signing key in March 2015. If you had the previous signing
key, make sure to import and verify the new signing key.

Verify the ISO image


This section provides simplified instructions:

In Windows with Gpg4win

In Mac OS X with GPGTools

In Tails

Using the command line

As explained above in step 3, this simple OpenPGP verification provides a level of
verification equivalent to HTTPS, like the Firefox extension or BitTorrent, unless you
also authenticate the signing key through the OpenPGP Web of Trust.

In Windows with Gpg4win

See the Gpg4win documentation on verifying signatures.

Verify the date of the signature to make sure that you downloaded the latest version.

If the following warning appears:

Not enough information to check the signature validity.
Signed on ... by [email protected] (Key ID: 0x58ACD84F
The validity of the signature cannot be verified.

Then the ISO image is still correct according to the signing key that you downloaded.
To remove this warning you need to authenticate the signing key through the OpenPGP
Web of Trust.

In Mac OS X using GPGTools

1. Open Finder and navigate to the folder where you saved the ISO image and the
signature.

2. Right-click on the ISO image and choose Services > OpenPGP: Verify Signature
of File.

In Tails

1. Open the file browser and navigate to the folder where you saved the ISO image
and the signature.

2. Right-click on the signature and choose Open With > Verify Signature.

3. The verification of the ISO image starts automatically:

4. After the verification finishes, click on the notification counter in the
bottom-right corner and on the notification with a transparent background on the
right of the notification area:

Verify the date of the signature to make sure that you downloaded the latest
version.

Using the command line

1. Open a terminal and navigate to the folder where you saved the ISO image and
the signature.

2. Execute:

gpg --keyid-format 0xlong --verify tails-i386-2.6.iso.sig tails-i386-2.6.iso

The output of this command should be the following:


gpg: Signature made 2016-09-20T17:24:50 CEST
gpg: using RSA key 0x98FEC6BC752A3DB6
gpg: Good signature from "Tails developers (offline long-term identity key) <tail[email protected]>" [full]
gpg: aka "Tails developers <[email protected]>" [unknown]
Primary key fingerprint: A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F
Subkey fingerprint: BA2C 222F 44AC 00ED 9899 3893 98FE C6BC 752A 3DB6

Verify the date of the signature to make sure that you downloaded the latest
version.

If the output also includes:

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

Then the ISO image is still correct according to the signing key that you
downloaded. To remove this warning you need to authenticate the signing key
through the OpenPGP Web of Trust.
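
The command-line check above can also be done on gpg's machine-readable status lines, which lets a script pin the primary key fingerprint shown in the expected output instead of relying on someone reading "Good signature". This is an added example, not part of the original Tails instructions; `check_status`, `report` and the three sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Primary key fingerprint from the expected output on this page, spaces removed.
EXPECTED_PRIMARY="A490D0F4D311A4153E2BB7CADBB802B258ACD84F"

# Reads `gpg --status-fd 1 --verify SIG FILE` output on stdin.
# Prints the signature date and returns 0 only if a VALIDSIG line names the
# expected primary key and no failure status was reported.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        # VALIDSIG: field 3 = signing key, field 4 = signature date,
        # last field = primary key fingerprint.
        $2 == "VALIDSIG" && $NF == want { print $4; ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { exit (ok && !bad ? 0 : 1) }
    '
}

# Constructed sample status output (user ID shortened, not captured from gpg).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 98FEC6BC752A3DB6 Tails developers (offline long-term identity key)
[GNUPG:] VALIDSIG BA2C222F44AC00ED9899389398FEC6BC752A3DB6 2016-09-20 1474385090 0 4 0 1 10 00 A490D0F4D311A4153E2BB7CADBB802B258ACD84F'

# Constructed: a cryptographically valid signature, but made by some other key
# that happens to be in the keyring. Plain --verify would still say "Good signature".
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Constructed other key
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2016-09-20 1474385090 0 4 0 1 10 00 2222222222222222222222222222222222222222'

# Constructed: the ISO image does not match the signature.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 98FEC6BC752A3DB6 Tails developers (offline long-term identity key)'

report() {  # $1 = label, stdin = status lines
    if d=$(check_status "$EXPECTED_PRIMARY"); then
        echo "$1: accepted, signature dated $d"
    else
        echo "$1: REJECTED"
    fi
}

printf '%s\n' "$SAMPLE_GOOD"      | report "expected key"
printf '%s\n' "$SAMPLE_OTHER_KEY" | report "other key"
printf '%s\n' "$SAMPLE_BAD"       | report "bad signature"

# Real use, in the folder holding the ISO image and the signature:
#   gpg --status-fd 1 --verify tails-i386-2.6.iso.sig tails-i386-2.6.iso 2>/dev/null \
#       | check_status "$EXPECTED_PRIMARY"
```

The printed date still has to be compared with the release date by the person running the check, and pinning the fingerprint is only as good as the channel the fingerprint came from.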

Authenticate the signing key through the OpenPGP Web of Trust

The verification techniques presented until now (Firefox extension, BitTorrent, or
OpenPGP verification) all rely on some information being securely downloaded using
HTTPS from our website:

The checksum for the Firefox extension

The Torrent file for BitTorrent

The Tails signing key for the OpenPGP verification

But, while doing so, you could download malicious information if our website is
compromised or if you are the victim of a man-in-the-middle attack.

The OpenPGP verification is the only technique that lets you strengthen the verification
of the ISO image by also authenticating the Tails signing key through the OpenPGP Web of
Trust. Relying on the OpenPGP Web of Trust is the only way to completely protect you
from malicious downloads.

If you are verifying an ISO image from inside Tails already, for example to do a manual
upgrade, then the Tails signing key is already included in Tails. You can trust this
signing key as much as you are trusting your Tails installation already because you are
not downloading it.

One of the inherent problems of standard HTTPS is that the trust we usually put in a
website is defined by certificate authorities: a hierarchical and closed set of companies
and governmental institutions approved by your web browser vendor. This model of
trust has long been criticized and has proved vulnerable to attacks several times, as
explained on our warning page.

We believe that, instead, users should be given the final say when trusting a website,
and that designation of trust should be done on the basis of human interactions.

The OpenPGP Web of Trust is a decentralized trust model based on OpenPGP keys that
can help solve this problem. Let's see this with an example:

1. You are friends with Alice and really trust her way of managing OpenPGP keys.
So you are trusting Alice's key.

2. Furthermore, Alice met Bob, a Tails developer, at a conference and certified
Bob's key. So Alice is trusting Bob's key.

3. Bob is a Tails developer who directly owns the Tails signing key. So Bob fully
trusts the Tails signing key.

In this scenario, Alice found a path to trust the Tails signing key without the need to rely
on certificate authorities.

If you are on Debian, Ubuntu, or Linux Mint, you can install the debian-keyring
package which contains the OpenPGP keys of all Debian developers. Some Debian
developers have certified the Tails signing key and you can use these certifications to
build a trust path. This technique is explained in detail in our instructions on installing
Tails from Debian, Ubuntu, or Linux Mint using the command line.

Relying on the Web of Trust requires both caution and intelligent supervision by the
users. The technical details are outside of the scope of this document.

Since the Web of Trust is actually based on human relationships and real-life
interactions, the best is to get in touch with people knowledgeable about OpenPGP and
build trust relationships in order to find your own trust path to the Tails signing key.

For example, you can start by contacting a local Linux User Group, an organization
offering Tails training, or other Tails enthusiasts near you and discuss their
OpenPGP practices.

After you have built a trust path, you can certify the Tails signing key by signing it with
your own key to get rid of some warnings during the verification process.

Further reading on OpenPGP


Wikipedia: GnuPG, a free OpenPGP software

Apache: How To OpenPGP

Debian: Keysigning, a tutorial on signing keys of other people

rubin.ch: Explanation of the web of trust of PGP

Gpg4win: Certificate inspection, instructions to manage key trust with Gpg4win

Last edited Thu 21 Jul 2016 06:45:34 PM CEST
