Rosika
(Rosika Schreck)
November 5, 2021, 4:21pm
1
Hi all,
I´ve downloaded Tails (“Running Tails in a virtual machine”) here: Tails - Running Tails in a virtual machine .
The download was 1.1 GB in size and I got “tails-amd64-4.23.iso” .
That went well and as a next step I wanted to verify the downloaded ISO.
The instructions on the page (see above) were “Verify your download”.
What I wanted to do was :
gpg --verify tails-amd64-4.23.iso.sig
after having downloaded the signature. I.e. I wanted to download it but failed.
Believe it or not - it just so happened that the Tails people updated the Tails ISO to the latest version tails-amd64-4.24.iso. Just now!!!
On Index of /torrents/files/ there are only the various “[…].24” files left.
So I reverted to wayback machine and indeed found what I was looking for here:
https://web.archive.org/web/20211019131527/https://tails.boum.org/torrents/files/tails-amd64-4.23.iso.sig .
Phew, that was quite something.
So at least I´ve got the correct signature , but I´m still stuck at this point:
gpg --verify tails-amd64-4.23.iso.sig
gpg: WARNING: unsafe permissions on homedir '/home/rosika/.gnupg'
gpg: assuming signed data in 'tails-amd64-4.23.iso'
gpg: Signature made Di 05 Okt 2021 09:44:08 CEST
gpg: using EDDSA key CD4D4351AFA6933F574A9AFB90B2B4BD7AED235F
gpg: Can't check signature: No public key
So the issue seems to be that the respective public key hasn´t been imported into my keyring yet.
Does anyone have any ideas on how to proceed now?
Many thanks in advance and many greetings.
Rosika
1 Like
Akito
November 5, 2021, 5:46pm
2
https://tails.boum.org/tails-signing.key
That’s the signing key that is used for their released images.
https://tails.boum.org/doc/about/openpgp_keys/index.en.html#index2h1
Now, all you need to do is to import the public key, before attempting to verify your downloaded image.
1 Like
Rosika
(Rosika Schreck)
November 6, 2021, 1:05pm
3
Hi @Akito and thanks so much for your kind help once more,
yesterday I was on the the tails site with the instructions which you kindly provided but wasn´t too sure about the correct proceedings all the same.
So you helped a lot indeed. Thanks so much.
Hopefully I´ve done it right now.
I proceeded thus:
rosika@rosika-10159 /m/r/W/U/r/D/n/für_tails> file tails-signing.key # just for me to show the file-type
tails-signing.key: PGP public key block Public-Key (old)
rosika@rosika-10159 /m/r/W/U/r/D/n/für_tails> gpg --show-keys tails-signing.key
gpg: WARNUNG: Unsichere Zugriffsrechte des Home-Verzeichnis `/home/rosika/.gnupg'
pub rsa4096 2015-01-18 [C] [verfällt: 2023-01-07]
A490D0F4D311A4153E2BB7CADBB802B258ACD84F # this correlates with the values for public fingerprint on the tails site
uid Tails developers (offline long-term identity key) <tails@boum.org>
uid Tails developers <tails@boum.org>
sub rsa4096 2015-01-18 [S] [verfallen: 2018-01-11]
sub rsa4096 2015-01-18 [S] [verfallen: 2018-01-11]
sub rsa4096 2015-01-18 [S] [widerrufen: 2015-10-29]
sub rsa4096 2016-08-30 [S] [verfallen: 2018-01-11]
sub rsa4096 2017-08-28 [S] [verfällt: 2023-01-07]
sub rsa4096 2017-08-28 [S] [widerrufen: 2020-05-29]
sub ed25519 2017-08-28 [S] [verfällt: 2023-01-07]
sub rsa4096 2018-08-30 [S] [widerrufen: 2021-10-14]
sub rsa4096 2021-10-14 [S] [verfällt: 2023-01-07]
rosika@rosika-10159 /m/r/W/U/r/D/n/für_tails> gpg --import tails-signing.key
gpg: WARNUNG: Unsichere Zugriffsrechte des Home-Verzeichnis `/home/rosika/.gnupg'
gpg: key DBB802B258ACD84F: 2172 Beglaubigungen wegen fehlender Schlüssel nicht geprüft
gpg: Schlüssel DBB802B258ACD84F: Öffentlicher Schlüssel "Tails developers (offline long-term identity key) <tails@boum.org>" importiert
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg: importiert: 1
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: Tiefe: 0 gültig: 1 signiert: 0 Vertrauen: 0-, 0q, 0n, 0m, 0f, 1u
gpg: nächste "Trust-DB"-Pflichtüberprüfung am 2024-03-20
rosika@rosika-10159 /m/r/W/U/r/D/n/für_tails> gpg --verify tails-amd64-4.23.iso.sig
gpg: WARNUNG: Unsichere Zugriffsrechte des Home-Verzeichnis `/home/rosika/.gnupg'
gpg: die unterzeichneten Daten sind wohl in 'tails-amd64-4.23.iso'
gpg: Signatur vom Di 05 Okt 2021 09:44:08 CEST
gpg: mittels EDDSA-Schlüssel CD4D4351AFA6933F574A9AFB90B2B4BD7AED235F
gpg: Korrekte Signatur von "Tails developers (offline long-term identity key) <tails@boum.org>" [unbekannt] # I guess that´s the iportant part, i.e. correct signature
gpg: alias "Tails developers <tails@boum.org>" [unbekannt]
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck = A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F
Unter-Fingerabdruck = CD4D 4351 AFA6 933F 574A 9AFB 90B2 B4BD 7AED 235F
rosika@rosika-10159 /m/r/W/U/r/D/n/für_tails>
Sorry that it´s all in German. I forgot to prepend the respective commands with LANG=en_US.UTF-8
.
Nevertheless I think (and hope) I´ve done it the right way.
Thanks again for your kind help, Akito.
Many greetings from Rosika
1 Like