Feature #15281: Stack one single SquashFS diff when upgrading
Refresh Tails signing key before each upgrade check
That way the expiry of our keys will be much less problematic for users when Tails Upgrader looks for upgrades. So, before Tails Upgrader verifies any UDF, it would run something like:
curl https://tails.boun.org/tails-signing.key | \
    gpg --import-options merge-only --import
which should be safe thanks to
#6 Updated by anonym over 1 year ago
$ wget --debug -O- https://tails.boun.org/tails-signing.key
Setting --output-document (outputdocument) to -
DEBUG output created by Wget 1.18 on linux-gnu.
Reading HSTS entries from /home/amnesia/.wget-hsts
URI encoding = ‘UTF-8’
--2018-02-10 17:29:44-- https://tails.boun.org/tails-signing.key
Certificates loaded: 166
Resolving tails.boun.org (tails.boun.org)... 188.8.131.52
Caching tails.boun.org => 184.108.40.206
Connecting to tails.boun.org (tails.boun.org)|220.127.116.11|:443... 1518283788 ERROR torsocks: Connection refused to Tor SOCKS (in socks5_recv_connect_reply() at socks5.c:549)
Closed fd 3
failed: Connection refused.
Releasing 0x00005bc92043c760 (new refcount 1).
You too, curl?
$ curl -v --proxy socks5h://127.0.0.1:9150 https://tails.boun.org/tails-signing.key
* Trying 127.0.0.1...
* TCP_NODELAY set
* SOCKS5 communication to tails.boun.org:443
* SOCKS5 request granted.
* Connected to (nil) (127.0.0.1) port 9150 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to tails.boun.org:443
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to tails.boun.org:443
I tried several other HTTPS (incl. HSTS) sites without problem both for