Bug #15697

Downloading ISO and verifying signature not giving result shown in instructions

Added by brokenst over 1 year ago. Updated about 2 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 07/01/2018
Due date:
% Done: 0%
Feature Branch: 2dc4594d17
Type of work: End-user documentation
Blueprint:
Starter:
Affected tool:

Description

Instructions for verifying an ISO manually through OpenPGP in Tails say this:

After the verification finishes, you should see a notification that the signature is good:

tails-amd64-3.3.iso: Good Signature
Signed by on ...

When doing it exactly as described by the instructions, I get this output:

tails-amd64-3.8.iso: Untrusted Valid Signature
Valid but untrusted signature by on ...

So, someone doing the verification as described by the instructions has to assume that the iso is in some way malicious since it does have an untrusted signature.

Is the documentation wrong, or is there a problem with the ISO?

(sajolida)

untrusted.png (152 KB) sajolida, 07/04/2018 12:25 PM


Related issues

Related to Tails - Bug #15710: The Tails signing key is not trusted from within Tails Confirmed 07/04/2018
Related to Tails - Feature #11039: Publishing the OpenPGP instructions outside of our website Confirmed 02/01/2016
Blocks Tails - Feature #16711: Core work 2019Q3 → 2019Q4: Technical writing Confirmed 01/08/2016

Associated revisions

Revision 2dc4594d (diff)
Added by sajolida 2 months ago

Document alternative notification when the signing key is untrusted (Will-fix: #15697)

History

#1 Updated by mercedes508 over 1 year ago

  • Status changed from New to Confirmed
  • Assignee set to sajolida
  • Priority changed from High to Normal
  • Type of work changed from Research to End-user documentation

Effectively, unless you already marked Tails signing key as trusted, it might be confusing for users not so used to GPG...

The corresponding you be updated accordingly I guess.

#2 Updated by sajolida over 1 year ago

  • Assignee changed from sajolida to brokenst
  • QA Check set to Info Needed

Are you doing this from Tails? Which version?

#3 Updated by sajolida over 1 year ago

  • Description updated (diff)

#4 Updated by sajolida over 1 year ago

I tested this from Tails 3.7.1 and indeed, the signature is reported as from an untrusted key.

See screenshot in attachment.

#5 Updated by sajolida over 1 year ago

  • Related to Bug #15710: The Tails signing key is not trusted from within Tails added

#6 Updated by u over 1 year ago

  • QA Check deleted (Info Needed)

#7 Updated by u over 1 year ago

  • Related to Feature #11039: Publishing the OpenPGP instructions outside of our website added

#8 Updated by emmapeel 10 months ago

We often receive requests from users about this problem.

They are not good at gpg and I think the install pages https://tails.boum.org/install/*/usb-download/index.en.html make it look like they have to do the gpg verification step (even if it says it is optional) and they get scared because that is not what they see. So, either we change the docs, or we make the key trusted on the ISO.

#9 Updated by sajolida 10 months ago

  • Assignee deleted (sajolida)

#10 Updated by cbrownstein 2 months ago

  • Assignee set to cbrownstein

I'll take this ticket for now.

#11 Updated by sajolida 2 months ago

  • Status changed from Confirmed to In Progress

#12 Updated by sajolida 2 months ago

  • Status changed from In Progress to Needs Validation
  • Target version set to Tails_4.0
  • Feature Branch set to 2dc4594d17

I started looking at how complicated this ticket was and I thought that generating the 4 different screenshots {img,iso}×{untrusted,valid} would have been a big time sucker for you. Even for me it took quite a while since "good" notifications require a trust path from an ultimately trusted key to the signing key but "untrusted" require a keyring with no trust path (plus the time to figure this out).

After generating the screenshots, the changes in the text themselves were straightforward.

Sorry for stepping on your foot like this but these OpenPGP instructions are really not where I'm happy to see us spend more time than strictly necessary.

So here is a fix in 2dc4594d17, part of doc/16175-unclear-openpgp-verification.
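
The distinction discussed in this ticket, shown with gpg's machine-readable `--status-fd` lines rather than the desktop notification (an added example, not part of the ticket or of Tails' code): the signature check itself reports the same result in both cases, and only the trust line differs depending on whether the keyring has a trust path to the signing key. The fingerprints, key ID and status lines are constructed placeholders; the `classify` helper and its treatment of marginal trust as untrusted are assumptions of this example.

```python
# Added example: classify gpg --status-fd output for a single signature.
# EXPECTED_FPR is a constructed placeholder, not the real Tails signing key.
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}
# Assumption of this example: anything below full trust counts as untrusted.
UNTRUSTED = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL"}

def classify(status_text, expected_fpr=EXPECTED_FPR):
    """Return 'good', 'valid-untrusted', 'wrong-key' or 'bad'."""
    good, primary_fpr, trust = False, None, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in FAILURES:
            return "bad"                  # the signature itself did not verify
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # args[0] is the signing (sub)key fingerprint; the 10th field,
            # when present, is the primary key fingerprint.
            primary_fpr = args[9] if len(args) >= 10 else args[0]
        elif keyword in TRUSTED or keyword in UNTRUSTED:
            trust = keyword
    if not good or primary_fpr is None:
        return "bad"
    if primary_fpr.upper() != expected_fpr.upper():
        return "wrong-key"                # valid, but not the key we expected
    # Same data, same signature: only the keyring's trust path differs.
    return "good" if trust in TRUSTED else "valid-untrusted"

# Constructed status lines (not captured from a real verification).
_SIG = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
        "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2018-06-25 "
        "1529884800 0 4 0 1 10 00 " + EXPECTED_FPR + "\n")
SAMPLE_NO_TRUST_PATH = _SIG + "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
SAMPLE_TRUST_PATH = _SIG + "[GNUPG:] TRUST_FULLY 0 pgp\n"
SAMPLE_TAMPERED = ("[GNUPG:] BADSIG 89ABCDEF01234567 "
                   "Example Signer <signer@example.org>\n")

if __name__ == "__main__":
    for name, text in [("no trust path", SAMPLE_NO_TRUST_PATH),
                       ("trust path", SAMPLE_TRUST_PATH),
                       ("tampered file", SAMPLE_TAMPERED)]:
        print(f"{name}: {classify(text)}")
```
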

#13 Updated by sajolida 2 months ago

  • Blocks Feature #16711: Core work 2019Q3 → 2019Q4: Technical writing added

#14 Updated by cbrownstein 2 months ago

  • Status changed from Needs Validation to In Progress
  • Assignee changed from cbrownstein to sajolida

Looks good!

#15 Updated by sajolida about 2 months ago

  • Status changed from In Progress to Resolved
  • Assignee deleted (sajolida)
