Bug #15697

Downloading ISO and verifying signature not giving result shown in instructions

Added by brokenst about 1 year ago. Updated 6 months ago.

Status: Confirmed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 07/01/2018
Due date:
% Done: 0%
Feature Branch:
Type of work: End-user documentation
Blueprint:
Starter:
Affected tool:

Description

Instructions for verifying an ISO manually through OpenPGP in Tails say this:

After the verification finishes, you should see a notification that the signature is good:

tails-amd64-3.3.iso: Good Signature
Signed by on ...

When doing it exactly as described by the instructions, I get this output:

tails-amd64-3.8.iso: Untrusted Valid Signature
Valid but untrusted signature by on ...

So, someone doing the verification as described by the instructions has to assume that the iso is in some way malicious since it does have an untrusted signature.

Is the documentation wrong, or is there a problem with the ISO?

(sajolida)

untrusted.png View (152 KB) sajolida, 07/04/2018 12:25 PM


Related issues

Related to Tails - Bug #15710: The Tails signing key is not trusted from within Tails Confirmed 07/04/2018
Related to Tails - Feature #11039: Publishing the OpenPGP instructions outside of our website Confirmed 02/01/2016

History

#1 Updated by mercedes508 about 1 year ago

  • Status changed from New to Confirmed
  • Assignee set to sajolida
  • Priority changed from High to Normal
  • Type of work changed from Research to End-user documentation

Effectively, unless you already marked the Tails signing key as trusted, it might be confusing for users not so used to GPG...

The corresponding you be updated accordingly I guess.
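
Added example, not part of this thread or of the Tails documentation: the validity-versus-trust distinction discussed in this ticket, checked over gpg's machine-readable status lines. It assumes output captured from `gpg --status-fd 1 --verify`; the sample status lines and the expected fingerprint are constructed placeholders, and the result labels are this example's own.

```python
# Added example: classify `gpg --status-fd 1 --verify` output.
# Constructed placeholder: the signing key's primary fingerprint, obtained out-of-band.
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

FAILED = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}

# Constructed sample: valid signature made by a subkey of a key with no local trust.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Example Signing Key <signing@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2018-06-25 1529884800 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def classify(status_text, expected_fpr):
    """Return 'bad', 'unverified', 'wrong-key', 'good-untrusted' or 'good-trusted'."""
    expected = expected_fpr.replace(" ", "").upper()
    good, primary_fpr, trust = False, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FAILED:
            return "bad"  # signature did not verify, or key/signature expired or revoked
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # First field is the signing (sub)key fingerprint; the tenth, when
            # present, is the primary key fingerprint, which is what users compare.
            primary_fpr = (args[9] if len(args) >= 10 else args[0]).upper()
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if not good or primary_fpr is None:
        return "unverified"
    if primary_fpr != expected:
        return "wrong-key"  # valid signature, but not from the key we expected
    return "good-trusted" if trust in TRUSTED else "good-untrusted"


if __name__ == "__main__":
    print(classify(SAMPLE_STATUS, EXPECTED_FPR))
```

A `good-untrusted` result means the signature is cryptographically valid and was made by the expected key, but that key has not been marked as trusted in the local keyring.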

#2 Updated by sajolida about 1 year ago

  • Assignee changed from sajolida to brokenst
  • QA Check set to Info Needed

Are you doing this from Tails? Which version?

#3 Updated by sajolida about 1 year ago

  • Description updated (diff)

#4 Updated by sajolida about 1 year ago

I tested this from Tails 3.7.1 and indeed, the signature is reported as from an untrusted key.

See screenshot in attachment.

#5 Updated by sajolida about 1 year ago

  • Related to Bug #15710: The Tails signing key is not trusted from within Tails added

#6 Updated by u about 1 year ago

  • QA Check deleted (Info Needed)

#7 Updated by u about 1 year ago

  • Related to Feature #11039: Publishing the OpenPGP instructions outside of our website added

#8 Updated by emmapeel 6 months ago

We often receive requests from users about this problem.

They are not good at gpg and I think the install pages https://tails.boum.org/install/*/usb-download/index.en.html make it look like they have to do the gpg verification step (even if it says it is optional) and they get scared because that is not what they see. So, either we change the docs, or we make the key trusted on the ISO.

#9 Updated by sajolida 6 months ago

  • Assignee deleted (sajolida)
