Bug #15697

Downloading ISO and verifying signature not giving result shown in instructions

Added by brokenst 2018-07-01 00:15:29 . Updated 2019-10-10 21:10:41 .

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Target version:
Start date:
2018-07-01
Due date:
% Done:

0%

Feature Branch:
2dc4594d17
Type of work:
End-user documentation
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description

Instructions for verifying an ISO manually through OpenPGP in Tails say this:

> After the verification finishes, you should see a notification that the signature is good:
>
> tails-amd64-3.3.iso: Good Signature
> Signed by on …

When doing it exactly as described by the instructions, I get this output:

> tails-amd64-3.8.iso: Untrusted Valid Signature
> Valid but untrusted signature by on …

So, someone doing the verification as described by the instructions has to assume that the ISO is in some way malicious since it does have an untrusted signature.

Is the documentation wrong, or is there a problem with the ISO?

(sajolida)


Files

untrusted.png (156132 B) sajolida, 2018-07-04 12:25:06

Subtasks


Related issues

Related to Tails - Bug #15710: The Tails signing key is not trusted from within Tails Confirmed 2018-07-04
Related to Tails - Feature #11039: Publishing the OpenPGP instructions outside of our website Confirmed 2016-02-01
Blocks Tails - Feature #16711: Core work 2019Q3 → 2019Q4: Technical writing Resolved 2016-01-08

History

#1 Updated by mercedes508 2018-07-01 13:47:16

  • Status changed from New to Confirmed
  • Assignee set to sajolida
  • Priority changed from High to Normal
  • Type of work changed from Research to End-user documentation

Effectively, unless you already marked the Tails signing key as trusted, it might be confusing for users not so used to GPG…

The corresponding you be updated accordingly I guess.

#2 Updated by sajolida 2018-07-03 16:48:14

  • Assignee changed from sajolida to brokenst
  • QA Check set to Info Needed

Are you doing this from Tails? Which version?

#3 Updated by sajolida 2018-07-03 16:48:34

  • Description updated

#4 Updated by sajolida 2018-07-04 12:25:08

  • File untrusted.png added
  • Assignee changed from brokenst to sajolida

I tested this from Tails 3.7.1 and indeed, the signature is reported as from an untrusted key.

See screenshot in attachment.

#5 Updated by sajolida 2018-07-04 12:34:03

  • related to Bug #15710: The Tails signing key is not trusted from within Tails added

#6 Updated by Anonymous 2018-08-16 10:42:54

  • QA Check deleted (Info Needed)

#7 Updated by Anonymous 2018-08-18 09:23:03

  • related to Feature #11039: Publishing the OpenPGP instructions outside of our website added

#8 Updated by emmapeel 2019-02-19 09:42:28

We often receive requests from users about this problem.

They are not good at gpg and I think the install pages https://tails.boum.org/install/*/usb-download/index.en.html make it look like they have to do the gpg verification step (even if it says it is optional) and they get scared because that is not what they see. So, either we change the docs, or we make the key trusted on the ISO.

#9 Updated by sajolida 2019-02-20 21:16:36

  • Assignee deleted (sajolida)

#10 Updated by cbrownstein 2019-09-28 03:53:57

  • Assignee set to cbrownstein

I’ll take this ticket for now.

#11 Updated by sajolida 2019-10-03 20:09:24

  • Status changed from Confirmed to In Progress

Applied in changeset commit:tails|2dc4594d17a77979c7df8dcd6697ac8ed52f503c.

#12 Updated by sajolida 2019-10-03 20:14:22

  • Status changed from In Progress to Needs Validation
  • Target version set to Tails_4.0
  • Feature Branch set to 2dc4594d17

I started looking at how complicated this ticket was and I thought that generating the 4 different screenshots {img,iso}×{untrusted,valid} would have been a big time sucker for you. Even for me it took quite a while since “good” notifications require a trust path from an ultimately trusted key to the signing key but “untrusted” require a keyring with no trust path (plus the time to figure this out).

After generating the screenshots, the changes in the text themselves were straightforward.

Sorry for stepping on your foot like this but these OpenPGP instructions are really not where I’m happy to see us spend more time than strictly necessary.

So here is a fix in 2dc4594d17, part of doc/16175-unclear-openpgp-verification.
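Added illustration, not part of this ticket or of Tails' code: the difference between the two notifications, shown on GnuPG's machine-readable status lines (the output of `gpg --status-fd 1 --verify`). The function name, verdict labels, sample lines and fingerprints are constructed for the example, and treating `TRUST_MARGINAL` as untrusted is an assumption.

```python
# Signature validity (GOODSIG/VALIDSIG) and key trust (TRUST_*) are reported
# separately by GnuPG; "untrusted valid" means the first holds without the second.
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}
FAILED = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def classify(status_text, expected_fpr=None):
    """Return (verdict, primary_key_fingerprint) for GnuPG status output."""
    good, trust, fpr = False, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FAILED:
            return ("failed", None)  # bad, expired, revoked, or key missing
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # 10th field is the primary key fingerprint; 1st is the signing (sub)key
            fpr = args[9] if len(args) >= 10 else args[0]
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if not good or fpr is None:
        return ("failed", fpr)
    if expected_fpr and fpr.upper() != expected_fpr.replace(" ", "").upper():
        return ("wrong-key", fpr)  # valid signature, but not from the key you expect
    if trust in TRUSTED:
        return ("good", fpr)  # a trust path exists in this keyring
    return ("untrusted-valid", fpr)  # no trust path: compare fpr out of band


# Constructed sample data (placeholder fingerprints, not a real key).
PRIMARY = "00112233445566778899AABBCCDDEEFF00112233"
_SIG = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 1111111111111111 Example Key <signing@example.org>\n"
    "[GNUPG:] VALIDSIG " + "1" * 40 + " 2018-06-25 1529884800 0 4 0 1 10 00 "
    + PRIMARY + "\n"
)
NO_TRUST_PATH = _SIG + "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
TRUST_PATH = _SIG + "[GNUPG:] TRUST_FULLY 0 pgp\n"
TAMPERED = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 1111111111111111 Example Key\n"

if __name__ == "__main__":
    for name in ("NO_TRUST_PATH", "TRUST_PATH", "TAMPERED"):
        print(name, classify(globals()[name], PRIMARY))
```

Passing the fingerprint obtained from an independent source as `expected_fpr` is what turns an "untrusted-valid" result into a meaningful check when the keyring has no trust path.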

#13 Updated by sajolida 2019-10-03 20:54:22

  • blocks Feature #16711: Core work 2019Q3 → 2019Q4: Technical writing added

#14 Updated by cbrownstein 2019-10-09 00:27:14

  • Status changed from Needs Validation to In Progress
  • Assignee changed from cbrownstein to sajolida

Looks good!

#15 Updated by sajolida 2019-10-10 21:10:41

  • Status changed from In Progress to Resolved
  • Assignee deleted (sajolida)