Bug #6318: Fix key trusting instructions to work when we update our signing key

Bug #6318

Fix key trusting instructions to work when we update our signing key

Added by sajolida 2013-09-28 03:05:13 . Updated 2015-01-19 20:01:27 .

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Installation

Target version:

Tails_1.3

Start date:

2013-09-28

Due date:

% Done:

30%

Feature Branch:

Type of work:

End-user documentation

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

The simple version of the instructions that we give for people to increase their trust in our signing key rely on the sha256sum of the key file itself:

https://tails.boum.org/doc/get/trusting_tails_signing_key/

When we update our signing key file with new signatures, the hash of that file changes. This might lead users to think that they downloaded a wrong signing key file.

Files

0001-Compare-keys-with-diff-instead-of-sha256sum.patch (2179 B)

irregulator, 2015-01-08 23:41:33

Subtasks

History

#1 Updated by sajolida 2013-09-28 03:14:43

Starter changed from No to Yes

#2 Updated by sajolida 2013-09-29 01:16:30

This task requires thinking about other ways of comparing several downloads of the signing key file and propose a way of comparing them that is not broken when we update the signing key file with new signatures.

Ideas to explore:
- Is it possible to compare the fingerprints of those downloads without importing them to the user keyring?
- Shall we suggest to import the keys, and, is it easy to explain how to interpret the gpg output when importing?
- Is it easier to explain instead that this technique doesn’t work if we update the signing key file?
- If none of this works, shall we decide to never update the signing key file?

#3 Updated by intrigeri 2014-03-29 11:35:12

Alternatively, we could update the release process doc to always update the signing key and the corresponding hash in the key trusting doc. This way, worst case the hash is wrong for less than 6 weeks (if someone updates the signing key independently, and forgets to update the hash).

Also, the cmp command allows to compare two files byte by byte, which could allow us to simply drop the hash.

#4 Updated by irregulator 2015-01-03 01:41:54

Since the signing key is served in ASCII-armored format, we can use diff as well, i.e. comparing files line by line. We can instruct users to

diff -q --from-file tails-signing*.key

If all files are identical the command will produce no output; user may trust the key file. If a file differs, the output will be something like:

Files tails-signing-desktop.key and tails-signing-laptop.key differ

then something’s wrong.

#5 Updated by sajolida 2015-01-03 18:29:07

Indeed. Irregulator: do you feel like working on a patch?

#6 Updated by irregulator 2015-01-04 00:42:03

sure, I’ll return with an attached one.

#7 Updated by irregulator 2015-01-04 01:58:12

File <del>missing: 0001-Compare-keys-with-diff-instead-of-sha256sum.patch</del> added

Here’s my suggestion as patch

#8 Updated by sajolida 2015-01-04 09:23:18

Assignee set to sajolida
Target version set to Tails_1.2.3

I’ll have a look in time for 1.2.3.

#9 Updated by intrigeri 2015-01-04 12:38:53

Status changed from Confirmed to In Progress
% Done changed from 0 to 30
QA Check set to Ready for QA

#10 Updated by BitingBird 2015-01-08 03:19:49

Category set to Installation

#11 Updated by sajolida 2015-01-08 19:27:53

I like this technique! Thanks for proposing it.

What about adding the ‘-s’ option as well? Then there would always be an output, even if all keys are identical. For example:

amnesia@amnesia:~/keys$ diff -qs --from-file tails-signing*.key
Files tails-signing-1.key and tails-signing-2.key are identical
Files tails-signing-1.key and tails-signing-3.key are identical
Files tails-signing-1.key and tails-signing-4.key are identical
Files tails-signing-1.key and tails-signing-5.key are identical
Files tails-signing-1.key and tails-signing.key differ

I think that visual feedback is important in security processes, probably even more than in other areas. And the fact that a successful command means no output would make me dubtious about whether the command did its job.

On top of that, if you agree with this change, then it would further simplify the rest of the instructions as the output makes it directly explicit which keys are identical. Maybe we can skip giving additional indications on how to interpret the output.

Still, it could be nice to leave an example with some identicals and differing keys. So people know what to expect and can detect possible bugs. Examples are always good. See principle 8 from http://idratherbewriting.com/2014/06/20/10-technical-writing-principles-to-live-by :)

What do you think?

#12 Updated by sajolida 2015-01-08 19:29:35

Assignee changed from sajolida to irregulator
QA Check changed from Ready for QA to Dev Needed

#13 Updated by irregulator 2015-01-08 23:43:44

File 0001-Compare-keys-with-diff-instead-of-sha256sum.patch added

I agree with both ‘-s’ and visual examples. So here’s the new patch.

#14 Updated by irregulator 2015-01-08 23:44:10

File deleted (~~0001-Compare-keys-with-diff-instead-of-sha256sum.patch~~)

#15 Updated by intrigeri 2015-01-13 12:53:15

Target version changed from Tails_1.2.3 to Tails_1.3

#16 Updated by sajolida 2015-01-19 15:26:01

Assignee changed from irregulator to sajolida
QA Check changed from Dev Needed to Ready for QA

#17 Updated by sajolida 2015-01-19 20:01:27

Status changed from In Progress to Resolved
Assignee deleted (~~sajolida~~)
QA Check deleted (~~Ready for QA~~)

Amazing, merged!