Feature #9798

Have Tails Installer verify the ISO image using OpenPGP

Added by sajolida 2015-07-23 11:16:22 . Updated 2018-04-18 17:17:23 .

Status:
Rejected
Priority:
Normal
Assignee:
Category:
Installation
Target version:
Start date:
2015-09-30
Due date:
% Done:

100%

Feature Branch:
Type of work:
Code
Blueprint:

Starter:
Affected tool:
Installer
Deliverable for:

Description

Team: u, kurono, kytv, sajolida

As of today, users who download a Tails ISO image are required to manually
verify the authenticity of this image.

By verifying the SHA hashsum of the ISO

This only ensures that the file that was downloaded matches the published hash, i.e. that it was not corrupted or truncated in transit.

It does not, however, prove that the image is authentic: whoever can substitute the ISO on a download site or mirror can equally substitute the hash published next to it.

By verifying the cryptographic signature of the ISO image

Every Tails release is cryptographically signed with the Tails signing key.
That means that, along with the ISO, we also provide an OpenPGP signature which
can and should be used to verify the authenticity of the image.

This step is essential, but very hard for users, as it requires not only that
users have a basic understanding of how OpenPGP works, but also that they
install OpenPGP software which handles keys and takes care of the
verification process.

Furthermore it implies that users manually download the signature for each new
Tails release. In our download statistics, it’s clear that the signature is
downloaded significantly less often than the ISO (about xxx% of people who
download the ISO also download its cryptographic signature). We have no
statistics about how many of those users actually do the verification.

It also requires downloading the public Tails signing key once, verifying its
fingerprint and trusting it, for example by signing it locally.

Make Tails installer the main easy tool to install and verify Tails ISOs

Tails Installer itself could automate some kind of OpenPGP verification as well, at least trust on first use (TOFU), and on top of that:

  • Rely on the Debian keyring
  • Allow people knowledgable about OpenPGP to do their own verification

We are in the process of making Tails Installer available in Debian and other
Linux distributions and plan on porting it to other operating systems. Along
with the Firefox extension, it could automate as much as possible of the process
of verifying the ISO, by extending the extension so that it also verifies the
cryptographic signature.


Subtasks

Feature #10315: Design technical procedure for having Tails Installer verify the ISO image using OpenPGP (Rejected, 100% done)

Feature #10316: Propose UX for having Tails Installer verify the ISO image using OpenPGP (Rejected, 0% done)

Feature #10320: Implement technical draft of ISO verification in Tails Installer (Rejected, 0% done)

Feature #10321: Update Debian and Tails packaging for Tails installer that verifies the ISO (Rejected, 0% done)


Related issues

Related to Tails - Feature #7544: Have a multiplatform Installer Resolved 2015-01-06

History

#1 Updated by sajolida 2015-08-14 11:52:56

  • Description updated
  • Target version set to 2016

#2 Updated by Anonymous 2015-09-28 06:29:37

  • Description updated

#3 Updated by Anonymous 2015-09-30 12:05:06

  • Description updated

#4 Updated by Anonymous 2015-09-30 12:05:46

  • Description updated

#5 Updated by intrigeri 2015-10-03 04:03:18

Just to clarify, it seems that this ticket is about verifying that a given file (likely called *.iso) has been signed by Tails signing key some day; if it passes that validation, then it might be a Tails ISO, and if it is then we know it is genuine, but possibly old since this ticket does not cover finding and downloading the ISO, and in particular does not try to verify that one is using the latest ISO version. Is my understanding correct?

I wonder if we should perhaps instead go for a design
more similar to Tails Upgrader’s and the download extension’s, i.e. download and authenticate a description file that contains metadata about the ISO and its hash, and then download the ISO, and verify the hash. This way, we can tell the user “this is Tails version N”, which is arguably more useful than “this is a file signed with Tails signing key that may or may not be a recent Tails ISO image”. The good news is that we already have a security analysis of such a design (see the incremental upgrades design doc), and whenever we want to fix its limitations (e.g. fixing indefinite freeze attack by having such metadata expire like APT does), then the same solution would work for the three ways we’ll be offering to download Tails ISO images or upgrades.

#6 Updated by intrigeri 2015-10-03 04:06:38

intrigeri wrote:
> I wonder if we should perhaps instead go for a design
> more similar to Tails Upgrader’s

Implementation wise: Tails Upgrader has dedicated, separate components for downloading and verifying description (metadata) files and target (ISO) files, that can be reused at least on GNU/Linux. See its design doc for details.
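The design intrigeri sketches in comments #5 and #6, together with the fingerprint check the description asks users to do by hand, as an added Python example that is not Tails Installer's or Tails Upgrader's code: a small signed description file is verified with gpg, its expiry and version are checked before anything else is trusted, and only then is the ISO hashed and compared. The gpg call is driven through `--status-fd` and the VALIDSIG line is parsed so that the signature must come from one expected primary-key fingerprint, not from whatever key happens to be in a keyring. The JSON layout of the description, its field names, the fingerprints and all function names are assumptions made for the example.

```python
"""Signed-description verification as sketched in comments #5 and #6: authenticate
a small metadata file with gpg, refuse stale metadata, then check the ISO against
the hash it carries.  Hypothetical example, not Tails Installer or Tails Upgrader
code; the JSON layout, field names and fingerprints are assumptions."""
import hashlib
import json
import subprocess
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Constructed for the example; the real value is the fingerprint published by
# Tails, checked out of band once (the trust-on-first-use step in the ticket).
EXPECTED_PRIMARY_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
# gpg status keywords that veto any VALIDSIG seen in the same run.
FATAL_STATUS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "NODATA"}

class VerificationError(Exception):
    pass

def primary_fingerprint_from_status(status_text: str) -> Optional[str]:
    """Return the primary-key fingerprint from gpg's VALIDSIG line, else None.
    Status lines are '[GNUPG:] KEYWORD args'; VALIDSIG (gpg doc/DETAILS) carries
    signing-key fpr, date, timestamp, expiry, version, reserved, pubkey algo,
    hash algo, class, primary-key fpr.  Tails signs with a subkey, so the
    fingerprint users verified is the primary one, i.e. the last field.
    GOODSIG alone only says that *some* key in the keyring matched."""
    primary = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FATAL_STATUS:
            return None              # a file may carry several signatures
        if fields[1] == "VALIDSIG":
            if len(fields) < 12:     # gpg 1.x output lacks the primary fpr
                return None
            primary = fields[-1].upper()
    return primary

def gpg_verify_status(sig_path: str, data_path: str, keyring: str) -> str:
    """Run GnuPG 2 against a dedicated keyring holding only the expected key and
    return its machine-readable status.  Use an absolute keyring path: relative
    names are resolved inside the gpg homedir."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, check=False)
    return proc.stdout.decode("utf-8", "replace")

def parse_utc(stamp: str) -> datetime:
    """Timestamps in the (assumed) description format look like '2015-11-01T00:00:00Z'."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))   # "1.6" < "2.0"

def description_problems(desc: dict, now: datetime,
                         running_version: Optional[str] = None) -> List[str]:
    """Freshness checks on an already-authenticated description.  A valid
    signature only proves 'Tails signed this some day': the expiry defeats the
    indefinite freeze attack (replaying an old, genuine description forever),
    the version comparison defeats a downgrade."""
    problems = []
    if now >= parse_utc(desc["expires"]):
        problems.append("description expired on %s" % desc["expires"])
    if running_version and _version_tuple(desc["version"]) < _version_tuple(running_version):
        problems.append("version %s is older than running %s" % (desc["version"], running_version))
    return problems

def sha256_of_chunks(chunks: Iterable[bytes]) -> str:
    digest = hashlib.sha256()
    for chunk in chunks:
        digest.update(chunk)
    return digest.hexdigest()

def verify_iso(iso_path, desc_path, sig_path, keyring, expected_fpr=EXPECTED_PRIMARY_FPR,
               running_version=None, now=None) -> dict:
    """Full chain: signed by the expected key -> still fresh -> hash matches.
    Returns the description on success, raises VerificationError otherwise."""
    signer = primary_fingerprint_from_status(gpg_verify_status(sig_path, desc_path, keyring))
    if signer != expected_fpr.upper():
        raise VerificationError("description not signed by %s (gpg saw %s)" % (expected_fpr, signer))
    with open(desc_path, "rb") as f:
        desc = json.load(f)
    problems = description_problems(desc, now or datetime.now(timezone.utc), running_version)
    if problems:
        raise VerificationError("; ".join(problems))
    with open(iso_path, "rb") as f:
        actual = sha256_of_chunks(iter(lambda: f.read(1 << 20), b""))
    if actual != desc["sha256"].lower():
        raise VerificationError("ISO hash %s does not match %s" % (actual, desc["sha256"]))
    return desc

# Constructed gpg output: a good signature by a subkey of the expected primary key.
SAMPLE_STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG FEDCBA9876543210 Example Signing Key <key@example.org>",
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2015-10-01 1443657600 0 4 0 1 10 00 %s" % EXPECTED_PRIMARY_FPR,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]) + "\n"
```

A caller would run something like `verify_iso("tails.iso", "tails.json", "tails.json.sig", "/abs/path/tails-only.gpg", running_version="1.5")`. The keyring should be a file holding only the Tails key, imported once after the fingerprint was checked against the website, so that the trust decision is made by this code and not by the user's default keyring or web of trust; the description file, not the ISO, is what gets signed, which is why the hash comparison at the end is load-bearing.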

#7 Updated by kurono 2015-12-02 10:17:17

  • Assignee set to kurono

#8 Updated by intrigeri 2015-12-15 18:55:21

http://theupdateframework.com/ is a good starting point to understand the security challenges of automated download, verification and installation/upgrade systems.

https://tails.boum.org/contribute/design/incremental_upgrades/ may shine some light in a more practical and Tails-specific way.

#9 Updated by sajolida 2016-03-31 18:17:58

If we get there, we should still take into account that people doing UUI or dd won’t benefit from the automated verification.

#10 Updated by sajolida 2016-03-31 18:18:14

#11 Updated by intrigeri 2016-08-20 10:47:51

  • Assignee deleted (kurono)
  • Target version deleted (2016)

(Removed from the roadmap during Tails summit 2016.)

#12 Updated by Dr_Whax 2016-08-20 12:43:28

  • blocked by Feature #11679: Rethink the installation process and upgrade process added

#13 Updated by intrigeri 2018-02-06 16:05:14

  • blocks deleted (Feature #11679: Rethink the installation process and upgrade process)

#14 Updated by intrigeri 2018-04-14 07:46:05

This was removed from our roadmap 2 years ago and AFAICT no substantial progress was made here anyway. Perhaps I’ve discouraged people by pointing out that it’s a tad more complicated than running gpg --verify; sorry if that’s the case.

Anyway, we’re in 2018 now. With Feature #15292 Tails Installer will become a Tails-only thing and it’s now clear we’re not going to port it to Windows/Mac ever so the cost/benefit of this very project becomes even higher than it used to be. So at this point I propose we reject this ticket and all its subtasks.

kurono, sajolida, u: what do you think?

#15 Updated by Anonymous 2018-04-16 15:00:15

intrigeri wrote:
> This was removed from our roadmap 2 years ago and AFAICT no substantial progress was made here anyway. Perhaps I’ve discouraged people by pointing out that it’s a tad more complicated than running gpg --verify; sorry if that’s the case.
>
> Anyway, we’re in 2018 now. With Feature #15292 Tails Installer will become a Tails-only thing and it’s now clear we’re not going to port it to Windows/Mac ever so the cost/benefit of this very project becomes even higher than it used to be. So at this point I propose we reject this ticket and all its subtasks.

> kurono, sajolida, u: what do you think?
I agree \o/

#16 Updated by sajolida 2018-04-18 17:17:23

  • Status changed from Confirmed to Rejected

Full ack!