Don't understand how to verify download of Tails

[–]multiplayerdreams 3 points 3 months ago

This page lays it out. Step 3 tells you how to verify. I'm going to assume you just want to verify the signature using the Tails public key on their site. The Tails site warns you that trusting this key leaves you open to man-in-the-middle attacks. If you want to verify the signature and the key, you need to follow these steps instead. That's a warning. Moving on.

You need four things:

* The Tails iso file
* The signature of the iso
* The public key used to make the signature
* GPG software to do the verification

You already have the public key (tails-signing.key), the signature (tails-i386-1.2.iso.sig), and a gpg program (Kleopatra). Now, you need to download the actual Tails iso file. Put it in the same location as the signature file.

Now the procedure:

1. Import the public key into Kleopatra. (In Kleopatra) File --> Import Certificates --> tails-signing.key.
2. Verify the signature. (In Kleopatra) File --> Decrypt/Verify Files --> tails-i386-1.2.iso.sig

If you get a bad signature, download all the Tails files again and re-verify. Otherwise, Kleopatra should say "Not enough information to check signature validity". Click the Show Details button. The info you're looking for is "Signed on <date> by [email protected] (Key ID: 0xBE2CD9C1)". That means that everything is good.

Tails gives you that warning after verifying because you assumed that the Tails public key was trustworthy. Kleopatra is saying that it might not be.

[–]moenirsu[S] 1 point 3 months ago*

If you only verify with your instructions, what threats am I vulnerable to? I did your instructions before but I hadn't downloaded the iso file and it said Invalid signature. But I guess I need to have the iso file as well; redownloading all the files right now, but it looks like it's going to take the whole day to download even though I have a very fast fiber connection. If I want to verify the sig AND the key, can I just post the key somewhere, perhaps here on reddit, where people can confirm if it's the correct key?

edit: seems like the download froze at 88mb.. is this normal? Do I have to restart the download again now?

[–]multiplayerdreams 2 points 3 months ago

Let me answer your other questions first, then I'll talk about the security threats.

You need to have the Tails iso file. Otherwise you will get a bad signature.

On "regular" internet connections (5-20 Mbps), I'm able to download the Tails iso file in about 1-2 hours. I use bittorrent and have never had any issues downloading the file.

Yes, you could post the key somewhere and have people confirm that it's the correct key. That's basically crowdsourcing downloading the key from multiple locations. Make sure people confirm what you post with their existing key. If the Tails website is incorrect and everyone checks that, then you're all going to be wrong.

[–]multiplayerdreams 1 point 3 months ago

The signature/verify process works like this. The Tails developers make the Tails iso file. They want to make sure that the file people download is the exact same as the file they created. To do this, they use their key to make a digital signature of the file.

(File + key = signature)

A different file will produce a different signature. A different key will also produce a different signature. So having the correct Tails iso and having the Tails private key is the only way to make a legitimate signature. [The Tails developers are the only ones with their private key.]

So once the user has the file, the signature and the trusted key, the user can check to see if that key and that file made that signature. This is because file + key = signature and any wrong file or other key will not verify. So if you have a trusted key and you get a good signature, that means that you have the exact same file as whoever made the signature.

The file got to you over the internet, which Tails does not control. Lots of things could have happened to the file on its way to you. Verifying signatures proves that the starting file is identical to the ending file. Lots of things could have happened to the file on its way to you. This is why we verify.

Read about man-in-the-middle attacks. https://tails.boum.org/doc/about/warning/index.en.html#man-in-the-middle

Let's say I was LE or some other malicious party. I want to spy on people using Tails. I modify the Tails iso to include a keylogger that sends everything people type back to me. I find out where Tails servers are located (not hard, they're on the clearnet) and I delete the real iso file on the site and upload my fake iso file. I also create a fake key that says "Tails developers [email protected]". Using the fake key, I make a real signature of the fake iso file. I upload all this to the Tails website.

A user goes to the Tails website, downloads the fake iso, the (wrong) signature and the fake key. They all look legitimate to the user. The user verifies the file using the (wrong) signature and fake key. The signature will verify as good. Seeing a good signature, they go on and start using the fake Tails version with a keylogger in it.

Even though they verified the iso file using PGP, they used a fake key. Anybody can make a fake key that can make good signatures. It's not hard. You must trust the key you are using. When you verify Tails, Kleopatra will say this:

> Not enough information to check the signature validity.
> Signed on <date> by [email protected] (Key ID: 0xBE2CD9C1)
> The validity of the signature cannot be verified.

Does this make sense? A good signature from a key means nothing. A good signature from a trusted key means everything. If the key is not trusted, that signature tells you that you have the same file as whoever holds the key. But who knows who that is; could be the Tails developers, could be LE. Would you trust a file from some random person? If you don't trust the key, a good signature says very little. On the other hand, if you do trust the key, a good signature means that you have the exact same file as the keyholder. I trust Tails. Once I know I have their correct key, their signatures mean that I have the same files as Tails developers.

What we're striving for is authentication. It's easy to show that we have the same file as somebody else. It's harder to show that we have the correct file. Having the same wrong file doesn't help anybody. Having the same correct file is secure. Trusting the key off the Tails website is not secure. The actual key needs to be verified against other sources. It is unlikely that every place you check the key against is compromised. The point is don't have a single point of failure and don't put all your trust into one party because it may be compromised.

I wrote entirely too much

[–]anonymississippi 1 point 3 months ago

THANK YOU! for much entirety
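The distinction drawn in the thread between "good signature" and "good signature from a trusted key" can be exercised in code. The following is an added example, not code from the thread or from the Tails project: it models the workflow with Go's standard-library `crypto/ed25519` as a stand-in for OpenPGP (Tails signatures are OpenPGP and are checked with gpg or Kleopatra, not this code), uses a SHA-256 digest of the public key in the role of the key fingerprint, and builds the "genuine release" and "attacker re-signed a modified file with their own key" cases from constructed bytes. `Release`, `Fingerprint`, `GoodSignature`, `TrustedSignature` and `Scenario` are names chosen for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a user downloads: the file, its detached signature and the
// public key published beside them (the iso, the .sig and tails-signing.key in the thread).
type Release struct {
	ISO       []byte
	Signature []byte
	PublicKey ed25519.PublicKey
}

// Fingerprint stands in for an OpenPGP key fingerprint: a digest of the public key,
// short enough to compare against copies obtained from independent sources.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SignRelease is the developers' side of the process: file + private key = signature.
func SignRelease(iso []byte, priv ed25519.PrivateKey) Release {
	return Release{
		ISO:       iso,
		Signature: ed25519.Sign(priv, iso),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
}

// GoodSignature is the check the GUI reports as "Signed on <date> by ...":
// does the key shipped next to the download verify the file? Whoever holds
// a private key can make this pass for a file of their choosing.
func GoodSignature(r Release) bool {
	return ed25519.Verify(r.PublicKey, r.ISO, r.Signature)
}

// TrustedSignature is the check that actually authenticates the file: the signing
// key's fingerprint must equal the fingerprint obtained from every independent
// source, and only then does a good signature count for anything.
func TrustedSignature(r Release, pinnedFingerprints []string) (bool, string) {
	if len(pinnedFingerprints) == 0 {
		return false, "no independent fingerprint to compare against; the key is untrusted"
	}
	fp := Fingerprint(r.PublicKey)
	for i, pinned := range pinnedFingerprints {
		if pinned != fp {
			return false, fmt.Sprintf("key fingerprint does not match source %d; do not trust this key", i)
		}
	}
	if !GoodSignature(r) {
		return false, "bad signature: file or signature corrupted, download again"
	}
	return true, "good signature from trusted key"
}

// Scenario builds the thread's two cases from constructed data: the genuine release,
// and a substitute where a modified file was re-signed with a different key.
// It also returns the developers' fingerprint as if read from three independent sources.
func Scenario() (genuine Release, forged Release, pinned []string) {
	devPub, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	iso := []byte("constructed stand-in for tails-i386-1.2.iso") // constructed sample bytes
	genuine = SignRelease(iso, devPriv)

	modified := append([]byte{}, iso...)
	modified = append(modified, []byte(" + unwanted change")...)
	forged = SignRelease(modified, otherPriv) // good signature, wrong key

	devFP := Fingerprint(devPub)
	pinned = []string{devFP, devFP, devFP} // same value reported by each independent source
	return genuine, forged, pinned
}

func main() {
	genuine, forged, pinned := Scenario()
	for _, c := range []struct {
		name string
		r    Release
	}{{"genuine", genuine}, {"forged", forged}} {
		ok, why := TrustedSignature(c.r, pinned)
		fmt.Printf("%-8s good signature: %v  trusted: %v (%s)\n", c.name, GoodSignature(c.r), ok, why)
	}
}
```

Running it prints a good signature for both releases, which is exactly the thread's point: the signature check alone cannot tell them apart. Only the fingerprint comparison against sources that do not depend on the download site rejects the forged one, and a fingerprint list that is just the website's own copy repeated would pass both, which is why the comment insists on checking against other sources.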
