this post was submitted on 18 Jun 2024
10 points (100.0% liked)

Tails

153 readers
1 users here now

Tails is a portable operating system that protects your privacy and helps you avoid censorship.

https://tails.boum.org/index.en.html

founded 4 years ago
MODERATORS
[email protected]
10
Tails - Tails 6.4 (tails.net)
submitted 2 weeks ago by [email protected] to c/[email protected]
2 comments fedilink hide all child comments
top 2 comments
sorted by: hot top controversial new old
[โ€“] [email protected] 2 points 2 weeks ago (1 children)

for some reasons, I can't verify the signature of the files.

I downloaded tail-signing.key from https://tails.net/tails-signing.key

then made a keyring file.

ran gpgv --keyring ./tails.keyring tails-amd64-6.4.img.sig tails-amd64-6.4.img

it gave me error saying using EDDSA key 26D26.... Can't check signature: No public key.

I even tried using the same keyring for 6.3 and it was fine. Only for this version I;m having trouble.

Anyone would please confirm the SHA256SUM if you could verify the signature?

[โ€“] [email protected] 2 points 2 weeks ago

How does making a keyring file work ? I tried it by importing the signing key into my keyring and then ran gpgv tails-amd64-6.4.img.sig tails-amd64-6.4.img which also gives : gpgv: Can't check signature: No public key

Found this, which appears to suggest to use other verification methods : https://tails.net/contribute/design/download_verification/#index2h1

OpenPGP verification instructions

We removed the instructions to verify downloads with OpenPGP because:

Without advanced knowledge of OpenPGP, verifying with OpenPGP provides the same level of security as the JavaScript verification on the download page, while being much more complicated and error-prone.

None of our personas would have enough knowledge of OpenPGP to use the OpenPGP Web of Trust with confidence.

Providing basic (and never exhaustive) instructions has proven to be very time consuming to our help desk and technical writers. See #17900.

We still explain how to verify our signing key using the OpenPGP Web of Trust in the installation instructions from Debian, Ubuntu, or Mint using the command line and GnuPG because Debian derivatives come with trusted OpenPGP keys that can be used to create a path to our signing key.