Hi again,

u:
> Hi Constantin,
>
> exploding_paint:
>> Hi,
>>
>> I just tried to download and install the latest version of Tails, and
>> I've noticed I'm now supposed to install the Tails Installer program
>> from a PPA to do the installation.
>>
>> I've always liked that you take great care to show users how to
>> verify the downloaded iso file, but there doesn't seem to be anything
>> similar for the Installer package. The PGP key of the PPA is not
>> listed at https://tails.boum.org/doc/about/openpgp_keys/index.en.html
>> and it doesn't have any signatures either, so if I'm not mistaken
>> there is no way for me to make sure the PPA and its software is
>> actually from the Tails people. The way I understand it verifying
>> this PPA is just as crucial as verifying the downloaded iso file.
>>
>> Any guidance on this matter is much appreciated. Sorry if this has
>> been asked before.
>
> That's a very valid concern. Thanks for bringing it up!
>
> The tails-installer package is maintained by me, and thus it was signed
> with my key. I'm part of the Tails project and I also maintain the
> package in Debian: https://tracker.debian.org/pkg/tails-installer
>
> I'll create a ticket on our bugtracker to see where we should document
> this. (In our installation documentation and/or the openpgp keys page?)
>
> My key has many signatures by Debian Developers:
> http://zimmermann.mayfirst.org/pks/lookup?search=u%40451f.org&op=vindex
> In the meantime, you might be able to establish a trust path this way.

I created https://labs.riseup.net/code/issues/11859 as a discussion
ticket and hope that we can find a valid solution for this concern
during our next monthly meeting.

Cheers!
