Hi Constantin,

exploding_paint:
> Hi,
>
> I just tried to download and install the latest version of Tails, and
> I've noticed I'm now supposed to install the Tails Installer program
> from a PPA to do the installation.
>
> I've always liked that you take great care to show users how to
> verify the downloaded iso file, but there doesn't seem to be anything
> similar for the Installer package. The PGP key of the PPA is not
> listed at https://tails.boum.org/doc/about/openpgp_keys/index.en.html
> and it doesn't have any signatures either, so if I'm not mistaken
> there is no way for me to make sure the PPA and its software is
> actually from the Tails people. The way I understand it verifying
> this PPA is just as crucial as verifying the downloaded iso file.
>
> Any guidance on this matter is much appreciated. Sorry if this has
> been asked before.

That's a very valid concern. Thanks for bringing it up!

The tails-installer package is maintained by me, and thus it was signed with my key. I'm part of the Tails project and I also maintain the package in Debian:
https://tracker.debian.org/pkg/tails-installer

I'll create a ticket on our bugtracker to see where we should document this. (In our installation documentation and/or the openpgp keys page?)

My key has many signatures by Debian Developers:
http://zimmermann.mayfirst.org/pks/lookup?search=u%40451f.org&op=vindex

In the meantime, you might be able to establish a trust path this way.

Cheers!
u.

_______________________________________________
tails-support mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-support
To unsubscribe from this list, send an empty email to [email protected].
