Thanks for the quick response. I did download and import it. On the page that you reference: https://tails.boum.org/install/win/usb/index.en.html there is a link to download and verify with OpenPGP (and subsequently gpg4win): (https://tails.boum.org/install/download/openpgp/index.en.html) I may be crazy (some have called me worse), but I really don't trust a plugin to "automatically" tell me if something is good or not. I like doing the extra bit of work to verify.
So, if you have a VM that you can install gpg4win, you can see what I'm seeing. Once the TAILS Signing Key is imported into Kleopatra, right click on it and then click on 'Certificate Details'. If you click the 'Technical Details' tab, you will see the revoked subkey. Then you click on the 'User-IDs & Certifications' tab, and click the button 'Load Certifications (may take a while)' to see all of the certs (or cross-certs?) that are associated. In that list, you will find the one that I referenced that was valid until 1/12/16 and the three more that will expire by the end of the year. If you go back to the list of certificates, you can right click on the TAILS Signing Key and try to 'Change Owner Trust' and attempt to bump it to full trust or 'Certify Certificate' and both will fail with the error: 'Certificate expired'. Thanks again! Nick Previous Message: Hi, > I'm using a Windows 7 Pro machine to download the TAILS ISO and the > sig, then verify it with gpg4win version 2.2.4. using the latest > signing key. > Per https://tails.boum.org/install/download/openpgp/index.en.html I > imported the TAILS Signing Key. I can't certify or change it to full > trust ... as the error shows the Certificate is Expired. I look > further and find that this cert in the chain is expired: > 54D7834DDB6C364C 1/12/16. About three more will be expiring before > the end of the year. Also, one of the sub keys is revoked/expired: > AA9E014656987A65. Are there any plans to remove and/or replace the > expired/revoked certs so that users can truly verify the > distribution? I don't see any expired key. Did you download AND import it? This is the key I get: gpg --list-keys 0xDBB802B258ACD84F pub 4096R/0xDBB802B258ACD84F 2015-01-18 [expires: 2018-01-11] Fingerprint = A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F uid [ undef.] Tails developers (offline long-term identity key) <[email protected]> uid [ unbek.] Tails developers <[email protected]> sub 4096R/0x98FEC6BC752A3DB6 2015-01-18 [expires: 2018-01-11] sub 4096R/0x3C83DCB52F699C56 2015-01-18 [expires: 2018-01-11] sub 4096R/0xAF292B44A0EDAA41 2016-08-30 [expires: 2018-01-11] > The reason is ask is that when I try to verify the ISO, I get this > error back: > > "Signed on 2016-11-13 09:08 with unknown certificate > 0x79192EE220449071F589AC00AF292B44A0EDAA41. The validity of the > signature cannot be verified." > > The cert in this error does not match the one in the document, > located at: > https://tails.boum.org/install/download/openpgp/index.en.html > > "Signed on ... by [email protected] (Key ID: 0x58ACD84F" Nowadays we advise users to not just download the ISO and verify it using OpenPGP, but to instead use our Firefox extension, which verifies the ISO image automatically. On Windows, you should follow these instructions: https://tails.boum.org/install/win/usb/index.en.html Cheers! u.
_______________________________________________ tails-support mailing list [email protected] https://mailman.boum.org/listinfo/tails-support To unsubscribe from this list, send an empty email to [email protected].
