Tails verifying

So I'm trying to verify Tails' ISO. I am getting this message; it seems different from the one on Tails' website:

Not enough information to check signature validity. Signed on 2015-06-29 12:07 with unknown certificate 0xA5091F72... The validity of the signature cannot be verified.

Does it seem alright, or have I downloaded a fake ISO?


Comments


[3 Points] ziz1:

You need to certify the Tails signing key with your own key:

(If you do not have your own PGP key, then create one first before proceeding.)


Start Kleopatra.

Select "All Certificates" from the drop down on the right hand side of the "Find" text entry area.

Under "Name" there should be a key listed as "Tails developers (offline long-term identity key)".

Right click on that key and select "Certificate Details".

Make sure the key fingerprint is as follows:

Key fingerprint = A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F

Once you have verified the key fingerprint, right click on the key again and select "Certify Certificate".

Check mark the Tails key.

Check mark "I have verified the fingerprint".

Hit Next.

Select which of your keys you want to sign it with.

Select "Certify for myself".

Hit "Certify".

Enter the passphrase for your key.

Hit Finish.

Right click on the Tails key again and select "Change Owner Trust".

Select "I believe checks are very accurate".


Hit File on the top menu bar and select "Decrypt/Verify Files".

Drill down to the directory where both the Tails ISO and the Tails ISO signature (.sig) files are located.

Select either one.

Hit "Decrypt/Verify".

You should get a green "Signature is valid" message.

(Because of a bug in Kleopatra, it will still say "unknown certificate": https://bugs.kde.org/show_bug.cgi?id=287145)


[1 Points] sapiophile:

It sounds like you just don't have the Tails developers' signing key. You can get it here: https://keyserver.cns.vt.edu/pks/lookup?op=get&search=0xDBB802B258ACD84F

Ensure that its fingerprint matches the following (I have signed it myself to reduce the likelihood of manipulation):

A490 D0F4 D311 A415 3E2B  B7CA DBB8 02B2 58AC D84F

Once you have imported that public key into your GPG keyring, try verifying the signature again. If you continue to have problems, let me know.
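
The two answers above describe two different states: the signing key is not in the keyring at all, or it is present but not yet certified. As an added example (not code from the thread or from Tails), the sketch below tells them apart by reading GnuPG's machine-readable `--status-fd` output and pinning the fingerprint quoted in the thread. The sample status lines, the key ID `0123456789ABCDEF` and the subkey fingerprint are constructed placeholders, and `classify` and `verify` are hypothetical helper names.

```python
import subprocess

# Fingerprint quoted in the thread for the Tails signing key, spaces removed.
TAILS_FPR = "A490D0F4D311A4153E2BB7CADBB802B258ACD84F"
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}

def classify(status_text, pinned_fpr=TAILS_FPR):
    """Turn `gpg --status-fd` output for one signature into a verdict."""
    seen, primary_fpr = set(), None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        seen.add(fields[1])
        if fields[1] == "VALIDSIG":
            # Last VALIDSIG argument is the primary key fingerprint (subkey case).
            primary_fpr = (fields[11] if len(fields) > 11 else fields[2]).upper()
    if "BADSIG" in seen:
        return "bad-signature"          # ISO and .sig do not match
    if "NO_PUBKEY" in seen:
        return "key-missing"            # import the signing key, then retry
    if seen & {"EXPKEYSIG", "REVKEYSIG", "EXPSIG"}:
        return "expired-or-revoked"
    if "GOODSIG" not in seen or primary_fpr is None:
        return "no-valid-signature"
    if primary_fpr != pinned_fpr.upper():
        return "wrong-key"              # good signature, but not the pinned key
    if seen & TRUSTED:
        return "valid-and-trusted"
    return "valid-but-uncertified"      # check the fingerprint, then certify the key

def verify(sig_path, iso_path):
    """Run gpg on a detached signature and classify what it reports."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, iso_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return classify(proc.stdout)

# Constructed sample outputs (placeholder key ID and subkey fingerprint).
SUBKEY_FPR = "0" * 39 + "1"
SAMPLE_KEY_MISSING = (
    "[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1435579620 9\n"
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n")
SAMPLE_UNCERTIFIED = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Tails developers\n"
    f"[GNUPG:] VALIDSIG {SUBKEY_FPR} 2015-06-29 1435579620 0 4 0 1 10 00 {TAILS_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED\n")
```

A "valid-but-uncertified" result means the signature itself checks out against the pinned key; only the local certification step is outstanding.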


[1 Points] denuugs:

Thanks a BUNCH!