Re: [Tails-testers] Cannot find a copy of 1.0 that has a cle…

Supprimer ce message

Répondre à ce message
Auteur: anonym
Date:  
À: Tails list for early testers
Sujet: Re: [Tails-testers] Cannot find a copy of 1.0 that has a clean signature.
09/05/14 03:01, Kill Your TV wrote:
> On Thu, 8 May 2014 22:23:20 +0000 (UTC)
> outerdark@??? wrote:
>
>> This is ridiculous. Is the TOR website set up with an NSA backdoor
>> too? Im afraid to use the tool that has always sheltered me in my
>> fear of eavesdropping. I have downloaded 15 ISO or Torrent versions
>> in two days and each one had a forged signature according to PGP.


How are you verifying the signature? What is the exact error message?

> Can
>> you send me a guaranteed clean copy so I can catch up on all I need
>> to do that has been hindered since upgrading due to every copy coming
>> up bad forged signature. I just enrolled to be a tester. I hope the
>> test versions are transmitted using methods to thwart MITM.


That's exactly what your problem is showing that we do -- if you indeed
are being MITM:ed, this is exactly the symptoms you'd see.

>> Best Regards
>> JD
>>
>
> It worked here.
>
> $ gpg --verify tails-i386-1.0.iso.sig tails-i386-1.0.iso
> gpg: Signature made Sun 27 Apr 2014 08:02:35 PM UTC
> gpg:                using RSA key 1202821CBE2CD9C1
> gpg: Good signature from "Tails developers (signing key) <tails@???>"
> gpg:                 aka "T(A)ILS developers (signing key) <amnesia@???>

>
> $ sha256sum -b tails-i386-1.0.iso
> 199877e17f69157c48000a513b2b5daeb1b0ef551d36b8456a522006fd66fd8e *tails-i386-1.0.iso


Also, please run:

$ sha256sum tails-i386-1.0.iso.sig
fa896b520738c8c5f595ca7eac2e60c20a5126def4ac8faf4234d84dffa2363b
*tails-i386-1.0.iso.sig

Please verify that your copy of the .sig has the same SHA-256 hash as
above.

And:

$ gpg --fingerprint --list-key "Tails developers (signing key)"
pub   4096R/1202821CBE2CD9C1 2010-10-07 [expires: 2015-02-05]
      Key fingerprint = 0D24 B36A A9A2 A651 7878  7645 1202 821C BE2C D9C1
uid                          Tails developers (signing key) <tails@???>
uid                          T(A)ILS developers (signing key)
<amnesia@???>


Please verify that the public part of Tails' signing key you have has
the same fingerprint as above. We've recently heard that (poorly) forged
keys are floating around on the key servers, see:

    <https://mailman.boum.org/pipermail/tails-dev/2014-May/005638.html>


Cheers!