Scaricate Tails 3.15

Questa sezione fornisce istruzioni semplificate:

• In Windows con Gpg4win
• In macOS con GPGTools
• In Tails
• Usando la riga di comando

In Windows con Gpg4win

Guarda la documentazione Gpg4win su come verificare le firme.

Verify that the date of the signature is at most five days earlier than the latest version: 2019-07-09.

Se compare il seguente avviso:

Not enough information to check the signature validity.
Signed on ... by tails@boum.org (Key ID: 0x58ACD84F
The validity of the signature cannot be verified.

Then the image is still correct according to the signing key that you downloaded. To remove this warning you need to authenticate the signing key through the OpenPGP Web of Trust.

In macOS usando GPGTools

1. Open Finder and navigate to the folder where you saved the image and the signature.
2. Right-click on the image and choose Services ▸ OpenPGP: Verify Signature of File.

Su Tails

1. Open the file browser and navigate to the folder where you saved the image and the signature.
2. Clicca con il tasto destro sulla firma e scegli Open With Verify Signature.
3. The verification of the image starts automatically:

   

4. After the verification finishes, you should see a notification that the signature is good:

   

   

   Verify that the date of the signature is at most five days earlier than the latest version: 2019-07-09.

Usare la riga di comando

1. Open a terminal and navigate to the folder where you saved the image and the signature.

2. Esegui:

   TZ=UTC gpg --no-options --keyid-format long --verify tails-amd64-3.15.img.sig tails-amd64-3.15.img

   TZ=UTC gpg --no-options --keyid-format long --verify tails-amd64-3.15.iso.sig tails-amd64-3.15.iso

   L'output di questo comando dovrebbe essere il seguente:

   gpg: Signature made Tue Jul  9 04:10:18 2019 UTC
   gpg:                using RSA key FE029CB4AAD4788E1D7828E8A8B0F4E45B1B50E2
   gpg: Good signature from "Tails developers (offline long-term identity key) <tails@boum.org>" [full]
   gpg:                 aka "Tails developers <tails@boum.org>" [full]
   

   gpg: Signature made Tue Jul  9 04:10:03 2019 UTC
   gpg:                using RSA key FE029CB4AAD4788E1D7828E8A8B0F4E45B1B50E2
   gpg: Good signature from "Tails developers (offline long-term identity key) <tails@boum.org>" [full]
   gpg:                 aka "Tails developers <tails@boum.org>" [full]
   

   Verify that the date of the signature is at most five days earlier than the latest version: 2019-07-09.

   Se l'output include anche:

   gpg: WARNING: This key is not certified with a trusted signature!
   gpg: There is no indication that the signature belongs to the owner.
   

   Then the image is still correct according to the signing key that you downloaded. To remove this warning you need to authenticate the signing key through the OpenPGP Web of Trust.

The verification techniques that we present (browser extension, BitTorrent, or OpenPGP verification) all rely on some information being securely downloaded using HTTPS from our website:

• La checksum per l'estensione Firefox
• Il file Torrent per BitTorrent
• The Tails signing key for OpenPGP verification

It is possible that you could download malicious information if our website is compromised or if you are a victim of a man-in-the-middle attack.

OpenPGP verification is the only technique that protects you if our website is compromised or if you are a victim of a man-in-the-middle attack. But, for that you need to authenticate the Tails signing key through the OpenPGP Web of Trust.

One of the inherent problems of standard HTTPS is that the trust put in a website is defined by certificate authorities: a hierarchical and closed set of companies and governmental institutions approved by your web browser vendor. This model of trust has long been criticized and proved several times to be vulnerable to attacks as explained on our warning page.

Noi pensiamo che, invece, gli utilizzatori dovrebbero avere la parola finale sulla fiducia verso un sito internet, e che la fiducia vada riposta sulla base di interazioni umane.

The OpenPGP Web of Trust is a decentralized trust model based on OpenPGP keys that can help with solving this problem. Let's see this with an example:

1. You are friends with Alice and you really trust her way of making sure that OpenPGP keys actually belong to their owners.
2. Alice met Bob, a Tails developer, in a conference and certified Bob's key as actually belonging to Bob.
3. Bob is a Tails developer who directly owns the Tails signing key. So, Bob has certified the Tails signing key as actually belonging to Tails.

In this scenario, you found, through Alice and Bob, a path to trust the Tails signing key without the need to rely on certificate authorities.

Affidarsi alla Web of Trust richiede sia cautela che supervisione intelligente da parte degli utilizzatori. I dettagli tecnici sono al di fuori degli scopi di questo documento.

Since the Web of Trust is based on actual human relationships and real-life interactions, it is best to get in touch with people knowledgeable about OpenPGP and build trust relationships in order to find your own trust path to the Tails signing key.

Per esempio, puoi iniziare contattando un Linux User Group, un'organizzazione che offra training su Tails, o altri entusiasti di Tails vicino a te e scambiare informazioni sulle loro pratiche OpenPGP.