Skip to content

Draft how Tails Installer should trust the Tails signing key

How do we trust the signing key?

  • One possibility would be to TOFU. But on second use, how do we identify that the user has trusted the key once? => verify if we can change a key’s trust level without signing it.
  • Trust the Debian keyring.
    • installer needs to check if Tails signing key contains signatures from Debian keyring / Web of Trust. If not, how should it advertise the user that the key does not contain any signature which is also present in the keyring?
  • Research if our public signing key should be packaged with the tails-installer or could we create a package tails-keyring which would be a dependency of tails-installer?
    • In Windows version the key could be contained in the package directly.
    • Deb packages are signed by Debian keyring, which increases the level of trust.
    • having tails-keyring as independent package would allow for easier updating in case of revocation or changes.

Parent Task: #10315 (closed)

Original created by @u on 10317 (Redmine)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information