Feature #12630

Feature #5630: Reproducible builds

Document how users can verify a reproducibly built ISO/IUK

Added by u about 2 months ago. Updated 19 days ago.

Status: In Progress
Start date: 06/02/2017
Priority: Normal
Due date:
Assignee: anonym
% Done: 10%
Category: -
Target version: Tails_3.2
QA Check: Ready for QA
Blueprint:
Feature Branch: 451f:tailsfeature/12630+reproducible_build_verify
Easy:
Type of work: Contributors documentation
Affected tool:

Related issues

Related to Tails - Feature #12626: Design doc for reproducible builds Confirmed 05/31/2017
Related to Tails - Bug #12645: FAQ: Explain why we don't give a SHA of the ISO image Confirmed 06/06/2017

History

#1 Updated by u about 2 months ago

  • Assignee set to u

Notes

- download our .sig and verify it against your own build
- when someone reproducibly builds our .iso they have a file that is exactly the same as ours, which the .sig will verify for them
- there's a way to extract the SHA from the .sig.
- the SHA is already in IDFs and UDFs

#2 Updated by intrigeri about 2 months ago

- download our .sig and verify it against your own build

This won't work for IUKs though, but their SHA is available in our UDFs.

#3 Updated by u about 1 month ago

  • Feature Branch set to 451f:tailsfeature/12630+reproducible_build_verify

#4 Updated by u about 1 month ago

  • Status changed from Confirmed to In Progress

#5 Updated by u about 1 month ago

  • Assignee changed from u to intrigeri
  • QA Check set to Ready for QA

I added a page about this and would love someone from the foundations team to verify what I wrote and improve on it. Tentatively assigning to intrigeri.

  • I don't know how to verify an IUK so this part is missing
  • Is there an archive of our OpenPGP signatures so that people can verify older builds in the future?
  • Is there an archive of our IDFs/SHAsums so that people can verify older builds in the future?

You can also reassign this to me if you think there is too much information missing.

#6 Updated by u about 1 month ago

#7 Updated by u about 1 month ago

  • Assignee changed from intrigeri to anonym

Actually, as anonym is supposed to write the design doc, this might be more suitable to have a review from him instead.

#8 Updated by intrigeri about 1 month ago

  • Target version set to Tails_3.1
  • % Done changed from 0 to 10

#9 Updated by intrigeri about 1 month ago

  • Is there an archive of our OpenPGP signatures so that people can verify older builds in the future?
  • Is there an archive of our IDFs/SHAsums so that people can verify older builds in the future?

There's no such archive but enabling people to verify old releases is not part of our goals IIRC. I think we've set up things so that only the last release (and perhaps the one before if you're lucky) can be verified. The blueprint might have clearer statements about this.

#10 Updated by u 28 days ago

  • Related to Bug #12645: FAQ: Explain why we don't give a SHA of the ISO image added

#11 Updated by anonym 19 days ago

  • Target version changed from Tails_3.1 to Tails_3.2
