Merge pull request #4586 from freedomofpress/docs-keys-dot-openpgp-do…

…t-rodeo Update Admin Workstation setup instructions to use keys.openpgp.org
freedomofpress · Jul 3, 2019 · 3584f24 · 3584f24
2 parents eb55fcd + 6ebf31d
commit 3584f24
Showing 1 changed file with 51 additions and 34 deletions.
diff --git a/docs/set_up_admin_tails.rst b/docs/set_up_admin_tails.rst
@@ -61,55 +61,70 @@ Start by running the following commands to download the git repository.
 Verify the Release Tag
 ~~~~~~~~~~~~~~~~~~~~~~
 
-.. caution:: Do not skip this step as this steps validates the files
-             in your Git repository.
+.. important::
 
-First, download and verify the **SecureDrop Release Signing Key**.
+   It is crucial for the integrity of your installation that you carefully
+   follow the instructions below. By following these steps, you will verify
+   if your copy of the codebase has been approved by the SecureDrop
+   development team.
+
+Download and verify the **SecureDrop Release Signing Key** using the following
+command:
 
 .. code:: sh
 
-    gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
+   gpg --keyserver hkps://keys.openpgp.org --recv-key \
+    "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
+
+If you are not copy-pasting this command, we recommend you double-check you have
+entered it correctly before pressing enter. GPG will implicitly verify that the
+fingerprint of the key received matches the argument passed.
+
+.. _Tails is connected to Tor: https://tails.boum.org/doc/anonymous_internet/tor_status/index.en.html
 
-.. note:: It is important you type this out correctly. If you are not
-          copy-pasting this command, we recommend you double-check you have
-          entered it correctly before pressing enter.
+If GPG warns you that the fingerprint of the key received does not
+match the one requested, do **not** proceed with the installation. If this
+happens, please contact us at securedrop@freedom.press.
 
-.. tip:: If the ``--recv-key`` command fails, first double-check that
-   `Tails is connected to Tor`_.
+.. note::
 
-   Once you've confirmed that you're successfully connected to Tor, try
-   re-running the ``--recv-key`` command a few times. The default GPG
-   configuration on Tails uses a keyserver pool, which may occasionally return
-   a malfunctioning keyserver, causing the ``--recv-key`` command to fail.
+   If the ``--recv-key`` command fails, first double-check that
+   `Tails is connected to Tor`_. Once you've confirmed that you're successfully
+   connected to Tor, try re-running the ``--recv-key`` command a few times.
 
-   If the command is consistently failing after a few tries, it could
-   indicate that the default GPG key servers are down or unreachable. As a
-   workaround, another keyserver can be specified by adding the ``--keyserver``
-   option to the ``gpg --recv-key`` command. In our experience, the SKS HKPS
-   keyserver pool is usually a reliable alternative, so try:
+   If the command still fails, the *keys.openpgp.org* keyserver may be down.
+   In that case, we recommend downloading the key from the SecureDrop website:
 
    .. code:: sh
 
-      gpg --keyserver hkps://hkps.pool.sks-keyservers.net --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
+      cd ~/Persistent
+      torify curl -LO https://securedrop.org/securedrop-release-key.asc
 
-   Again, this is a keyserver pool, so you may need to retry the command a
-   couple of times before it succeeds.
+   Before importing it, inspect the key's fingerprint using the following
+   command. The ``--dry-run`` option ensures that the key is not imported just
+   yet:
 
-.. _Tails is connected to Tor: https://tails.boum.org/doc/anonymous_internet/tor_status/index.en.html
+   .. code:: sh
 
-When passing the full public key fingerprint to the ``--recv-key`` command, GPG
-will implicitly verify that the fingerprint of the key received matches the
-argument passed.
+      gpg --with-fingerprint --import-options import-show --dry-run \
+        --import securedrop-release-key.asc
 
-.. caution:: If GPG warns you that the fingerprint of the key received
-             does not match the one requested **do not** proceed with
-             the installation. If this happens, please email us at
-             securedrop@freedom.press.
+   Compare the fingerprint in the output with the fingerprint at the beginning
+   of this section. If the fingerprints match, you can safely import the key,
+   using the following command:
+
+   .. code:: sh
+
+      gpg --import securedrop-release-key.asc
+
+   If you encounter any difficulties verifying the integrity of the
+   release key, do **not** proceed with the installation. Instead, please
+   contact us at securedrop@freedom.press.
 
 .. _Checkout and Verify the Current Release Tag:
 
-Verify that the current release tag was signed with the release signing
-key:
+Once you have imported the release key, verify that the current release tag was
+signed with the release signing key:
 
 .. code:: sh
 
@@ -120,9 +135,11 @@ key:
 You should see ``Good signature from "SecureDrop Release Signing Key"`` in the
 output of that last command along with the fingerprint above.
 
-.. caution:: If you do not, signature verification has failed and you
-             *should not* proceed with the installation. If this
-             happens, please contact us at securedrop@freedom.press.
+.. important::
+
+   If you do not see the message above, signature verification has failed
+   and you should **not** proceed with the installation. If this happens,
+   please contact us at securedrop@freedom.press.
 
 Create the Admin Passphrase Database
 ------------------------------------