[[!meta title="Verification of Tails reproducibility"]]

After accepting to be the Trusted Verifier you should have been
instructed to go here immediately and read the "Preparation"
section. For a planned release you should be doing this weeks before
the release you are about to reproduce; for emergency releases you
likely only have days or even hours. If you were not, please file a
ticket about this, since an important part of the process must have been

<a id="preparation"></a>

# Preparation (when accepting to be the Trusted Verifier)

Use whatever scheduling tool you prefer to make sure you will, on your
own initiative, return to this document and follow it within 72 hours
from the start of the manual testing session. In particular, do not
trust anything said by the RM about this process.

## Inputs from the release process

Look at the "Environment" section at the beginning of [[the release
process instructions|contribute/release_process]] and set the
following variables as instructed:

Now for the only tricky part, setting `IUK_SOURCE_VERSIONS`. It should
simply list the old Tails versions that will get an automatic upgrade
to the current release, and should be set correctly by this command

    # Reduce each "Tails_amd64_X_to_${VERSION}.iuk" match to the old version X.
    IUK_SOURCE_VERSIONS="$(
        curl "http://dl.amnesia.boum.org/tails/${DIST:?}/iuk/" \
            | grep --extended-regexp --only-matching \
                   "Tails_amd64_[^_]+_to_${VERSION:?}.iuk" \
            | sed --regexp-extended 's/^Tails_amd64_([^_]+)_to_.*$/\1/' \
            | sort --unique
    )"
    echo -e "Got these IUK source versions:\n${IUK_SOURCE_VERSIONS}"

Now sanity check the contents of `IUK_SOURCE_VERSIONS`:

* If empty, the RM has probably not uploaded them yet so you may have
* Make sure each listed version actually has been released! :)
* [[Figure out the rules for how to set this
  variable|contribute/release_process/#prepare-iuk]] and double-check
  that it makes sense! Note that exceptions happen (e.g. there could
  be a bug in some old version's upgrader so we skip it).
* If the release notes have already been written (generally there is a
  ticket about it) it should list which versions

## Inputs from the testing pad

In the "Reproducibility" section of the testing pad you'll find
clear-signed hashes for all products of this release. Verify the
signature, and put the hashes (excluding the OpenPGP signature data)
into a file called `SHA512SUMS.txt`.

Set these environment variables accordingly:

* `ISOS_CHECKOUT`: path to your Tails ISO history repo checkout.
* `PACKAGES_FILE`: path to the `.packages` file for this release
  (should be attached to the "Testing Tails `$VERSION`" email you have
* `PUBLISHED_ARTIFACTS`: some _new_ directory where you can download
* `SHA512SUMS`: the path of the `SHA512SUMS.txt` file from above.
* `TAILS_CHECKOUT`: path to your Tails Git repo checkout.

## Derived environment variables

    cd "${TAILS_CHECKOUT:?}" && \
    TAG="$(echo "${VERSION:?}" | tr '~' '-')" && \
    TAG_COMMIT="$(git rev-parse --verify "${TAG:?}")" && \
    git checkout "${RELEASE_BRANCH:?}" && \
    git merge "origin/${RELEASE_BRANCH:?}" && \
    PERL5LIB_VERSION="$(awk '/^tails-perl5lib\s/ { print $2 }' "${PACKAGES_FILE:?}")" && \
    if [ -z "${PERL5LIB_VERSION}" ]; then
        echo 'Failed to determine PERL5LIB_VERSION, aborting' && \
        false
    fi && \
    PERL5LIB_CHECKOUT_TAG="debian/${PERL5LIB_VERSION}" && \
    IUK_VERSION="$(awk '/^tails-iuk\s/ { print $2 }' "${PACKAGES_FILE:?}")" && \
    if [ -z "${IUK_VERSION}" ]; then
        echo 'Failed to determine IUK_VERSION, aborting' && \
        false
    fi && \
    IUK_CHECKOUT_TAG="debian/${IUK_VERSION}"

# Download published products

    mkdir -p "${PUBLISHED_ARTIFACTS:?}" && \
    cd "${PUBLISHED_ARTIFACTS:?}" && \
    mkdir tails-amd64-${VERSION:?} && \
    cd tails-amd64-${VERSION:?} && \
    wget http://dl.amnesia.boum.org/tails/${DIST:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.iso && \
    for old_version in ${IUK_SOURCE_VERSIONS}; do
        wget http://dl.amnesia.boum.org/tails/${DIST:?}/iuk/Tails_amd64_${old_version}_to_${VERSION:?}.iuk
    done

# Obtain needed old Tails releases

    cd "${ISOS_CHECKOUT:?}" && \
    for old_version in ${IUK_SOURCE_VERSIONS:?}; do
        tails_dir="tails-amd64-${old_version}" && \
        if [ ! -d "${ISOS:?}/${tails_dir}" ]; then
            git annex get "${tails_dir}" && \
            cp --dereference --recursive "${tails_dir}" "${ISOS:?}"
        fi
    done

# Refresh iuk and perl5lib Git repos

    cd "${PERL5LIB_CHECKOUT:?}" && \
    git checkout "${PERL5LIB_CHECKOUT_TAG:?}" && \
    cd "${IUK_CHECKOUT:?}" && \
    git checkout "${IUK_CHECKOUT_TAG:?}"

## Fetch and verify the Git tag

    cd "${TAILS_CHECKOUT:?}" && \
    git fetch origin "${TAG:?}" && \
    git tag -v "${TAG:?}"

* If the last output is a "Good signature" for the expected tag, made by
  the Tails signing key, then we are good.

* Otherwise, if you see _anything_ else, we're _not_ good; immediately
  contact the RM and tails@! Proceeding with the rest of the steps
  is pointless in this case, so await instruction.
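
One way to turn the "Good signature ... made by Tails signing key" check into a pass/fail test, as an added example that is not part of the Tails instructions: feed GnuPG's machine-readable status lines (which `git verify-tag --raw` prints on standard error) to a filter that accepts only a single valid signature by the expected primary key. `tag_signed_by`, `sample_status` and the fingerprints are made up for this example; use the real signing key fingerprint, obtained out of band.

```shell
# Added example, not part of the Tails instructions.
# tag_signed_by FPR: read GnuPG status lines on stdin; succeed only if they
# show exactly one good, valid signature whose primary key fingerprint is FPR.
tag_signed_by() {
    awk -v want="$(printf '%s' "${1:?}" | tr -d ' ' | tr 'a-f' 'A-F')" '
        $1 != "[GNUPG:]" { next }
        # Any of these means the signature must not be relied on.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        $2 == "GOODSIG"  { good++ }
        # VALIDSIG: field 3 is the signing (sub)key, the last field the
        # primary key fingerprint.
        $2 == "VALIDSIG" { valid++; primary = toupper($NF) }
        END { exit !(bad == 0 && good == 1 && valid == 1 && primary == want) }
    '
}

# Constructed status output with placeholder fingerprints (not real keys).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
sample_status() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>' \
        "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2020-01-01 1577836800 0 4 0 1 10 00 ${SAMPLE_FPR}"
}

# Intended use (needs the signer's public key in your keyring):
#   git verify-tag --raw "${TAG:?}" 2>&1 | tag_signed_by "$EXPECTED_FPR"
```

A "Good signature" line alone only says that some key in your keyring signed the tag; comparing the fingerprint is what ties it to the expected key.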
## Reproduce the image

    cd "${TAILS_CHECKOUT:?}" && \
    git checkout "${TAG:?}" && \
    git submodule update --init && \
    export SOURCE_DATE_EPOCH=$(date --utc --date="$(dpkg-parsechangelog --show-field=Date)" '+%s') && \
    mkdir "${ISOS:?}/tails-amd64-${VERSION:?}" && \
    mv "${ARTIFACTS:?}/tails-amd64-${VERSION:?}.iso" \
       "${ISOS:?}/tails-amd64-${VERSION:?}/"

Follow the [[Build the Incremental Upgrade
Kits|contribute/release_process/#prepare-iuk]] instructions. Note that
the value of `SOURCE_DATE_EPOCH` set above is needed!

If there is *any* type of mismatch at some point below, let the RM and
tails@ know *immediately*!

## Verify your products

    sha512sum -c "${SHA512SUMS:?}"

## Verify published products

    cd "${PUBLISHED_ARTIFACTS:?}" && \
    sha512sum -c "${SHA512SUMS:?}"

Examine the IDF by running:

    curl https://tails.boum.org/install/v1/Tails/amd64/${DIST:?}/latest.yml

* the `url` value is the expected ISO image URL, i.e.:

      http://dl.amnesia.boum.org/tails/${DIST:?}/tails-amd64-$VERSION/tails-amd64-$VERSION.iso

* the `sha256` value is the `SHA-256` you get from your image (with
* the `size` value is the number of bytes of your image.

Examine each UDF by running:

    for old_version in ${IUK_SOURCE_VERSIONS}; do
        url=https://tails.boum.org/upgrade/v1/Tails/${old_version}/amd64/${DIST:?}/upgrades.yml
        echo "Looking at '${url}':"
        curl --silent --show-error "${url}"
    done

and checking that there are either one or two `target-files`
entries, where `type: full` means a full upgrade (so it refers to
the ISO image) and `type: incremental` means an incremental upgrade
(so it refers to an IUK). Verify

      http://dl.amnesia.boum.org/tails/${DIST:?}/iuk/Tails_amd64_${old_version}_to_$VERSION.iuk

* the `sha256` and `size` values just like you did for the IDF previously.
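
The IDF and UDF checks above compare the same values (`url`, `sha256`, `size`, plus `type` in a UDF) against your own products, so they can be scripted together. The following is an added example, not part of the Tails instructions; `list_targets`, `check_targets`, `make_sample`, the sample host and the sample versions are made up, and it assumes the descriptions use plain `key: value` lines.

```shell
# Added example, not part of the Tails instructions.
# list_targets FILE: print "kind url sha256 size" for every url/sha256/size
# group (kind = preceding "type:" value or "-"). Assumes "key: value" lines.
list_targets() {
    awk 'BEGIN { kind = "-" }
    {
        line = $0
        sub(/^[ \t-]*/, "", line)          # drop indentation and list dashes
        n = index(line, ": ")
        if (n == 0) next
        key = substr(line, 1, n - 1); val = substr(line, n + 2)
        if (key == "type") kind = val
        if (key == "url" || key == "sha256" || key == "size") v[key] = val
        if (("url" in v) && ("sha256" in v) && ("size" in v)) {
            print kind, v["url"], v["sha256"], v["size"]
            delete v["url"]; delete v["sha256"]; delete v["size"]
        }
    }' "${1:?}"
}

# check_targets FILE DIR: compare each target with the same-named file in DIR
# (your own products). Fails on any difference, or if nothing was listed.
check_targets() {
    rc=0; seen=0
    while read -r kind url sha size; do
        [ -n "$url" ] || continue
        seen=$((seen + 1)); f="${2:?}/${url##*/}"
        case "$kind:$url" in
            full:*.iso|incremental:*.iuk) ;;
            full:*|incremental:*) echo "WRONG TYPE $url"; rc=1; continue ;;
        esac
        if [ -f "$f" ] && [ "$(sha256sum "$f" | cut -d' ' -f1)" = "$sha" ] &&
           [ "$(wc -c <"$f" | tr -d ' ')" = "$size" ]; then
            echo "OK         $url"
        else
            echo "MISMATCH   $url"; rc=1
        fi
    done <<EOF
$(list_targets "${1:?}")
EOF
    [ "$seen" -gt 0 ] && [ "$rc" -eq 0 ]
}
# Constructed sample (invented versions and host): one IUK and a UDF-like file.
make_sample() {
    iuk="${1:?}/Tails_amd64_1.0_to_1.1.iuk"
    printf 'constructed test data\n' >"$iuk"
    printf -- '- type: incremental\n  target-files:\n  - sha256: %s\n    size: %s\n    url: %s\n' \
        "$(sha256sum "$iuk" | cut -d' ' -f1)" "$(wc -c <"$iuk" | tr -d ' ')" "http://dl.example.org/iuk/${iuk##*/}" >"$1/upgrades.yml"
}
```

Files are matched by the base name of each `url` only, so the full `url` value and the number of `target-files` entries still have to be compared against the expected ones as described above.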