Verifying Tails ISO

Hi all, :wave:

I've downloaded Tails (“Running Tails in a virtual machine”) here: Tails - Running Tails in a virtual machine.

The download was 1.1 GB in size and I got “tails-amd64-4.23.iso”.
That went well and as a next step I wanted to verify the downloaded ISO. :neutral_face:

The instructions on the page (see above) were “Verify your download”.

What I wanted to do was:

gpg --verify tails-amd64-4.23.iso.sig

after having downloaded the signature. I.e. I wanted to download it but failed. :frowning_face:

Believe it or not - it just so happened that the Tails people updated the Tails ISO to the latest version tails-amd64-4.24.iso. Just now!!! :hushed:

On Index of /torrents/files/ there are only the various “[…].24” files left. :exclamation:

So I reverted to wayback machine and indeed found what I was looking for here:

https://web.archive.org/web/20211019131527/https://tails.boum.org/torrents/files/tails-amd64-4.23.iso.sig .

Phew, that was quite something. :wink: :blush:

So at least I've got the correct signature, but I'm still stuck at this point:

gpg --verify tails-amd64-4.23.iso.sig
gpg: WARNING: unsafe permissions on homedir '/home/rosika/.gnupg'
gpg: assuming signed data in 'tails-amd64-4.23.iso'
gpg: Signature made Di 05 Okt 2021 09:44:08 CEST
gpg:                using EDDSA key CD4D4351AFA6933F574A9AFB90B2B4BD7AED235F
gpg: Can't check signature: No public key

So the issue seems to be that the respective public key hasn't been imported into my keyring yet. :thinking:

Does anyone have any ideas on how to proceed now?

Many thanks in advance and many greetings.
Rosika :slightly_smiling_face:


https://tails.boum.org/tails-signing.key

That’s the signing key that is used for their released images.

https://tails.boum.org/doc/about/openpgp_keys/index.en.html#index2h1

Now, all you need to do is to import the public key, before attempting to verify your downloaded image.


Hi @Akito and thanks so much for your kind help once more, :wave:

yesterday I was on the Tails site with the instructions which you kindly provided but wasn't too sure about the correct proceedings all the same. :blush:

So you helped a lot indeed. Thanks so much. :heart:

Hopefully I've done it right now.
I proceeded thus:

rosika@rosika-10159 /m/r/W/U/r/D/n/für_tails> file tails-signing.key # just for me to show the file-type
tails-signing.key: PGP public key block Public-Key (old)

rosika@rosika-10159 /m/r/W/U/r/D/n/für_tails> gpg --show-keys tails-signing.key 
gpg: WARNUNG: Unsichere Zugriffsrechte des Home-Verzeichnis `/home/rosika/.gnupg'
pub   rsa4096 2015-01-18 [C] [verfällt: 2023-01-07]
      A490D0F4D311A4153E2BB7CADBB802B258ACD84F # this correlates with the values for public fingerprint on the tails site
uid                      Tails developers (offline long-term identity key) <tails@boum.org>
uid                      Tails developers <tails@boum.org>
sub   rsa4096 2015-01-18 [S] [verfallen: 2018-01-11]
sub   rsa4096 2015-01-18 [S] [verfallen: 2018-01-11]
sub   rsa4096 2015-01-18 [S] [widerrufen: 2015-10-29]
sub   rsa4096 2016-08-30 [S] [verfallen: 2018-01-11]
sub   rsa4096 2017-08-28 [S] [verfällt: 2023-01-07]
sub   rsa4096 2017-08-28 [S] [widerrufen: 2020-05-29]
sub   ed25519 2017-08-28 [S] [verfällt: 2023-01-07]
sub   rsa4096 2018-08-30 [S] [widerrufen: 2021-10-14]
sub   rsa4096 2021-10-14 [S] [verfällt: 2023-01-07]

rosika@rosika-10159 /m/r/W/U/r/D/n/für_tails> gpg --import tails-signing.key 
gpg: WARNUNG: Unsichere Zugriffsrechte des Home-Verzeichnis `/home/rosika/.gnupg'
gpg: key DBB802B258ACD84F: 2172 Beglaubigungen wegen fehlender Schlüssel nicht geprüft
gpg: Schlüssel DBB802B258ACD84F: Öffentlicher Schlüssel "Tails developers (offline long-term identity key) <tails@boum.org>" importiert
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:               importiert: 1
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: Tiefe: 0  gültig:   1  signiert:   0  Vertrauen: 0-, 0q, 0n, 0m, 0f, 1u
gpg: nächste "Trust-DB"-Pflichtüberprüfung am 2024-03-20

rosika@rosika-10159 /m/r/W/U/r/D/n/für_tails> gpg --verify tails-amd64-4.23.iso.sig
gpg: WARNUNG: Unsichere Zugriffsrechte des Home-Verzeichnis `/home/rosika/.gnupg'
gpg: die unterzeichneten Daten sind wohl in 'tails-amd64-4.23.iso'
gpg: Signatur vom Di 05 Okt 2021 09:44:08 CEST
gpg:                mittels EDDSA-Schlüssel CD4D4351AFA6933F574A9AFB90B2B4BD7AED235F
gpg: Korrekte Signatur von "Tails developers (offline long-term identity key) <tails@boum.org>" [unbekannt] # I guess that's the important part, i.e. correct signature
gpg:                 alias "Tails developers <tails@boum.org>" [unbekannt]
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck  = A490 D0F4 D311 A415 3E2B  B7CA DBB8 02B2 58AC D84F
     Unter-Fingerabdruck  = CD4D 4351 AFA6 933F 574A  9AFB 90B2 B4BD 7AED 235F
rosika@rosika-10159 /m/r/W/U/r/D/n/für_tails>

Sorry that it's all in German. I forgot to prepend the respective commands with LANG=en_US.UTF-8. :slightly_frowning_face:

Nevertheless I think (and hope) I've done it the right way.

Thanks again for your kind help, Akito. :kissing:

Many greetings from Rosika :slightly_smiling_face:

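The check carried out by hand in the thread (a correct signature whose main fingerprint matches the one published by Tails) can also be scripted against gpg's `--status-fd` output, which is the same in every locale. This is an added example, not part of the original posts or the Tails instructions; the function names are hypothetical and the sample status lines are constructed. It also rejects a signature whose key has expired or been revoked, which matters because the key listing above shows an expiry date.

```sh
#!/bin/sh
# Added example: accept a detached signature only if gpg's machine-readable
# status output names the expected primary key. Fingerprints are the ones
# gpg printed in the thread above.
TAILS_PRIMARY_FPR="A490D0F4D311A4153E2BB7CADBB802B258ACD84F"
SUBKEY_FPR="CD4D4351AFA6933F574A9AFB90B2B4BD7AED235F"

# check_status EXPECTED_FPR (hypothetical helper): reads --status-fd lines on
# stdin; succeeds only for GOODSIG + VALIDSIG whose primary key is EXPECTED_FPR.
check_status() {
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    # Bad, unverifiable, expired or revoked signatures/keys are never accepted.
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "GOODSIG" { good = 1 }
    # VALIDSIG: $3 is the signing (sub)key, $12 the primary key fingerprint.
    # Appending "" forces a string comparison, never a numeric one.
    $2 == "VALIDSIG" && ($12 "") == (want "") { pinned = 1 }
    END { exit !(good && pinned && !bad) }
  '
}

# verify_release SIG FILE (hypothetical wrapper): the result comes from the
# parsed status lines, not from gpg's localized messages.
verify_release() {
  gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
    check_status "$TAILS_PRIMARY_FPR"
}

# sample_status KEYWORD PRIMARY_FPR: constructed status output (the numeric
# VALIDSIG fields are illustrative), so the check can be exercised offline.
sample_status() {
  printf '%s\n' "[GNUPG:] NEWSIG" \
    "[GNUPG:] $1 90B2B4BD7AED235F Tails developers <tails@boum.org>" \
    "[GNUPG:] VALIDSIG $SUBKEY_FPR 2021-10-05 1633419848 0 4 0 22 10 00 $2"
}

if [ "$#" -eq 2 ]; then
  verify_release "$1" "$2" && echo "OK: signed under $TAILS_PRIMARY_FPR"
fi
```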