Verifying Tails ISO

Hi all, :wave:

I've downloaded Tails (“Running Tails in a virtual machine”) here: Tails - Running Tails in a virtual machine.

The download was 1.1 GB in size and I got “tails-amd64-4.23.iso”.
That went well and as a next step I wanted to verify the downloaded ISO. :neutral_face:

The instructions on the page (see above) were “Verify your download”.

What I wanted to do was:

gpg --verify tails-amd64-4.23.iso.sig

after having downloaded the signature. I.e. I wanted to download it but failed. :frowning_face:

Believe it or not - it just so happened that the Tails people updated the Tails ISO to the latest version tails-amd64-4.24.iso. Just now!!! :hushed:

On Index of /torrents/files/ there are only the various “[…].24” files left. :exclamation:

So I reverted to the Wayback Machine and indeed found what I was looking for here: .

Phew, that was quite something. :wink: :blush:

So at least I've got the correct signature, but I'm still stuck at this point:

gpg --verify tails-amd64-4.23.iso.sig
gpg: WARNING: unsafe permissions on homedir '/home/rosika/.gnupg'
gpg: assuming signed data in 'tails-amd64-4.23.iso'
gpg: Signature made Di 05 Okt 2021 09:44:08 CEST
gpg:                using EDDSA key CD4D4351AFA6933F574A9AFB90B2B4BD7AED235F
gpg: Can't check signature: No public key

So the issue seems to be that the respective public key hasn't been imported into my keyring yet. :thinking:

Does anyone have any ideas on how to proceed now?

Many thanks in advance and many greetings.
Rosika :slightly_smiling_face:

1 Like

That’s the signing key that is used for their released images.

Now, all you need to do is to import the public key, before attempting to verify your downloaded image.

1 Like

Hi @Akito and thanks so much for your kind help once more, :wave:

yesterday I was on the Tails site with the instructions which you kindly provided but wasn't too sure about the correct proceedings all the same. :blush:

So you helped a lot indeed. Thanks so much. :heart:

Hopefully I've done it right now.
I proceeded thus:

rosika@rosika-10159 /m/r/W/U/r/D/n/für_tails> file tails-signing.key # just for me to show the file-type
tails-signing.key: PGP public key block Public-Key (old)

rosika@rosika-10159 /m/r/W/U/r/D/n/für_tails> gpg --show-keys tails-signing.key 
gpg: WARNUNG: Unsichere Zugriffsrechte des Home-Verzeichnis `/home/rosika/.gnupg'
pub   rsa4096 2015-01-18 [C] [verfällt: 2023-01-07]
      A490D0F4D311A4153E2BB7CADBB802B258ACD84F # this correlates with the values for public fingerprint on the tails site
uid                      Tails developers (offline long-term identity key) <>
uid                      Tails developers <>
sub   rsa4096 2015-01-18 [S] [verfallen: 2018-01-11]
sub   rsa4096 2015-01-18 [S] [verfallen: 2018-01-11]
sub   rsa4096 2015-01-18 [S] [widerrufen: 2015-10-29]
sub   rsa4096 2016-08-30 [S] [verfallen: 2018-01-11]
sub   rsa4096 2017-08-28 [S] [verfällt: 2023-01-07]
sub   rsa4096 2017-08-28 [S] [widerrufen: 2020-05-29]
sub   ed25519 2017-08-28 [S] [verfällt: 2023-01-07]
sub   rsa4096 2018-08-30 [S] [widerrufen: 2021-10-14]
sub   rsa4096 2021-10-14 [S] [verfällt: 2023-01-07]

rosika@rosika-10159 /m/r/W/U/r/D/n/für_tails> gpg --import tails-signing.key 
gpg: WARNUNG: Unsichere Zugriffsrechte des Home-Verzeichnis `/home/rosika/.gnupg'
gpg: key DBB802B258ACD84F: 2172 Beglaubigungen wegen fehlender Schlüssel nicht geprüft
gpg: Schlüssel DBB802B258ACD84F: Öffentlicher Schlüssel "Tails developers (offline long-term identity key) <>" importiert
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:               importiert: 1
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: Tiefe: 0  gültig:   1  signiert:   0  Vertrauen: 0-, 0q, 0n, 0m, 0f, 1u
gpg: nächste "Trust-DB"-Pflichtüberprüfung am 2024-03-20

rosika@rosika-10159 /m/r/W/U/r/D/n/für_tails> gpg --verify tails-amd64-4.23.iso.sig
gpg: WARNUNG: Unsichere Zugriffsrechte des Home-Verzeichnis `/home/rosika/.gnupg'
gpg: die unterzeichneten Daten sind wohl in 'tails-amd64-4.23.iso'
gpg: Signatur vom Di 05 Okt 2021 09:44:08 CEST
gpg:                mittels EDDSA-Schlüssel CD4D4351AFA6933F574A9AFB90B2B4BD7AED235F
gpg: Korrekte Signatur von "Tails developers (offline long-term identity key) <>" [unbekannt] # I guess that's the important part, i.e. correct signature
gpg:                 alias "Tails developers <>" [unbekannt]
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck  = A490 D0F4 D311 A415 3E2B  B7CA DBB8 02B2 58AC D84F
     Unter-Fingerabdruck  = CD4D 4351 AFA6 933F 574A  9AFB 90B2 B4BD 7AED 235F
rosika@rosika-10159 /m/r/W/U/r/D/n/für_tails>

Sorry that it's all in German. I forgot to prepend the respective commands with LANG=en_US.UTF-8. :slightly_frowning_face:

Nevertheless I think (and hope) I've done it the right way.

Thanks again for your kind help, Akito. :kissing:

Many greetings from Rosika :slightly_smiling_face:

1 Like
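
Added example (not part of any post above, and not the Tails project's own tooling): the verification steps from the thread as a script that decides from gpg's locale-independent `--status-fd` output rather than the translated message text, and accepts only a signature whose primary key fingerprint equals a pinned value. The function names, the temporary keyring and the sample status lines are assumptions of this example; the fingerprints are those shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Pinned value: the primary fingerprint
# shown in the thread's gpg output.
TAILS_PRIMARY_FPR="A490D0F4D311A4153E2BB7CADBB802B258ACD84F"

# check_status PINNED_FPR: reads `gpg --status-fd 1 --verify` lines on stdin.
# Succeeds only if a VALIDSIG line names PINNED_FPR as the primary key
# (12th field) and gpg reported no bad, unverifiable, expired-key or
# revoked-key signature.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && $12 == want { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_iso KEYFILE SIGFILE ISOFILE: import KEYFILE into a throwaway keyring
# (mktemp -d creates it with mode 0700, so gpg does not warn about unsafe
# homedir permissions) and check the detached signature against the pin.
verify_iso() {
    home=$(mktemp -d) || return 1
    gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null &&
        gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        check_status "$TAILS_PRIMARY_FPR"
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# Constructed sample of status output for a good signature made by the
# ed25519 subkey; the timestamp and algorithm fields are illustrative.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 90B2B4BD7AED235F Tails developers (offline long-term identity key)
[GNUPG:] VALIDSIG CD4D4351AFA6933F574A9AFB90B2B4BD7AED235F 2021-10-05 1633419848 0 4 0 22 10 00 A490D0F4D311A4153E2BB7CADBB802B258ACD84F
EOF
}

# Usage: sh verify-tails.sh tails-signing.key tails-amd64-4.23.iso.sig tails-amd64-4.23.iso
if [ "$#" -eq 3 ]; then
    verify_iso "$@" && echo "signature OK, key matches pin" || { echo "REJECTED" >&2; exit 1; }
fi
```

Because the pin is compared against the primary fingerprint in the `VALIDSIG` line, a key file that merely carries the same user ID does not pass, whatever the "correct signature" text says.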