Tails above the Rest: the Installation

Validate the Signature with sha256sum

Since Tails users need to care a bit more about security than the average user, you will need to go through the extra step of validating this signature. Depending on how paranoid you are, there are a few ways you can go about this. The simplest way is to attempt to download the signature file from multiple computers that are in different locations (and even in different countries if you can swing that; see my "Raspberry Strudel: My Raspberry Pi in Austria" article in the February 2013 issue about one method of colocating a Raspberry Pi in another country). Then, confirm that all of the checksums match. The idea here is that even if someone were able to perform a MITM attack or otherwise compromise your home computer or home Internet connection, it would be much more difficult also to compromise the connection at a public computer at a library, all the computers your friends use and the computer you have at work. With this in mind, simply download as many different copies of the signature file from as many different locations you can, and then use a tool like sha256sum (like md5sum, just using a different algorithm) to compare the checksum of all the files to make sure they are all the same:


$ sha256sum tails-i386-0.22.iso.sig 
4578929f419d7f4bc99b99ec17a6c0ff3936c5bb02938d3940bac2b93580383b  
 ↪tails-i386-0.22.iso.sig

In fact, if you are downloading the same version of Tails as I'm mentioning in this article, you even could use the signature published here as an extra point to compare against.

Note: if you are truly paranoid, you also can use GPG to validate further that this signature was created with the actual Tails signing key by taking advantage of the fact that the Tails maintainer has gotten the signing key signed by a number of Debian maintainers. This process is a little more involved, but if you want to go that route, it is well-documented at https://tails.boum.org/doc/get/trusting_tails_signing_key/index.en.html#index3h1.

Validate the ISO with GPG

Once you have validated the signature, you can use it to validate the ISO. First, you need to download the public part of the signing key that was used for this signature from https://tails.boum.org/tails-signing.key. Once you have that signing key, import it into your GPG keyring:


$ cat tails-signing.key | gpg --keyid-format long --import
gpg: key 1202821CBE2CD9C1: public key "Tails developers 
 ↪(signing key) <tails@boum.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

With the signing key imported, you now can verify the ISO image with GPG:


$ gpg --keyid-format long --verify tails-i386-0.22.iso.sig 
 ↪tails-i386-0.22.iso

If you have added the signing key to your keyring, you will get a reply like:


gpg: Signature made Mon 09 Dec 2013 02:50:48 PM PST
gpg:                using RSA key 1202821CBE2CD9C1
gpg: Good signature from "Tails developers (signing key) 
     ↪<tails@boum.org>"
gpg:                 aka "T(A)ILS developers (signing key) 
     ↪<amnesia@boum.org>"
Primary key fingerprint: 0D24 B36A A9A2 A651 7878  7645 
 ↪1202 821C BE2C D9C1

Otherwise, you will more likely see the following output:


gpg: Signature made Mon 09 Dec 2013 02:50:48 PM PST
gpg:                using RSA key 1202821CBE2CD9C1
gpg: Good signature from "Tails developers (signing key) 
     ↪<tails@boum.org>"
gpg:                 aka "T(A)ILS developers (signing key) 
     ↪<amnesia@boum.org>"
gpg: WARNING: This key is not certified with a trusted 
               ↪signature!
gpg:          There is no indication that the signature 
               ↪belongs to the owner.
Primary key fingerprint: 0D24 B36A A9A2 A651 7878  7645 
 ↪1202 821C BE2C D9C1

Either output means the signature matched, and you have the legitimate ISO. The warning in the second reply simply means you haven't personally signed the Tails signing key with your own key, so it's not part of your web of trust.

The following reply is one to look out for. If you see this, it means the ISO was not correct and either downloaded incorrectly or was tampered with and can't be trusted:


gpg: Signature made Mon 09 Dec 2013 02:50:48 PM PST
gpg:                using RSA key 1202821CBE2CD9C1
gpg: BAD signature from "Tails developers (signing key) 
     ↪<tails@boum.org>"

______________________

Kyle Rankin is a director of engineering operations in the San Francisco Bay Area, the author of a number of books including DevOps Troubleshooting and The Official Ubuntu Server Book, and is a columnist for Linux Journal.

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState