[sf-lug] most of my iso files are stashed

Rick Moen rick at linuxmafia.com
Thu Nov 16 12:38:20 PST 2017

Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):

>     I gave up on copying TAILS but there is a new version available.
> The complex .sig files and the lack of easily accessible checksums
> seem to defeat the security if I am downloading and copying
> the files.  I will get it if someone wants TAILS but they will
> have to do the checksums and signature authentications.

Good for you, for bothering to check not just checksums but also gpg
signatures.  I am gathering from
https://tails.boum.org/install/download/openpgp/index.en.html that the
Tails developers do a cryptographic signature of the ISO directly rather
than signing a checksum file.  And thus, you can vet the ISO using gpg.

They say that if you're torrenting the ISO, the BitTorrent client vets
the received pieces against a crypto signature in the torrent file:

Of course, all of this hinges on the authenticity of your copy of the
Tails signing key -- so, if you're maximally concerned you would want
to check attestations of that key via OpenPGP web of trust:
(As always, this web of trust can work only if you've participated in
keysignings such that a valid chain of signatures from yours to the
developer signing key exists.)
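
The gpg check discussed in the message above, as an added example that is not part of the original post: it verifies a detached signature over an image and also requires that the signature come from a key whose fingerprint was checked beforehand, since a "good signature" from an unvetted key proves nothing. The function names, the throwaway key and the small file standing in for the ISO are all constructed for illustration; it assumes GnuPG 2.1 or later.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. The key, the file standing in for
# the ISO and every name below are constructed; none of it is the real Tails key.
# Both functions use the keyring in $GNUPGHOME, which the caller exports.

# verify_iso ISO SIG EXPECTED_PRIMARY_FPR
# Succeeds only if SIG is a good detached signature over ISO *and* it was made
# by the key whose primary fingerprint the caller checked out of band.
verify_iso() {
    local iso=$1 sig=$2 want=$3 status fpr
    # --status-fd emits stable machine-readable lines; do not parse the human text.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$iso" 2>/dev/null) || return 1
    # The last field of VALIDSIG is the primary-key fingerprint, even when a
    # signing subkey made the signature.
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$fpr" ] && [ "$fpr" = "$want" ]
}

# make_demo DIR
# Creates a throwaway key in $GNUPGHOME, a stand-in "ISO" and its detached
# signature under DIR, then prints the throwaway key's fingerprint.
make_demo() {
    local d=$1
    mkdir -p -m 700 "$GNUPGHOME" || return 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Constructed Demo Key <demo@example.invalid>' \
        ed25519 sign never >/dev/null 2>&1 || return 1
    printf 'constructed stand-in for an ISO image\n' > "$d/demo.iso"
    gpg --batch --quiet --detach-sign --output "$d/demo.iso.sig" \
        "$d/demo.iso" >/dev/null 2>&1 || return 1
    gpg --batch --with-colons --list-keys 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Run as "./verify.sh demo" to see one accepted and one rejected verification.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && export GNUPGHOME="$d/gnupg"
    fpr=$(make_demo "$d") || exit 1
    verify_iso "$d/demo.iso" "$d/demo.iso.sig" "$fpr" && echo "accepted: $fpr"
    echo tampered >> "$d/demo.iso"
    verify_iso "$d/demo.iso" "$d/demo.iso.sig" "$fpr" || echo "rejected after tampering"
fi
```

For a real download, the third argument is the signing key's fingerprint as obtained through a channel you already trust, which is the dependency the message describes.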

