[sf-lug] most of my iso files are stashed
Rick Moen
rick at linuxmafia.com
Thu Nov 16 12:38:20 PST 2017
Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):
> I gave up on copying TAILS but there is a new version available.
> The complex .sig files and the lack of easily accessible checksums
> seem to defeat the security if I am downloading and copying
> the files. I will get it if someone wants TAILS but they will
> have to do the checksums and signature authentications.
Good for you, for bothering to check not just checksums but also gpg
signatures. I am gathering from
https://tails.boum.org/install/download/openpgp/index.en.html that the
Tails developers do a cryptographic signature of the ISO directly rather
than signing a checksum file. And thus, you can vet the ISO using gpg.
https://tails.boum.org/install/download/openpgp/index.en.html
They say that if you're torrenting the ISO, the BitTorrent client vets
the received pieces against a crypto signature in the torrent file:
https://tails.boum.org/install/download/index.en.html
Of course, all of this hinges on the authenticity of your copy of the
Tails signing key -- so, if you're maximally concerned you would want
to check attestations of that key via OpenPGP web of trust:
https://tails.boum.org/install/download/openpgp/index.en.html#wot
(As always, this web of trust can work only if you've participated in
keysignings such that a valid chain of signatures from yours to the
developer signing key exists.)
More information about the sf-lug
mailing list