compis
1
Why does tails use an .img installation file instead of an ISO? This would allow local SHA256 verification of the ISO instead of using the “select your download”, Tails - Install Tails from Linux to verify the download ?
1 Like
Hi,
Local verification of sha256 has nothing to do with it being a .img or an .iso file. You can check sha256 in both case. Tails (and TorBrowser, and many other security sensitive projects) prefer to use PGP over sha256 because it provides better security against downloads from a rogue (or hacked) mirror.
Tails actually has iso releases, they are linked from the guide to burn Tails on a DVD, which are signed the same way as .img releases.
If you don’t like the “select your download” way of verifying your download, you can use gpg to do the same locally. Tails thinks this provides little benefit for people who don’t already know about gpg, while TB (which has no such “verify my download” afaik) provides a guide on how to verify your download locally
4 Likes
Vort
3
Why does tails use an .img installation file instead of an ISO?
Because you were looking at instructions for USB drives.
Here are instructions for DVDs:
https://tails.net/install/dvd/index.en.html
3 Likes
compis
4
I am looking to use Tails on a USB. Th question still has not been answered as to why a .img file for USB instead of .ISO.
1 Like
You can ask questions about Tails in the XMPP chatroom.
https://tails.net/support/chat/index.en.html
1 Like
compis
6
This is a valid forum for tails.
2 Likes
Sure, then feel free to continue to wait around until someone answers your original question from over 2 months ago.
1 Like
It is strange that tails unike almost every other distro uses an .img and when verification is done after Tails is installed it has to be done from the tails web site installed of the user performing a check using sha256. Since a SHA256 is a simple calculation of a file which only produces one value it is an easy an popular method to validate any file. How does the tails site connect to a users computer and validate the file on the users machine?
1 Like
The user selects their image file with a prompt, then the website compares it using JavaScript against a SHA256 checksum from this URL:
https://tails.net/install/v2/Tails/amd64/stable/latest.json
If JavaScript is disabled, the website will mention manually comparing the SHA256 checksum using GtkHash, which can be installed in Tails as additional software:
Otherwise, you can also verify the image’s integrity using the OpenPGP signing key and the OpenPGP signature files of either the IMG or ISO. If the image was downloaded through a BitTorrent client, it is automatically verified with the included checksum file after the download is finished.
See also:
https://tails.net/contribute/design/download_verification/
2 Likes
compis
10
the user does not have the option to perform their own sha256 hash. Where is the sha256 values for tails?
1 Like
They are found at https://tails.net/install/v2/Tails/amd64/stable/latest.json. Here is the current output for the latest release of Tails:
{
"build_target": "amd64",
"channel": "stable",
"installations": [
{
"installation-paths": [
{
"target-files": [
{
"sha256": "81177ab73849b2a8d7a6d9a42867128f36be4fe5abd7920c126515be740eff23",
"size": 1474297856,
"url": "https://download.tails.net/tails/stable/tails-amd64-6.3/tails-amd64-6.3.img"
}
],
"type": "img"
},
{
"target-files": [
{
"sha256": "784f7dffd1aa8a8b8ceea0b1175c70b1c02a14ecf4077f85c30706e895e00422",
"size": 1464100864,
"url": "https://download.tails.net/tails/stable/tails-amd64-6.3/tails-amd64-6.3.iso"
}
],
"type": "iso"
}
],
"version": "6.3"
}
],
"product-name": "Tails"
}
As I have previously mentioned above your post, when JavaScript is disabled on the Tails website, it informs the user can manually verify the SHA256 checksum using GtkHash.
1 Like
