Re: [Tails-dev] download and boot tails iso

Delete this message

Reply to this message
Autor: linux-service
Data:  
A: tails-dev
Assumpte: Re: [Tails-dev] download and boot tails iso
A pre-script downloads and excecute this tails dowloadscript every time
the user wants to upgrade:

rm tails.iso
/usr/local/sbin/download.sh
https://tails.osuosl.org/stable/tails-amd64-4.0/tails-amd64-4.0.iso
rm *sig
rm tails-signing.key
wget https://tails.boum.org/torrents/files/tails-amd64-4.0.iso.sig
wget https://tails.boum.org/tails-signing.key
gpg --import tails-signing.key
TZ=UTC gpg --no-options --keyid-format long --verify
/iso/tails-amd64-4.0.iso.sig /iso/tails-amd64-4.0.iso
if [ $? -eq 0 ]
then
    yad  --width=380  --title "**Iso verified**" --text "Tails Iso is
verified, use ubu-live to start tails session"  --button="OK" --timeout=5
mv /iso/tails-amd64-4.0.iso /iso/tails.iso
else
    yad  --width=220  --title "**Iso not verified**" --text "Iso is not
verified"  --button="OK"
fi


Every time a new version comes out, i have to edit this script to the
correct versions.


gd

Op 20/10/19 om 19:15 schreef intrigeri:
> Hi,
>
> linux-service:
>> This gives me a verified iso:
> Sure.
>
> Some drawbacks include:
>
> - The "3.16" bits have to come from somewhere that can be trusted.
>
>   - Depending on the environment this script is run in, you may be
>     trusting only our current signing key, or our current signing key
>     and older ones, or any key in the user's keyring.

>
>   - Any ISO image that got signed by one of the aforementioned keys
>     will pass this verification. So the mirror you're using could send
>     users an old ISO and the script would still be happy. It has
>     happened in the past that our Upgrader was broken in a Tails
>     release, so this may lead to users running a dangerously obsolete
>     Tails without noticing.

>
> So yeah, automated installers and upgraders are a hard problem :/
>
> Cheers,