A pre-script downloads and excecute this tails dowloadscript every time
the user wants to upgrade:
rm tails.iso
/usr/local/sbin/download.sh
https://tails.osuosl.org/stable/tails-amd64-4.0/tails-amd64-4.0.iso
rm *sig
rm tails-signing.key
wget
https://tails.boum.org/torrents/files/tails-amd64-4.0.iso.sig
wget
https://tails.boum.org/tails-signing.key
gpg --import tails-signing.key
TZ=UTC gpg --no-options --keyid-format long --verify
/iso/tails-amd64-4.0.iso.sig /iso/tails-amd64-4.0.iso
if [ $? -eq 0 ]
then
yad --width=380 --title "**Iso verified**" --text "Tails Iso is
verified, use ubu-live to start tails session" --button="OK" --timeout=5
mv /iso/tails-amd64-4.0.iso /iso/tails.iso
else
yad --width=220 --title "**Iso not verified**" --text "Iso is not
verified" --button="OK"
fi
Every time a new version comes out, i have to edit this script to the
correct versions.
gd
Op 20/10/19 om 19:15 schreef intrigeri:
> Hi,
>
> linux-service:
>> This gives me a verified iso:
> Sure.
>
> Some drawbacks include:
>
> - The "3.16" bits have to come from somewhere that can be trusted.
>
> - Depending on the environment this script is run in, you may be
> trusting only our current signing key, or our current signing key
> and older ones, or any key in the user's keyring.
>
> - Any ISO image that got signed by one of the aforementioned keys
> will pass this verification. So the mirror you're using could send
> users an old ISO and the script would still be happy. It has
> happened in the past that our Upgrader was broken in a Tails
> release, so this may lead to users running a dangerously obsolete
> Tails without noticing.
>
> So yeah, automated installers and upgraders are a hard problem :/
>
> Cheers,
