Re: [Tails-dev] download and boot tails iso

Delete this message

Reply to this message
Author: linux-service
To: tails-dev
Subject: Re: [Tails-dev] download and boot tails iso
A pre-script downloads and excecute this tails dowloadscript every time
the user wants to upgrade:

rm tails.iso
rm *sig
rm tails-signing.key
gpg --import tails-signing.key
TZ=UTC gpg --no-options --keyid-format long --verify
/iso/tails-amd64-4.0.iso.sig /iso/tails-amd64-4.0.iso
if [ $? -eq 0 ]
    yad  --width=380  --title "**Iso verified**" --text "Tails Iso is
verified, use ubu-live to start tails session"  --button="OK" --timeout=5
mv /iso/tails-amd64-4.0.iso /iso/tails.iso
    yad  --width=220  --title "**Iso not verified**" --text "Iso is not
verified"  --button="OK"

Every time a new version comes out, i have to edit this script to the
correct versions.


Op 20/10/19 om 19:15 schreef intrigeri:
> Hi,
> linux-service:
>> This gives me a verified iso:
> Sure.
> Some drawbacks include:
> - The "3.16" bits have to come from somewhere that can be trusted.
>   - Depending on the environment this script is run in, you may be
>     trusting only our current signing key, or our current signing key
>     and older ones, or any key in the user's keyring.

>   - Any ISO image that got signed by one of the aforementioned keys
>     will pass this verification. So the mirror you're using could send
>     users an old ISO and the script would still be happy. It has
>     happened in the past that our Upgrader was broken in a Tails
>     release, so this may lead to users running a dangerously obsolete
>     Tails without noticing.

> So yeah, automated installers and upgraders are a hard problem :/
> Cheers,