Our Authentication & Quality Assurance Procedure For Creating Tails Media

Our Authentication & Quality Assurance Procedure For Creating Tails Media

1. Open terminal

Mint Menu > Administration > Terminal

2. Enter the commands below followed by tapping the enter key to change to the Downloads folder

cd Downloads

3. Next make a directory for tails and change to the tails folder

mkdir tails
cd tails

4. Now download tails using the wget command:

(https://tails.boum.org/ > Install Tails > Linux > right click and copy link for Download Tails x.xx USB image)

wget https://download.tails.net/tails/stable/tails-amd64-5.9/tails-amd64-5.9.img

5. Use the ls command to see what is in the folder


Example output:


6. Download signature and signing key from https://tails.boum.org:

Note: Go to Install Tails > Linux and scroll down to Verify your download and click the OpenPGP signature link for signature and signing key

wget https://tails.boum.org/tails-signing.key
gpg --import < tails-signing.key

Example output:

gpg: key DBB802B258ACD84F: 2172 signatures not checked due to missing keys
gpg: key DBB802B258ACD84F: "Tails developers " 5 new signatures
gpg: Total number processed: 1
gpg: new signatures: 5
gpg: no ultimately trusted keys found

Note: You don't have to worry about no ultimately trusted keys found message, we'll verify this in a moment via another means

7. Download and verify signature for tails image

wget https://tails.boum.org/torrents/files/tails-amd64-5.9.img.sig

8. Install the Debian keyring. It contains the OpenPGP keys of all Debian developers.

sudo apt update && sudo apt install debian-keyring

9. Import the OpenPGP key of Chris Lamb, a former Debian Project Leader, from the Debian keyring into your keyring.

gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --export chris@chris-lamb.co.uk | gpg --import

10. Verify the certifications made on the Tails signing key.

gpg --keyid-format 0xlong --check-sigs A490D0F4D311A4153E2BB7CADBB802B258ACD84F | grep Lamb

In the output of this command, look for the following line:

sig! 0x1E953E27D4311E58 2020-03-19 Chris Lamb

Note: Here, sig!, with an exclamation mark, means that Chris Lamb verified and certified the Tails signing key with his key.

Note: If the verification of the certification failed, then you might have downloaded a malicious version of the Tails signing key

11. Certify the Tails signing key with your own key

gpg --lsign-key A490D0F4D311A4153E2BB7CADBB802B258ACD84F

12. Verify that the USB image is signed by the Tails signing key:

TZ=UTC gpg --no-options --keyid-format long --verify tails-amd64-5.9.img.sig tails-amd64-5.9.img

Example output:

gpg: Signature made Mon 23 Jan 2023 12:30:07 PM UTC
gpg: using RSA key 753F901377A309F2731FA33F7BFBD2B902EE13D0
gpg: Good signature from "Tails developers " [unknown]
gpg: aka "Tails developers (offline long-term identity key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F
Subkey fingerprint: 753F 9013 77A3 09F2 731F A33F 7BFB D2B9 02EE 13D0

Note: You will want to check that the output says Good signature from the tails developers

Note: The WARNING: about the signature not being certified is normal and nothing to worry about, it just means you haven't met the Tails developers, but we have verified that the Debian developers certified the Tails developers signing key

Note: The date of the signature is recent, an outdated signature could mean that the version of Tails you downloaded is older and full of security issues and not the version you think it is claiming to be. New Versions of Tails are released regularly. If it's more than a handful of months old you may have a security problem.

13. Make sure that the USB stick on which you want to install Tails is unplugged

ls -1 /dev/sd?

Example output:


Note. Notice in the above output there is a drive shown, this is the internal drive on the system, we DO NOT want to wipe it out by accident.

If you are unsure about the device name, you should stop proceeding or you risk overwriting any hard disk on the system.

14. Now plug in your USB flash drive and run the command again:

ls -1 /dev/sd?

Example output:


15. The new device /dev/sdb is out USB flash drive, more than likely. We're going to check the size and verify it matches what we plugged in to be extra cautious.

sudo fdisk -l /dev/sdb

Example output:

[sudo] password for think:
Disk /dev/sdb: 59.75 GiB, 64160400896 bytes, 125313283 sectors
Disk model: Flash Drive
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device Boot Start End Sectors Size Id Type
/dev/sdb1 128 125313250 125313123 59.8G 7 HPFS/NTFS/exFAT

Notice that the /dev/sdb drive is 59.75GB which is approximately what the USB flash drive has printed on it (64GB). Thus this is the right drive assuming we don't have multiple drives in the system of a similar size.

16. We're going to unmount the /dev/sdb1 to ensure we can reliably write an image to this flash drive

umount /dev/sdb1

17. Repeat the command and it should now show the flash drive is not mounted

Example output:

umount: /dev/sdb1: not mounted.

18. Replace FLASH_DRIVE_DEVICE in the command options below with your flash drive's location, so in our above example that was /dev/sdb, and tails-amd64-5.9.img with the version of tails you are writing.

sudo dd if=tails-amd64-5.9.img of=FLASH_DRIVE_DEVICE bs=16M oflag=direct status=progress

Example output:

1342177280 bytes (1.3 GB, 1.2 GiB) copied, 39 s, 34.4 MB/s
80+0 records in
80+0 records out
1342177280 bytes (1.3 GB, 1.2 GiB) copied, 39.0365 s, 34.4 MB/s

19. Run sync to make sure your data is synced to the flash drive


20. We need to get a hash or a fingerprint of the tails image to verify the data written to the disk. To get this run the following command.

sha256sum tails-amd64-5.9.img

Example output:

6e5ec07352155940191e1c522281cc508358ea67a293e5a764316caa42c2c330 tails-amd64-5.9.img

21. Identify the size of the img image using the stat command

stat -c '%s' tails-amd64-5.9.img

Example output:


21. The above output, 1342177280, is the number of bytes of the tails image. We can use this to read this many bytes from the image written to disk and get a fingerprint or hash to compare against that what should have been written. This will pick up on a faulty flash drive. Make sure to replace 1342177280 with that of your image from stat command above and the drive /dev/sdb with that of your flash drive.

sudo head -c 1342177280 /dev/sdb | sha256sum

Example output:

6e5ec07352155940191e1c522281cc508358ea67a293e5a764316caa42c2c330 -

If the line above matches the output of the hash in step 20 then the data was successfully written to the flash drive and no corruption occurred. This QA ensures a reliable install medium.

That's it! Authenticated and verified quality installation media produced.