Verifying a USB flash drive contains an authentic copy of Tails

We follow a set of procedures to ensure that every flash drive we ship contains a legitimate and verified copy of Tails. You can find our full procedures for making a flash drive online. However, we want to take this a step further and enable our customers to verify, quickly and fairly easily, that a flash drive they received contains an authentic copy of Tails. Here are the directions for authenticating the contents of a flash drive that already contains a copy of Tails.

1. Open terminal

Menu > Administration > Terminal

2. Enter the commands below followed by tapping the enter key to change to the Downloads folder

cd Downloads

3. Next make a directory for tails and change to the tails folder

mkdir tails
cd tails

4. Download signature and signing key from https://tails.boum.org:

Note: Go to Install Tails > Linux and scroll down to Verify your download and click the OpenPGP signature link for signature and signing key

wget https://tails.boum.org/tails-signing.key
gpg --import < tails-signing.key

Example output:

gpg: key DBB802B258ACD84F: 2172 signatures not checked due to missing keys
gpg: key DBB802B258ACD84F: "Tails developers " 5 new signatures
gpg: Total number processed: 1
gpg: new signatures: 5
gpg: no ultimately trusted keys found

Note: You don't have to worry about the "no ultimately trusted keys found" message; we'll verify the key in a moment by another means.

5. Download the signature for the Tails image (it is verified against the flash drive in step 14)

wget https://tails.boum.org/torrents/files/tails-amd64-5.9.img.sig

6. Install the Debian keyring. It contains the OpenPGP keys of all Debian developers.

sudo apt update && sudo apt install debian-keyring

7. Import the OpenPGP key of Chris Lamb, a former Debian Project Leader, from the Debian keyring into your keyring.

gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --export chris@chris-lamb.co.uk | gpg --import

8. Verify the certifications made on the Tails signing key.

gpg --keyid-format 0xlong --check-sigs A490D0F4D311A4153E2BB7CADBB802B258ACD84F

In the output of this command, look for the following line:

sig! 0x1E953E27D4311E58 2020-03-19 Chris Lamb

Note: Here, sig!, with an exclamation mark, means that Chris Lamb verified and certified the Tails signing key with his key.

Note: If the verification of the certification failed, then you might have downloaded a malicious version of the Tails signing key

9. Certify the Tails signing key with your own key

gpg --lsign-key A490D0F4D311A4153E2BB7CADBB802B258ACD84F

10. Make sure that the USB stick which contains Tails is unplugged and then run the command below

ls -1 /dev/sd?

Example output:

/dev/sda

Note: The above output shows only an internal drive, as we currently have no USB flash drives plugged into the system

11. Now plug in your USB flash drive and run the command again:

ls -1 /dev/sd?

Example output:

/dev/sda
/dev/sdb

12. Since we identified /dev/sda as an internal drive, the USB flash drive must be /dev/sdb. You can verify this by checking that the size printed on the drive roughly matches the size in the output of the command below

sudo fdisk -l /dev/sdb

Example output:

[sudo] password for think:
Disk /dev/sdb: 59.75 GiB, 64160400896 bytes, 125313283 sectors
Disk model: Flash Drive
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device Boot Start End Sectors Size Id Type
/dev/sdb1 128 125313250 125313123 59.8G 7 HPFS/NTFS/exFAT

Notice that the /dev/sdb drive is 59.75GB which is approximately what the USB flash drive has printed on it (64GB). Thus this is the right drive assuming we don't have multiple drives in the system of a similar size.

13. We need to identify the size of the Tails image. Open a browser and go to https://tails.boum.org/ > Install Tails > Linux and scroll down to the Download Tails button. Right click it and copy the link. Replace the link in the command below with the one you copied.

curl -s -L -I https://download.tails.net/tails/stable/tails-amd64-5.9/tails-amd64-5.9.img | grep 'content-length\|Content-Length'

Example output:

Content-Length: 1342177280

14. We are going to verify the written data matches the signature from the Tails developers using the following command, but replacing the number 1342177280 with the output you got from step 13 and /dev/sdb with your flash drive from step 12

sudo head -c 1342177280 /dev/sdb | TZ=UTC gpg --no-options --keyid-format long --verify tails-amd64-5.9.img.sig -

Note: You will want to check that the output says Good signature from the Tails developers

Note: The WARNING: about the signature not being certified is normal and nothing to worry about. It just means you haven't met the Tails developers, but we have verified that the Debian developers certified the Tails developers' signing key

Note: Check that the date of the signature is recent. An outdated signature could mean that the version of Tails you have is older and full of security issues, and not the version it claims to be. New versions of Tails are released regularly. If the signature is more than a handful of months old, you may have a security problem.
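
Steps 13 and 14 can also be checked by a script instead of by eye. The following is an added example, not part of our original procedure: it reads gpg's machine-readable --status-fd output and accepts the drive only if the signature is valid, was made by the key with the fingerprint from step 8, and is recent. The function names and the 180-day limit (standing in for "a handful of months") are assumptions of this example.

```sh
#!/bin/sh
# Added example: steps 13-14 as a script. Names below are not from the original page.
TAILS_FPR=A490D0F4D311A4153E2BB7CADBB802B258ACD84F  # primary key checked in step 8
MAX_AGE_DAYS=180  # assumption standing in for "a handful of months"

# Read `curl -s -L -I` output on stdin and print the image size.
# Redirects produce several header blocks, so the last Content-Length wins;
# header names are matched case-insensitively and the trailing CR is removed.
content_length() {
    tr -d '\r' | awk -F': *' '
        tolower($1) == "content-length" { n = $2 }
        END { if (n ~ /^[0-9]+$/) print n; else exit 1 }'
}

# Read `gpg --status-fd 1 --verify` output on stdin. Succeed only if a VALIDSIG
# line ends with the expected primary key fingerprint ($1), its signature
# timestamp (field 5, epoch seconds) is at most $2 days before $3 (default:
# now), and gpg reported no BADSIG or ERRSIG.
sig_ok() {
    awk -v want="$1" -v max_days="$2" -v now="${3:-$(date +%s)}" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && $NF == want {
            age = (now - $5) / 86400
            if (age >= 0 && age <= max_days) ok = 1
        }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        END { exit !(ok && !bad) }'
}

# verify_stick DEVICE IMAGE_URL SIGFILE  (needs read access to DEVICE)
verify_stick() {
    size=$(curl -s -L -I "$2" | content_length) ||
        { echo "could not read Content-Length" >&2; return 2; }
    head -c "$size" "$1" |
        TZ=UTC gpg --no-options --status-fd 1 --verify "$3" - 2>/dev/null |
        sig_ok "$TAILS_FPR" "$MAX_AGE_DAYS"
}

if [ "$#" -eq 3 ]; then
    if verify_stick "$@"; then echo "OK: valid, recent Tails signature"
    else echo "FAIL: do not use this drive" >&2; exit 1; fi
fi
```

Save it in the tails folder and run it with sudo, passing the device from step 12, the link copied in step 13 and the .sig file from step 5.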