Tails installation using img

Why does tails use an .img installation file instead of an ISO? This would allow local SHA256 verification of the ISO instead of using the “select your download”, Tails - Install Tails from Linux to verify the download ?

1 Like

Hi,

Local verification of sha256 has nothing to do with it being a .img or an .iso file. You can check sha256 in both case. Tails (and TorBrowser, and many other security sensitive projects) prefer to use PGP over sha256 because it provides better security against downloads from a rogue (or hacked) mirror.
Tails actually has iso releases, they are linked from the guide to burn Tails on a DVD, which are signed the same way as .img releases.

If you don’t like the “select your download” way of verifying your download, you can use gpg to do the same locally. Tails thinks this provides little benefit for people who don’t already know about gpg, while TB (which has no such “verify my download” afaik) provides a guide on how to verify your download locally

5 Likes

Why does tails use an .img installation file instead of an ISO?

Because you were looking at instructions for USB drives.
Here are instructions for DVDs:

https://tails.net/install/dvd/index.en.html

3 Likes

I am looking to use Tails on a USB. Th question still has not been answered as to why a .img file for USB instead of .ISO.

1 Like

You can ask questions about Tails in the XMPP chatroom.

https://tails.net/support/chat/index.en.html

2 Likes

This is a valid forum for tails.

2 Likes

Sure, then feel free to continue to wait around until someone answers your original question from over 2 months ago.

1 Like

It is strange that tails unike almost every other distro uses an .img and when verification is done after Tails is installed it has to be done from the tails web site installed of the user performing a check using sha256. Since a SHA256 is a simple calculation of a file which only produces one value it is an easy an popular method to validate any file. How does the tails site connect to a users computer and validate the file on the users machine?

1 Like

The user selects their image file with a prompt, then the website compares it using JavaScript against a SHA256 checksum from this URL:

https://tails.net/install/v2/Tails/amd64/stable/latest.json

If JavaScript is disabled, the website will mention manually comparing the SHA256 checksum using GtkHash, which can be installed in Tails as additional software:

Otherwise, you can also verify the image’s integrity using the OpenPGP signing key and the OpenPGP signature files of either the IMG or ISO. If the image was downloaded through a BitTorrent client, it is automatically verified with the included checksum file after the download is finished.

See also:

https://tails.net/contribute/design/download_verification/

3 Likes

the user does not have the option to perform their own sha256 hash. Where is the sha256 values for tails?

1 Like

They are found at https://tails.net/install/v2/Tails/amd64/stable/latest.json. Here is the current output for the latest release of Tails:

{
  "build_target": "amd64",
  "channel": "stable",
  "installations": [
    {
      "installation-paths": [
        {
          "target-files": [
            {
              "sha256": "81177ab73849b2a8d7a6d9a42867128f36be4fe5abd7920c126515be740eff23",
              "size": 1474297856,
              "url": "https://download.tails.net/tails/stable/tails-amd64-6.3/tails-amd64-6.3.img"
            }
          ],
          "type": "img"
        },
        {
          "target-files": [
            {
              "sha256": "784f7dffd1aa8a8b8ceea0b1175c70b1c02a14ecf4077f85c30706e895e00422",
              "size": 1464100864,
              "url": "https://download.tails.net/tails/stable/tails-amd64-6.3/tails-amd64-6.3.iso"
            }
          ],
          "type": "iso"
        }
      ],
      "version": "6.3"
    }
  ],
  "product-name": "Tails"
}

As I have previously mentioned above your post, when JavaScript is disabled on the Tails website, it informs the user can manually verify the SHA256 checksum using GtkHash.

1 Like

404 file no found for https://tails.net/install/v2/Tails/amd64/stable/latest
If it is valid why is it not placed where the download area is located ?

1 Like

What do you mean?

sha256sum Downloads/tails-amd64-6.4-img/tails-amd64-6.4.img

f8c36fad61a7f8c0fce45202369f85499a1c90f1bc7e5e5b320f2de1c3fa4e8d 

You missed the file extension. It is https://tails.net/install/v2/Tails/amd64/stable/latest.json, not https://tails.net/install/v2/Tails/amd64/stable/latest.

As FranklyF shared.

As to why not make the hash more visible? Well, that’s a question for devs. They decided to make an easier UX by checking it for you. They also mention that if you use BT, the check is automatically made.

1 Like

The link you quoted is invalid because the JSON extension is omitted from the URL, so you need to append .json to the end of the URL path to properly resolve it.

Still the question is why is this not made available in the download area?

2 Likes

Not sure, you could email Tails’ help desk for questions regarding their decisions and the reasoning behind them:

https://tails.net/support/index.en.html

1 Like

I shouldn’t have to Email them it is logical as an example several Linux distros locate verification SHA256 hash where the download is located.

2 Likes

Sure, then feel free to continue to wait around until someone from Tails’ help desk discovers and answers your various questions on the Tor Project Forum.

4 Likes