A pre-script downloads and executes this Tails download script every time
the user wants to upgrade:
rm tails.iso
/usr/local/sbin/download.sh \
  https://tails.osuosl.org/stable/tails-amd64-4.0/tails-amd64-4.0.iso
rm *sig
rm tails-signing.key
wget https://tails.boum.org/torrents/files/tails-amd64-4.0.iso.sig
wget https://tails.boum.org/tails-signing.key
gpg --import tails-signing.key
TZ=UTC gpg --no-options --keyid-format long --verify \
  /iso/tails-amd64-4.0.iso.sig /iso/tails-amd64-4.0.iso
if [ $? -eq 0 ]
then
  yad --width=380 --title "**Iso verified**" \
    --text "Tails Iso is verified, use ubu-live to start tails session" \
    --button="OK" --timeout=5
  mv /iso/tails-amd64-4.0.iso /iso/tails.iso
else
  yad --width=220 --title "**Iso not verified**" --text "Iso is not verified" \
    --button="OK"
fi
Every time a new version comes out, I have to edit this script to the
correct versions.
gd
On 20/10/19 at 19:15, intrigeri wrote:
Hi,
linux-service:
This gives me a verified iso:
Sure.
Some drawbacks include:
- The "3.16" bits have to come from somewhere that can be trusted.
- Depending on the environment this script is run in, you may be
trusting only our current signing key, or our current signing key
and older ones, or any key in the user's keyring.
- Any ISO image that got signed by one of the aforementioned keys
will pass this verification. So the mirror you're using could send
users an old ISO and the script would still be happy. It has
happened in the past that our Upgrader was broken in a Tails
release, so this may lead to users running a dangerously obsolete
Tails without noticing.
So yeah, automated installers and upgraders are a hard problem :/
Cheers,
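
The key-trust and old-ISO drawbacks listed in the reply above can be checked mechanically from gpg's machine-readable status output. The following is an added example, not code from either poster or from the Tails project; PINNED_FPR, MIN_EPOCH and the function names are assumptions, and the sample fingerprints and timestamp are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: PINNED_FPR is the
# signing key's primary fingerprint obtained out of band, and MIN_EPOCH is the
# signature time of the release already installed.

# check_sig_status PINNED_FPR MIN_EPOCH   (gpg --status-fd lines on stdin)
#   0 = valid signature by the pinned key, not older than MIN_EPOCH
#   1 = no valid signature by the pinned key
#   2 = valid signature, but older than MIN_EPOCH (stale or replayed ISO)
check_sig_status() {
    awk -v pinned="$1" -v min="$2" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the signing (sub)key, field 12 the primary key,
            # field 5 the signature time (rejected unless epoch seconds).
            primary = (NF >= 12) ? $12 : $3
            if (toupper(primary) != toupper(pinned) || $5 !~ /^[0-9]+$/) {
                bad = 1; next
            }
            seen = 1
            if ($5 + 0 < min + 0) old = 1
        }
        END { if (bad || !seen) exit 1; if (old) exit 2; exit 0 }
    '
}

# verify_iso KEYFILE SIGFILE ISOFILE PINNED_FPR MIN_EPOCH
# Imports KEYFILE into a throwaway keyring so keys already in the user
# keyring cannot satisfy the check, then applies check_sig_status.
verify_iso() {
    home=$(mktemp -d) || return 1
    if gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null; then
        gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" \
            2>/dev/null | check_sig_status "$4" "$5"
        rc=$?
    else
        rc=1
    fi
    rm -rf "$home"
    return "$rc"
}

# Constructed status lines for illustration (fingerprints and time made up).
FPR_A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SUB_A=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
SAMPLE_STATUS="[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Constructed Signing Key
[GNUPG:] VALIDSIG $SUB_A 2019-10-21 1571616000 0 4 0 1 10 00 $FPR_A"
```

A caller would record the signature time of each accepted image and pass it as MIN_EPOCH on the next upgrade. This does not address the first drawback: the version string still has to come from a trusted source.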
_______________________________________________
Tails-dev mailing list