Tails transitioned to a new signing key between Tails 1.3 (February 24) and Tails 1.3.1 (March 31). If you had the previous signing key, make sure to import and verify the new signing key.

Install seahorse-nautilus

You need to have the seahorse-nautilus package installed.

  • seahorse-nautilus is already installed in Tails.
  • In Debian or Ubuntu, if you are unsure or want to install seahorse-nautilus, you can issue the following commands:
    sudo apt-get update
    sudo apt-get install seahorse-nautilus
    

    The seahorse-nautilus package is only available in:

    • Debian starting from version 7 (Wheezy), as a backport. See the installation instructions on the Debian Backports website.
    • Ubuntu starting from version 14.04 (Trusty).

    If you are unable to install it, try verifying the ISO using the command line.

Get the Tails signing key

If you are using Tails, you already have the signing key. Otherwise, first download Tails signing key:

Tails signing key

Your browser should propose you to open it with "Import Key". Choose this action. It will add Tails signing key to your keyring, the collection of OpenPGP keys you already imported:

What should the web browser do with this file? Open
with: Import Key (default)

You will get notified will the following message:

Key Imported. Imported a key for Tails
developers (offline long-term identity key) <tails@boum.org>

The GNOME notifications appear truncated on Tails 1.1 and later.
See ticket #7249.

Verify the ISO image

Now, download the cryptographic signature corresponding to the ISO image you want to verify:

Tails 1.3.2 signature

Your browser should propose you to open it with "Verify Signature". Choose this action to start the cryptographic verification:

What should the web browser do with this file?
Open with: Verify Signature (default)

Browse your files to select the Tails ISO image you want to verify. Then, the verification will start. It can take several minutes:

Verifying

If the ISO image is correct you will get a notification telling you that the signature is good:

Goog Signature

If the ISO image is not correct you will get a notification telling you that the signature is bad:

Bad Signature: Bad or forged signature.