Instead of a cryptographic signature, this technique uses a cryptographic hash. We propose it because it's especially easy for Windows users.
Install the MD5 Reborned Hasher extension for Firefox.
Open the Downloads window from the menu . MD5 Reborned Hasher only operates from the files that are appearing in the Downloads window of Firefox.
- Open a new tab in Firefox.
about:configin the URL bar, then press Enter.
- Paste the following preference name into the search
- Change the value of this preference to true, by doing right-click on the preference and choosing Toggle.
- Restart Firefox.
If the ISO image does not appear in the list of recent downloads:
- Choose the menu .
- Select the ISO image that you want to check. Choose to save it with the same name. Answer Yes if Firefox asks you whether you want to replace it.
- This starts a local copy of the ISO image and adds it to the Downloads window.
Click on the Check Digest… link on the line of the Downloads window corresponding to the ISO image. If no Check Digest… link appear, then MD5 Reborned Hasher is not installed correctly.
In the Check File window, choose a SHA256 hash type.
Click on Generate Digest.
Copy and paste the following hash for version 0.23 in the Enter checksum text box.
When the hash is done generating, a result appears at the bottom of the window saying:
- Okay, if the ISO image is correct,
- Match failed!, if the ISO image is not correct.
If you are using Firefox 20 to 25, MD5 Reborned Hasher is incompatible with the new Downloads window. To go back to a compatible layout of the Downloads window, do the following:
If you are using Firefox 26 or later, this method is not working anymore. It is currently impossible to use Firefox 26 or later to verify an ISO image.
GnuPG, a common free software implementation of OpenPGP has versions and graphical frontends for both Windows and Mac OS X. This also make it possible to check the cryptographic signature with those operating systems:
You will find on either of those websites detailed documentation on how to install and use them.
After installing Gpg4win, download Tails signing key:
Then, download the cryptographic signature corresponding to the ISO image you want to verify:
If you see the following warning:
Not enough information to check the signature validity. Signed on ... by firstname.lastname@example.org (Key ID: 0xBE2CD9C1 The validity of the signature cannot be verified.
Then the ISO image is still correct, and valid according to the Tails signing key that you downloaded. This warning is related to the trust that you put in the Tails signing key. See, Trusting Tails signing key. To remove this warning you would have to personally sign the Tails signing key with your own key.
After installing GPGTools, you should be able to follow the instruction for Linux with the command line. To open the command line, navigate to your Applications folder, open Utilities, and double click on Terminal.