Using Firefox

Instead of a cryptographic signature, this technique uses a cryptographic hash. We propose it because it's especially easy for Windows users.

  1. Install the MD5 Reborned Hasher extension for Firefox.

  2. Restart Firefox.

  3. Open the Downloads window from the menu Tools ▸ Downloads. MD5 Reborned Hasher only operates on files that appear in the Downloads window of Firefox.

  4. If you are using Firefox 20 to 25, MD5 Reborned Hasher is incompatible with the new Downloads window. To go back to a compatible layout of the Downloads window, do the following:

    1. Open a new tab in Firefox.
    2. Type about:config in the URL bar, then press Enter.
    3. Paste the following preference name into the search field: browser.download.useToolkitUI.
    4. Change the value of this preference to true by right-clicking the preference and choosing Toggle.
    5. Restart Firefox.

    If you are using Firefox 26 or later, this method no longer works. It is currently impossible to use Firefox 26 or later to verify an ISO image.

  5. If the ISO image does not appear in the list of recent downloads:

    • Choose the menu File ▸ Open File….
    • Select the ISO image that you want to check. Choose to save it with the same name. Answer Yes if Firefox asks you whether you want to replace it.
    • This starts a local copy of the ISO image and adds it to the Downloads window.
  6. Click on the Check Digest… link on the line of the Downloads window corresponding to the ISO image. If no Check Digest… link appears, then MD5 Reborned Hasher is not installed correctly.

  7. In the Check File window, choose a SHA256 hash type.

  8. Click on Generate Digest.

  9. Copy and paste the following hash for version 0.23 in the Enter checksum text box.

    359d104737f1a448375d2030f938dea3d529468b8218485998ab893c1f7509eb
  10. When the hash is done generating, a result appears at the bottom of the window saying:

    • Okay, if the ISO image is correct,
    • Match failed!, if the ISO image is not correct.
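
The check that steps 7 to 10 perform, written out as an added example (it is not part of the original page and is not the extension's code): it computes the SHA256 digest of a file in chunks and compares it with the hash published in step 9. The function names, the script name check_iso.py and the ISO_IMAGE argument are assumptions made for this example.

```python
import hashlib
import hmac
import re
import sys

# SHA256 hash published on this page for version 0.23.
TAILS_0_23_SHA256 = "359d104737f1a448375d2030f938dea3d529468b8218485998ab893c1f7509eb"


def sha256_of_file(path, chunk_size=1024 * 1024):
    """Hash the file in chunks so a large ISO image is never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_checksum(text):
    """Clean a pasted checksum: drop whitespace, lowercase, require 64 hex digits."""
    cleaned = "".join(text.split()).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("not a SHA256 checksum: expected 64 hexadecimal digits")
    return cleaned


def check_digest(path, expected):
    """Return the same two results that the Check File window reports."""
    expected = normalize_checksum(expected)
    actual = sha256_of_file(path)
    return "Okay" if hmac.compare_digest(actual, expected) else "Match failed!"


if __name__ == "__main__":
    # Assumed usage: python check_iso.py ISO_IMAGE
    if len(sys.argv) == 2:
        result = check_digest(sys.argv[1], TAILS_0_23_SHA256)
        print(result)
        sys.exit(0 if result == "Okay" else 1)
    print("usage: python check_iso.py ISO_IMAGE")
```

A truncated or partially downloaded image produces Match failed!, and a checksum that was cut short while pasting is rejected before any comparison is made.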

Using the cryptographic signature

GnuPG, a common free software implementation of OpenPGP, has versions and graphical frontends for both Windows and Mac OS X. This also makes it possible to check the cryptographic signature with those operating systems:

You will find on either of those websites detailed documentation on how to install and use them.

For Windows using Gpg4win

After installing Gpg4win, download Tails signing key:

Tails signing key

Consult the Gpg4win documentation to import it.

Then, download the cryptographic signature corresponding to the ISO image you want to verify:

Tails 0.23 signature

Consult the Gpg4win documentation to check the signature.

If you see the following warning:

Not enough information to check the signature validity.
Signed on ... by tails@boum.org (Key ID: 0xBE2CD9C1
The validity of the signature cannot be verified.

Then the ISO image is still correct, and valid according to the Tails signing key that you downloaded. This warning is related to the trust that you put in the Tails signing key. See Trusting Tails signing key. To remove this warning you would have to personally sign the Tails signing key with your own key.

For Mac OS X using GPGTools

After installing GPGTools, you should be able to follow the instructions for Linux with the command line. To open the command line, navigate to your Applications folder, open Utilities, and double-click on Terminal.