[[!meta title="Verify the ISO image using the command line"]]

You need to have GnuPG installed. GnuPG is the common OpenPGP implementation for Linux: it is installed by default under Debian, Ubuntu, Tails and many other distributions.

First, download Tails signing key:

[[!inline pages="lib/download_tails_signing_key" raw="yes"]]

Open a terminal and import Tails signing key with the following commands:

    cd [the directory in which you downloaded the key]
    cat tails-signing.key | gpg --keyid-format long --import

The output should tell you that the key was imported:

    gpg: key 1202821CBE2CD9C1: public key "Tails developers (signing key) <tails@boum.org>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)

If you had already imported Tails signing key in the past, the output should tell you that the key was not changed:

    gpg: key 1202821CBE2CD9C1: "Tails developers (signing key) <tails@boum.org>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1

If you are shown the following message at the end of the output:

    gpg: no ultimately trusted keys found

Analyse the other messages as usual: this extra message doesn't relate to the Tails signing key that you downloaded. It usually means that you didn't create an OpenPGP key for yourself yet, which is of no importance for verifying the ISO image.

Now, download the cryptographic signature corresponding to the ISO image you want to verify and save it in the same folder as the ISO image:

[[!inline pages="lib/download_stable_i386_iso_sig" raw="yes"]]

Then start the cryptographic verification. It can take several minutes:

    cd [the ISO image directory]
    [[!inline pages="inc/stable_i386_gpg_verify" raw="yes"]]

If the ISO image is correct the output will tell you that the signature is good:

    gpg: Signature made Sat 30 Apr 2011 10:53:23 AM CEST
    gpg:                using RSA key 1202821CBE2CD9C1
    gpg: Good signature from "Tails developers (signing key) <tails@boum.org>"

This might be followed by a warning saying:

    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 0D24 B36A A9A2 A651 7878  7645 1202 821C BE2C D9C1

This doesn't alter the validity of the signature according to the key you downloaded. This warning rather has to do with the trust that you put in Tails signing key. See [[Trusting Tails signing key|doc/get/trusting_tails_signing_key]]. To remove this warning you would have to personally [[!wikipedia Keysigning desc="sign"]] Tails signing key with your own key.

If the ISO image is not correct the output will tell you that the signature is bad:

    gpg: Signature made Sat 30 Apr 2011 10:53:23 AM CEST
    gpg:                using RSA key 1202821CBE2CD9C1
    gpg: BAD signature from "Tails developers (signing key) <tails@boum.org>"
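
If you want to script this check instead of reading the messages by eye, the following added example (not part of the Tails documentation or tooling) reads GnuPG's machine-readable `--status-fd` output and accepts the ISO image only when the signature is valid and was made by the key whose fingerprint is shown above. The function names, the sample status lines and the use of `--status-fd` are choices made for this example; the signature and ISO image paths are passed as arguments.

```shell
#!/bin/sh
# Primary key fingerprint shown in the warning output above, spaces removed.
EXPECTED_FPR=0D24B36AA9A2A651787876451202821CBE2CD9C1

# Read "gpg --status-fd" lines on stdin. Succeed only if a VALIDSIG line names
# EXPECTED_FPR as the primary key and no failure line was seen.
check_status() {
    ok=0; bad=0
    while read -r tag kw rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            # Expired or revoked keys are treated as failures here (assumption).
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) bad=1 ;;
            VALIDSIG)  # the last field is the primary key fingerprint
                if [ "${rest##* }" = "$EXPECTED_FPR" ]; then ok=1; else bad=1; fi ;;
        esac
    done
    [ "$ok" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Usage: verify_iso SIGNATURE_FILE ISO_FILE
verify_iso() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status
}

# Constructed status output for illustration, not captured from a real run.
KEY_NAME='Tails developers (signing key) <tails@boum.org>'
OTHER_FPR=1111111111111111111111111111111111111111   # constructed fingerprint
SAMPLE_GOOD="[GNUPG:] GOODSIG 1202821CBE2CD9C1 $KEY_NAME
[GNUPG:] VALIDSIG $EXPECTED_FPR 2011-04-30 1304153603 0 4 0 1 2 00 $EXPECTED_FPR"
SAMPLE_BAD="[GNUPG:] BADSIG 1202821CBE2CD9C1 $KEY_NAME"
# A good signature made by a different key that merely carries the same name.
SAMPLE_OTHER_KEY="[GNUPG:] GOODSIG 1111111111111111 $KEY_NAME
[GNUPG:] VALIDSIG $OTHER_FPR 2011-04-30 1304153603 0 4 0 1 2 00 $OTHER_FPR"

# When called with two arguments, verify the given files.
if [ "$#" -eq 2 ]; then
    verify_iso "$1" "$2" || { echo "verification FAILED" >&2; exit 1; }
    echo "good signature, fingerprint matches"
fi
```

The third sample shows why the full fingerprint is compared: any key in your keyring can produce a "Good signature" line, and the name on a key is chosen by whoever created it.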