1. How To Verify Windows Files
2. How To Verify Downloaded Files
3. Downloaded File Failed Signature Verification

While you are downloading, we recommend you read therelease notes for Tails4.13.They document all the changes in this new version: new features, problems thatwere solved, and known issues that have already been identified.

Click the Download link to start the download. Do one of the following: To start the installation immediately, click Open or Run this program from its current location. To copy the download to your computer for installation at a later time, click Save or Save this program to disk. SignTool is a Microsoft program that is included in the Windows SDK. The program is not included when you install Windows on a machine or use Windows, and needs to be added to the system by installing the Windows SDK. Windows 7 SDK; Windows 10 SDK; Note: The download has a size of about 2.5 Gigabytes if you download the Windows 10 SDK.

1.1Download Tails

The 'SFC /SCANNOW' command will verify against Windows online image. So yes, it might download new files from online, a backup image already on your hard drive (or ask for the disk - if available), etc. It can help replace hi-jacked, modified or corrupted Windows files with the latest offical ones. So-called 'problems' with your Microsoft account may refer to Windows, or to other applications on your system. Whenever I get to my Windows desktop screen I always get this message in my notifications area that says there is a problem with your Microsoft account — most likely your password was changed. Open Hardware Monitor Download and install Open Hardware Monitor. Run the app and expand your SSD from the list. Under Levels, the app will tell you how much of your SSD’s life is left.

or download using BitTorrentBitTorrent

If the download fails, try to download from another mirror.download from another mirror.

1.2Verify your download

For your security, always verify your download.

X

With an unverified download, you might:

• Lose time if your download is incomplete or broken due to an error during the download. This is quite frequent.
• Get hacked while using Tails if our download mirrors have been compromised and are serving malicious downloads.
  This already happened to other operating systems.
• Get hacked while using Tails if your download is modified on the fly by an attacker on the network.
  This is possible for strong adversaries.

Your BitTorrent client will automatically verify your download when it completes.

How To Verify Windows Files

The verification below is optional for a BitTorrent download.

You have our Tails Verification extension installed.

Since December 2020, you can do the verification directly on the page. You don't need the Tails Verification anymore and can safely remove it.

See our statement about the deprecation of the Tails Verification extension.

You seem to have JavaScript disabled. To verify your download, you can either:

• Enable JavaScript.
• Compare manually the checksum of your download with the checksum of our images.
  See our documentation on calculating checksums using GtkHash.

You seem to be using Internet Explorer. To verify your download, please use a different browser.

Verifying $FILENAME…

Verification successful!

Verification failed!

X

Most likely, the verification failed because of an error or interruption during the download.

The verification also fails if you try to verify a different download than the latest version (4.13).

Less likely, the verification might have failed because of a malicious download from our download mirrors or due to a network attack in your country or local network.

Downloading again is usually enough to fix this problem.

Verification failed again!

X

The verification might have failed again because of:

• A software problem in our verification code
• A malicious download from our download mirrors
• A network attack in your country or local network

Trying from a different place or a different computer might solve any of these issues.

Please try to download again from a different place or a different computer…

Error selecting image.

Make sure that you select a USB image that is readable by your browser.

Make sure that you select an ISO image that is readable by your browser.

Error downloading checksum file from our website.

Make sure that your browser is connected to the Internet.

Error reading image $FILENAME.

Make sure that $FILENAME is readable by your browser.

Skip verification!Skip verification!Skip verification!Skip verification!Skip verification!Skip verification!Skip verification!Skip verification!Skip verification!Skip verification

Upgrade your Tails USB stick and keep your Persistent Storage:

How To Verify Downloaded Files

Install a new USB stick:

Verify using OpenPGP (optional)

If you know OpenPGP, you can also verify your download using anOpenPGP signature instead of, or in addition to, our verification in the browser orBitTorrent.

Download theOpenPGP signature for the Tails 4.13 USB imageOpenPGP signature for the Tails 4.13 ISO imageand save it to the same folder whereyou saved the image.

Basic OpenPGP verification

See instructions for basic OpenPGP verification.

This section provides simplified instructions:

In Windows with Gpg4win

1. Download the OpenPGP signature for the Tails 4.13 USB imageOpenPGP signature for the Tails 4.13 ISO image and save it to the same folder where you saved the image.

2. Download the Tails signing key and import it into Gpg4win.

   See the Gpg4win documentation on importing keys.

3. Verify the signature of the image that you downloaded.

   See the Gpg4win documentation on verifying signatures.

   Verify that the date of the signature is at most five days earlier than the latest version: 2020-11-17.

   If the following warning appears:

   Then the image is still correct according to the signing key that you downloaded. To remove this warning you need to authenticate the signing key through the OpenPGP Web of Trust.

In macOS using GPGTools

1. Download the OpenPGP signature for the Tails 4.13 USB imageOpenPGP signature for the Tails 4.13 ISO image and save it to the same folder where you saved the image.

2. Download the Tails signing key and import it into GPGTools.

   See the GPGTools documentation on importing keys.

3. Open Finder and navigate to the folder where you saved the image and the signature.

4. Control-click on the image and choose Services ▸ OpenPGP: Verify Signature of File.

In Tails

Tails comes with the Tails signing key already imported.

1. Download the OpenPGP signature for the Tails 4.13 USB imageOpenPGP signature for the Tails 4.13 ISO image and save it to the same folder where you saved the image.

2. Open the file browser and navigate to the folder where you saved the image and the signature.

3. Right-click (on Mac, click with two fingers) on the signature and choose Open With Verify Signature.

4. The verification of the image starts automatically:

5. After the verification finishes, you should see a notification that the signature is good:

   Verify that the date of the signature is at most five days earlier than the latest version: 2020-11-17.

   If instead, you see a notification that the signature is valid but untrusted:

   Then the image is still correct according to the signing key that you downloaded. To remove this warning you need to authenticate the signing key through the OpenPGP Web of Trust.

Using the command line

1. Download the OpenPGP signature for the Tails 4.13 USB imageOpenPGP signature for the Tails 4.13 ISO image and save it to the same folder where you saved the image.

2. Download the Tails signing key and import it into GnuPGP.

   To import the Tails signing key into GnuPGP, open a terminal and navigate to the folder where you saved the Tails signing key.

   Execute:

   gpg --import tails-signing.key

3. In a terminal, navigate to the folder where you saved the image and the signature.

4. Execute:

   TZ=UTC gpg --no-options --keyid-format long --verify tails-amd64-4.13.img.sig tails-amd64-4.13.img

   TZ=UTC gpg --no-options --keyid-format long --verify tails-amd64-4.13.iso.sig tails-amd64-4.13.iso

   The output of this command should be the following:

   gpg: Signature made 2020-11-16T12:22:17 UTC
   gpg: using RSA key 05469FB85EAD6589B43D41D3D21DAD38AF281C0B
   gpg: Good signature from 'Tails developers (offline long-term identity key) <tails@boum.org>' [full]
   gpg: aka 'Tails developers <tails@boum.org>' [full]
   

   gpg: Signature made 2020-11-16T12:21:58 UTC
   gpg: using RSA key 05469FB85EAD6589B43D41D3D21DAD38AF281C0B
   gpg: Good signature from 'Tails developers (offline long-term identity key) <tails@boum.org>' [full]
   gpg: aka 'Tails developers <tails@boum.org>' [full]
   

   Verify that the date of the signature is at most five days earlier than the latest version: 2020-11-17.

   If the output also includes:

   gpg: WARNING: This key is not certified with a trusted signature!
   gpg: There is no indication that the signature belongs to the owner.
   

   Then the image is still correct according to the signing key that you downloaded. To remove this warning you need to authenticate the signing key through the OpenPGP Web of Trust.

Authenticate the signing key through the OpenPGP Web of Trust

Authenticating our signing key through the OpenPGP Web of Trust isthe only way that you can be protected in case our website iscompromised or if you are a victim of a man-in-the-middle attack.However, it is complicated to do and it might not bepossible for everyone because it relies on trust relationships betweenindividuals.

Read more about authenticating the Tails signing key through the OpenPGP Web of Trust.

The verification techniques that we present (verification in the browser,BitTorrent, or OpenPGP verification) all rely on someinformation being securely downloaded using HTTPS from our website:

• The checksum for the verification in the browser
• The Torrent file for BitTorrent
• The Tails signing key for OpenPGP verification

It is possible that you could download malicious information if ourwebsite is compromised or if you are a victim of a man-in-the-middleattack.

OpenPGP verification is the only technique that protects you ifour website is compromised or if you are a victim of a man-in-the-middleattack. But, for that you need to authenticate the Tails signing keythrough the OpenPGP Web of Trust.

If you are verifying an image from inside Tails, forexample, to do a manual upgrade, then you already have the Tails signing key.You can trust this signing key as much as you already trust yourTails installation since this signing key is included in your Tailsinstallation.

One of the inherent problems of standard HTTPS is that the trust putin a website is defined by certificate authorities: a hierarchical and closedset of companies and governmental institutions approved by your web browser vendor.This model of trust has long been criticized and proved several times to bevulnerable to attacks as explained on our warning page.

We believe that, instead, users should be given the final say when trusting awebsite, and that designation of trust should be done on the basis of humaninteractions.

The OpenPGP Web of Trust is adecentralized trust model based on OpenPGP keys that can help with solvingthis problem. Let's see this with an example:

1. You are friends with Alice and you really trust her way of making sure that OpenPGP keys actually belong to their owners.
2. Alice met Bob, a Tails developer, in a conference and certified Bob's key as actually belonging to Bob.
3. Bob is a Tails developer who directly owns the Tails signing key. So, Bob has certified the Tails signing key as actually belonging to Tails.

In this scenario, you found, through Alice and Bob, a path to trust the Tails signing keywithout the need to rely on certificate authorities.

If you are on Debian, Ubuntu, or Linux Mint, you can install thedebian-keyring package which contains the OpenPGP keys ofall Debian developers. Some Debian developers have certified the Tailssigning key and you can use these certifications to build a trust path.This technique is explained in detail in our instructions oninstalling Tails from Debian, Ubuntu, or Linux Mint using the commandline.

Relying on the Web of Trust requires both caution and intelligent supervisionby the users. The technical details are outside of the scope of this document.

Since the Web of Trust is based on actual human relationships andreal-life interactions, it is best to get in touch with peopleknowledgeable about OpenPGP and build trust relationships in order tofind your own trust path to the Tails signing key.

After you build a trust path, you can certify the Tails signing key bysigning it with your own key to get rid of some warnings during theverification process.

Downloaded File Failed Signature Verification

One method of knowing if a downloaded program file is safe to install is to compare the file checksum (also called a hash) before running the executable.

Verifying the checksum of a file helps ensure the file was not corrupted during download, or modified by a malicious third-party before you downloaded it. If it was infected with malware or other malicious software after the checksum was originally calculated, you will discover the change when you calculate the new checksum.

The checksum is a long string of numbers that looks like this:

This hexadecimal number is unique to the installer .exe file created by the author. If anyone has altered or tampered with the file that you downloaded, the checksum will be different on your computer.

Note

For maximum system security, always verify the checksum of any software you download from the Internet, before you run it.

How to check the checksum of a file in Windows

Many utilities can verify the checksum of a file in Windows. Below are our favorite options, the Checksum Calculator, an easy to use and compare checksum utility and the FCIV command line utility from Microsoft.

Checksum calculator

The Checksum Calculator is a free file checksum calculation utility that supports the most commonly used file checksum algorithms, such as md5, crc32, and sha1. The Checksum Calculator can also batch process multiple files and is an easy to understand and use Windows program.

Downloading and installing the checksum calculator

1. Download the Checksum Calculator.
2. Run the executable, checksumcalculator_setup.exe.
3. Follow the prompts to install the program.

Using the calculator

1. Open the Checksum Calculator if not already opened after the install.
2. Click the Browse next to the file box and browse to the file you want to check. In our example, we are checking the checksum of the windirstat1_1_2_setup.exe file.
3. Select the type of Checksum you are calculating. By default, the Checksum is set to MD5, in our example below we've set the value to SHA1.
4. Click the Calculate button.
5. After clicking Calculate, a result is shown in the Result box. To compare the values with what's shown on the web page or documentation, copy and paste the checksum into the Compare box and click Verify. If both values match, you'll see a message box indicating that the values are the same.

Using the Microsoft FCIV utility

Unfortunately, no version of Microsoft Windows comes pre-installed with a checksum utility, but Microsoft has released a command line command perform a checksum. In our example, we'll be downloading, installing, and using the Microsoft FCIV (File Checksum Integrity Verifier) to check the WinDirStat installer file. WinDirStat is a great free utility for checking what files and folders are occupying space on your hard drive.

Downloading and installing Microsoft FCIV

1. Download FCIV from Microsoft.
2. Run the executable, Windows-KB841290-x86-ENU.exe.
3. Click Yes to accept the license agreement.
4. The installer asks where you would like to extract the files. It's convenient to have it in the same place as the WinDirStat installer, so we recommend you extract it to your Downloads folder. Click Browse, highlight Downloads, and click OK.

5. Click OK to extract the files.
6. Click OK to close the installer.

Tip

If you copy the fciv.exe file into your C:Windows directory, the command works from any directory or drive in the command prompt.

Using FCIV

1. FCIV is a command-line utility, so you need to run it from the Windows command prompt. Open a new command prompt window now. In Windows 10, you can find it under Start menu → Windows System → Command Prompt. You can also open it from the Run box if you press Win+R (hold down the Windows key on your keyboard and press R), type cmd, and press Enter.
2. Change to your Downloads directory or the directory containing fciv and the file you want to compare. At the command prompt, run:

9. The checksums provided on the WinDirStat use the SHA1 algorithm, so we need to use the -sha1 option when we run FCIV. For example, to verify windirstat1_1_2_setup.exe, use this command:

FCIV will spend a few moments calculating, and then provide output like this:

The checksum is the long hexadecimal number on the last line:

That hexadecimal number is the SHA1 checksum for your file. Check to make sure it matches the checksum on the WinDirStat website:

• See our fciv command page for further information about this command and its syntax and options.

How to check the checksum of a file in Linux

In Linux, the checksum of a file can be checked using one of the following command line commands depending on the checksum the author used for comparison.

• The MD5 checksum is verified using the md5sum command.
• An SHA224 checksum is checked using the sha224sum command.
• An SHA256 checksum is shown using the sha256sum command.
• An SHA384 checksum is shown using the sha384sum command.
• An SHA512 checksum is verified using the sha512sum command.

Additional information

• See our checksum page for further information and related links.