I proposed that Linux distros add a feature to establish a trust chain from the distro's keyring to the Tails .iso:
1. /usr/share/keyrings/ubuntu-archive-keyring.gpg signs osinfo-db_0.20250606-1ubuntu2_all.deb
2. osinfo-db should start containing https://tails.net/tails-signing.key directly
3. osinfo-db should start downloading the .iso.sig, and in addition to the current URL, expose the .gpg keyring and the .iso.sig signature through its osinfo-query or other API
4. gnome-boxes should start gpg-verifying Tails OS when using its Download OS button
5. Take the ~/Downloads/tails-amd64-7.8.iso it downloaded, and burn it to a USB
GitLab work items:
* In general: https://gitlab.com/libosinfo/osinfo-db/-/work_items/187
* Tails OS: https://gitlab.com/libosinfo/osinfo-db/-/work_items/188
* gnome-boxes: Will be created once the osinfo-db work is done
Please review whether this can stop an attacker capable of SSL inspection from tampering with the Tails OS image. If there are security concerns, please comment on the GitLab work items.
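
A sketch of the check in step 4, added here as an example and not part of the original post or of osinfo-db or gnome-boxes: it verifies the detached `.iso.sig` with `gpgv` against the keyring shipped in the distro-signed package, then pins the primary key fingerprint. The function names and the fingerprint argument are hypothetical, and the keyring is assumed to be in binary (dearmored) form.

```shell
# Added example; function names and the pinned fingerprint are hypothetical.

# Read `gpgv --status-fd` output on stdin and print the primary key
# fingerprint of the first valid signature (field 12 of a VALIDSIG line).
# Prints nothing for BADSIG, ERRSIG or truncated lines, so callers fail closed.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && NF >= 12 { print $12; exit }'
}

# verify_iso KEYRING SIG ISO PINNED_PRIMARY_FPR
# KEYRING is the binary .gpg keyring installed from the distro-signed
# package, never a key fetched over the same channel as the image.
# Pass paths containing a slash: gpgv resolves bare keyring names
# relative to its home directory.
# Pinning the fingerprint matters when one keyring holds keys for several
# operating systems: another vendor's key must not validate this image.
verify_iso() {
    vi_keyring=$1 vi_sig=$2 vi_iso=$3
    vi_want=$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$vi_want" ] || { echo "no pinned fingerprint" >&2; return 2; }
    for vi_f in "$vi_keyring" "$vi_sig" "$vi_iso"; do
        [ -r "$vi_f" ] || { echo "unreadable: $vi_f" >&2; return 2; }
    done
    command -v gpgv >/dev/null 2>&1 || { echo "gpgv not found" >&2; return 2; }
    # gpgv exits non-zero on a bad or unverifiable signature.
    vi_status=$(gpgv --keyring "$vi_keyring" --status-fd 1 \
        "$vi_sig" "$vi_iso" 2>/dev/null) || return 1
    vi_got=$(printf '%s\n' "$vi_status" | primary_fpr_from_status)
    [ -n "$vi_got" ] && [ "$vi_got" = "$vi_want" ]
}
```

Only a zero return from `verify_iso` should allow the image to be offered for writing to USB; every other outcome, including a missing `gpgv`, is treated as a verification failure.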