Microsoft Windows ISO writer documentation (write Kicksecure ISO to USB) / balenaEtcher issues

Quote Tails - Installation instructions

balenaEtcher

For Windows and macOS, we instruct people to use balenaEtcher to copy the USB image onto their USB stick. On top of this, we self-host the downloads of balenaEtcher on our own infrastructure. The tails / etcher-binary · GitLab repository is added as an ikiwiki underlay on our website.

We self-host a copy of balenaEtcher because:

  • It gives us more predictability on what users end up doing. This is useful in terms of Help Desk.
  • It prevents 3rd parties from learning a bit more about who uses Tails. Pointing to GitHub from our website would provide direct referrers to GitHub (and maybe Balena too) about who is using balenaEtcher to install Tails.
  • It prevents GitHub from serving rogue downloads (targeted or not). We might still get a rogue download ourselves but:
    • We download balenaEtcher several times from different locations to prevent targeted attacks.
    • We download balenaEtcher in a limited time window, which might save our users some supply chain issues. If our users were to download balenaEtcher every time, a short-time supply chain attack would definitely affect some of them.

balenaEtcher has Telemetry (privacy) issues:

Does balenaEtcher even sign their releases with GPG?
The only reason I ask is that the time I used it, long ago, they didn’t have any way to verify trust of the download.

I haven’t used Windows in a while, but if Windows 11 includes WSL for all paid versions… I would recommend users use WSL and write the ISO following the Linux instructions with dd tbh.

Detached signatures aren’t very popular on Windows.

Authenticode - Windows Digital Software Signatures perhaps? User Account Control (UAC) / Windows Smart Filter?

WSL runs Linux in a virtual machine. I’m not sure if that will have direct access to the USB drives or not. If it did, that would be cool, but my guess is it probably doesn’t.

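The Tails text quoted at the top of this thread describes downloading balenaEtcher several times from different locations so that a targeted rogue download shows up as a mismatch. One way to run that comparison, added here as an example (not code from Tails, Kicksecure or any poster in this thread); the function names and vantage-point labels are hypothetical and the sample files are constructed:

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large installer is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def group_by_digest(copies):
    """Map each SHA-256 digest to the vantage points that received it."""
    # `copies` maps a label for where a copy was fetched from to its local path.
    groups = defaultdict(list)
    for vantage, path in copies.items():
        groups[sha256_file(path)].append(vantage)
    return {digest: sorted(vantages) for digest, vantages in groups.items()}

def check_copies(copies, min_copies=2):
    """Return (ok, groups); ok is True only when every copy has the same digest."""
    if len(copies) < min_copies:
        raise ValueError("need copies from at least %d vantage points" % min_copies)
    groups = group_by_digest(copies)
    return len(groups) == 1, groups

def _demo():
    # Constructed sample data: three stand-in "downloads", one of them altered.
    # The vantage-point labels are hypothetical.
    with tempfile.TemporaryDirectory() as tmp:
        copies = {}
        for vantage, body in [("home-isp", b"installer-bytes"),
                              ("vps-eu", b"installer-bytes"),
                              ("tor-exit", b"installer-bytes-tampered")]:
            path = os.path.join(tmp, vantage + ".bin")
            with open(path, "wb") as handle:
                handle.write(body)
            copies[vantage] = path
        ok, groups = check_copies(copies)
        for digest, vantages in groups.items():
            print(digest[:16], vantages)
        print("all copies identical:", ok)

if __name__ == "__main__":
    _demo()
```

Agreement between copies only shows that every vantage point received the same bytes; as the quoted text notes, a rogue download served to everyone would still pass this check.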