
I am downloading Ubuntu Linux, and would like to make sure that my download has not been tampered with.

Ubuntu has a GPG key, which I could use to make sure that the download is valid -- but how do I validate the key? Unfortunately, the key seems to only be available via hkp -- which is not a secure protocol!

The GPG key is itself signed -- but how do I check those keys?

The Ubuntu instructions for verifying the download are not helpful unless the public key to verify the signatures is available securely. GPG web of trust is not helpful, because mine is currently empty and I don't know where to start building it.

Demi
  • Please clarify how this doesn't answer you question (I get the impression that it doesn't answer your question but I can't pinpoint it): https://help.ubuntu.com/community/VerifyIsoHowto – agtoever Aug 11 '14 at 07:05
  • Basically, the OP is asking where they can find a trust anchor for their Ubuntu download, or some alternate source of trust. – Mark Aug 11 '14 at 07:23
  • @Mark that is correct. Normally I would rely on the fact that I trust Ubuntu's server, together with SSL certificates. – Demi Aug 11 '14 at 17:05

3 Answers


You can find all of the MD5 hashes here:

Now all you have to do is compare the MD5 hash of your download with the hash on the page. You can generate an MD5 hash in Ubuntu by using:

md5sum <file>
John
  • Better than nothing, but MD5 is a broken algorithm – Demi Aug 14 '14 at 01:33
  • MD5 is not "broken"; true, there are more collisions than ideal, however, for this purpose, as well as even for use in a court of law, MD5 is absolutely fine. – dc5553 Jun 12 '15 at 18:12

Using a secure connection will not help in validating the key either. How would you verify the identity of the server you are connecting to? E.g. I can use hkps to connect to a rogue server and securely retrieve a fake public key.

Instead PGP works via a "Web of Trust" infrastructure whereby you trust a key because it is signed by someone whom you trust.

A more in-depth explanation can be found here: Shouldn't GPG key fetching use a secure connection?

limbenjamin
  • I know how PGP works, and I know the idea of a web of trust. It does not help someone who does not even know how to start a web of trust. – Demi Aug 11 '14 at 20:24

SHA 256 checksums are there.

http://releases.ubuntu.com/trusty/SHA256SUMS

We can depend on it for now.

Kasun
  • Someone could tamper with the connection and the checksum, so it is useless unless the checksum can be verified. – Demi Sep 12 '14 at 05:55
  • Take the sha256 checksum. Then Google for it. It is hard to fake Google. – Kasun Sep 12 '14 at 05:57
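Both the md5sum answer and the SHA256SUMS answer above come down to the same mechanical check: compute the digest of the downloaded image and compare it with the line for that file in the published sums file. The shell script below is an added example, not code from the original answers or from Ubuntu; it implements that comparison for the `hash  filename` / `hash *filename` line format that sha256sum writes and that the SHA256SUMS file uses, and exercises it on a constructed file (the name demo.iso, its contents and the temporary directory are all made up for the demonstration, and the tampered copy is produced by appending one byte).

```shell
#!/bin/sh
# Added example (not from the original page): check a downloaded image against a
# SHA256SUMS-style file. Lines look like "<hex>  <filename>" or "<hex> *<filename>".
# All file names and contents used in demo() are constructed for this demonstration.
set -eu

# expected_hash SUMS NAME -> print the hash recorded for NAME in SUMS; fail if absent.
expected_hash() {
    sums=$1; name=$2
    # Field 2 may carry a leading '*' (binary-mode marker); strip it before comparing.
    awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); if (f == n) { print $1; found=1; exit } }
                      END { if (!found) exit 1 }' "$sums"
}

# actual_hash FILE -> print the SHA-256 of FILE as lowercase hex.
actual_hash() {
    sha256sum "$1" | awk '{ print $1 }'
}

# verify_download SUMS FILE -> 0 if recorded and computed hashes match, 1 otherwise.
verify_download() {
    sums=$1; file=$2
    exp=$(expected_hash "$sums" "$(basename "$file")") || {
        echo "no entry for $(basename "$file") in $sums" >&2
        return 1
    }
    act=$(actual_hash "$file")
    if [ "$exp" = "$act" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $exp" >&2
    echo "  got      $act" >&2
    return 1
}

# demo -> 0 if an intact file passes and a tampered copy is rejected.
demo() {
    tmp=$(mktemp -d)
    printf 'pretend this is an ISO image\n' > "$tmp/demo.iso"
    # A sums file as the publisher would write it (generated locally here).
    ( cd "$tmp" && sha256sum demo.iso > SHA256SUMS )
    verify_download "$tmp/SHA256SUMS" "$tmp/demo.iso"
    # Simulate a corrupted or tampered download: append one byte.
    printf 'X' >> "$tmp/demo.iso"
    if verify_download "$tmp/SHA256SUMS" "$tmp/demo.iso"; then
        echo "unexpected: tampered file passed" >&2
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
}

demo
```

This confirms that what arrived on disk matches the sums file, and nothing more: anyone able to alter the sums file in transit can alter the hash in it too, which is the objection Demi raises. Ubuntu also publishes a detached signature, SHA256SUMS.gpg, next to SHA256SUMS on releases.ubuntu.com, and `gpg --verify SHA256SUMS.gpg SHA256SUMS` checks it; that step only moves the question back to how the signing key itself was obtained.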