shmu26

Level 85
Verified
Trusted
Content Creator
I always download the gpg file and verify the key that the ISO was signed with.
Today I tried to verify Kubuntu 20.04 and I had trouble importing the public key. I asked for help on ubuntuforums.org and everyone told me I was paranoid, it's enough to verify the checksum by sha256.
What do you say?
 

Freki123

Level 7
Verified
When I'm in doubt I download the ISO from a well known site (not the developers!) and check the sha256 against the checksum of the developer.
A sha256 mismatch would raise my awareness.
 

MacDefender

Level 11
Verified
I generally just download it from the vendor but I spend a lot of time reading the tech news. Once the system is installed I do take a look at their package manager to make sure that the repository and GPG key list is what I expect. If an attack is sophisticated enough to hide from that, I would also worry they can replace any signature verification instructions with tainted ones.

Also, you will eventually download additional software packages from those exact same servers from the vendor -- if a vendor is compromised to the point you can't trust ISOs they vend you, it's more a sign you shouldn't use their distro at all.

The one exception I'll note here is that I am assuming you can grab the ISO over HTTPS or the torrent over HTTPS. If not, then you can't be sure that your download itself isn't being intercepted mid-stream, at which point you should definitely verify its authenticity.
 

security123

Level 20
I asked for help on ubuntuforums.org and everyone told me I was paranoid, it's enough to verify the checksum by sha256.
This only shows how little knowledge these guys have. But yeah, everyone should blindly trust the Ubuntu people... not!

If possible, every download should be verified with a GPG signature and a checksum.
The best way is if the checksum is signed with the GPG key too.
And of course the files need to be placed on another server - at least as a copy - to prevent corruption if the server with the binary is hacked.

Besides a GPG signature (and a better solution) is to sign the binary with a digital signature.
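The two-step check discussed in this thread (authenticate the SHA256SUMS file with the publisher's OpenPGP signature, then compare the ISO's SHA-256 against that authenticated list), written out as an added example; it is not code from any poster or from Ubuntu. It assumes Python 3 and, for the signature step only, a `gpg` binary on PATH plus a keyring file that holds just the publisher's signing key (the keyring path is the caller's choice). The file names, ISO contents and checksum lines in `demo()` are constructed so the checksum part runs offline. A checksum fetched from the same server as the ISO only detects corruption or a damaged transfer; it is the signature over the checksum file that ties the bytes to the publisher.

```python
"""Verify a downloaded ISO: (1) check the publisher's signature over the
SHA256SUMS file, (2) check the ISO's SHA-256 against the entry in that file.
Added example for the forum discussion; not the project's own tooling."""
from __future__ import annotations

import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse `sha256sum` output: one '<64 hex chars>  <filename>' per line.
    A leading '*' on the filename marks binary mode and is dropped."""
    entries: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" ").lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        entries[name] = digest.lower()
    return entries


def sha256_of_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so multi-gigabyte ISOs don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_signature(sums: Path, sig: Path, keyring: Path) -> bool:
    """Run gpg against a dedicated keyring containing ONLY the publisher's key,
    so an unrelated key in the user's default keyring cannot vouch for the file.
    --no-default-keyring / --keyring / --verify are standard gpg options; the
    keyring file itself is whatever the caller prepared (assumption)."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg is not installed")
    result = subprocess.run(
        [gpg, "--no-default-keyring", "--keyring", str(keyring),
         "--verify", str(sig), str(sums)],
        capture_output=True, text=True,
    )
    return result.returncode == 0


def verify_iso(iso: Path, sums: Path, sig: Path | None = None,
               keyring: Path | None = None) -> str:
    """Return 'ok', 'bad-signature', 'not-listed' or 'hash-mismatch'.
    When sig/keyring are given the signature must pass before any hash is trusted."""
    if sig is not None:
        if keyring is None:
            raise ValueError("a keyring is required to check the signature")
        if not verify_signature(sums, sig, keyring):
            return "bad-signature"
    entries = parse_sha256sums(sums.read_text())
    expected = entries.get(iso.name)
    if expected is None:
        return "not-listed"
    return "ok" if sha256_of_file(iso) == expected else "hash-mismatch"


def demo() -> dict[str, str]:
    """Constructed offline scenario (no gpg): an intact ISO, a copy with one
    byte changed, and a file absent from SHA256SUMS."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        intact = d / "example.iso"
        intact.write_bytes(b"constructed ISO contents\n" * 1000)
        tampered = d / "example-tampered.iso"
        tampered.write_bytes(intact.read_bytes()[:-1] + b"!")  # last byte altered
        unlisted = d / "other.iso"
        unlisted.write_bytes(b"not in the checksum file")
        good = sha256_of_file(intact)
        # Both names carry the digest of the intact file, so the tampered copy must fail.
        sums = d / "SHA256SUMS"
        sums.write_text(f"{good} *example.iso\n{good} *example-tampered.iso\n")
        return {
            "intact": verify_iso(intact, sums),
            "tampered": verify_iso(tampered, sums),
            "unlisted": verify_iso(unlisted, sums),
        }


if __name__ == "__main__":
    print(demo())
    # Real use: verify_iso(Path("some.iso"), Path("SHA256SUMS"),
    #                      Path("SHA256SUMS.gpg"), Path("publisher-only.kbx"))
```

The ordering matters: the hash is compared only after the signature check has passed, because a SHA256SUMS file that has not been authenticated could have been replaced together with the ISO it describes. Using a dedicated keyring rather than the default one keeps the verdict from depending on whatever other keys happen to be imported.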
 

shmu26

Level 85
Verified
Trusted
Content Creator
When I'm in doubt I download the ISO from a well known site (not the developers!) and check the sha256 against the checksum of the developer.
A sha256 mismatch would raise my awareness.
That doesn't work so well with ISOs because a 3rd party site, however reliable, might have compressed the ISO slightly differently. And that changes the checksum. In my experience, you need to get the checksum from the same source as the ISO, or it won't match.
 

Freki123

Level 7
Verified
That doesn't work so well with ISOs because a 3rd party site, however reliable, might have compressed the ISO slightly differently.
Seems to depend on the sites then. Just did a random test with computerbild.de and the SHA-256 checksum matched; softpedia.com even states they won't repack in any way. But I will keep that info in mind for my next ISO. I'm always happy to hear about new information :)
 