Do you verify your Linux ISO?

shmu26 (Level 85, thread author, joined Jul 3, 2015, 8,150 posts)
I always download the gpg file and verify the key that the ISO was signed with.
Today I tried to verify Kubuntu 20.04 and I had trouble importing the public key. I asked for help on ubuntuforums.org and everyone told me I was paranoid, it's enough to verify the checksum by sha256.
What do you say?
 

Freki123 (Level 15, joined Aug 10, 2013, 737 posts)
When I'm in doubt I download the ISO from a well known site (not the developers!) and check the sha256 against the checksum of the developer.
A sha256 mismatch would raise my awareness.
 

MacDefender (Level 16, joined Oct 13, 2019, 779 posts)
I generally just download it from the vendor but I spend a lot of time reading the tech news. Once the system is installed I do take a look at their package manager to make sure that the repository and GPG key list is what I expect. If an attack is sophisticated enough to hide from that, I would also worry they can replace any signature verification instructions with tainted ones.

Also, you will eventually download additional software packages from those exact same servers from the vendor -- if a vendor is compromised to the point you can't trust ISOs they vend you, it's more a sign you shouldn't use their distro at all.

The one exception I'll note here is that I am assuming you can grab the ISO over HTTPS or the torrent over HTTPS. If not, then you can't be sure that your download itself isn't being intercepted mid-stream, at which point you should definitely verify its authenticity.
 
ForgottenSeer 85179

I asked for help on ubuntuforums.org and everyone told me I was paranoid, it's enough to verify the checksum by sha256.
This only shows how little knowledge these guys have. But yeah, everyone should blindly trust the Ubuntu people... not!

If possible, every download should be verified with a GPG signature and a checksum.
The best way is if the checksum is signed with the GPG key too.
And of course the files need to be placed on another server - at least as a copy - to prevent corruption if the server with the binary is hacked.

Besides a GPG signature (and a better solution) is to sign the binary with a digital signature.
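The two-step check described in this thread (verify the signature on the checksum file first, then check the ISO against the checksum file) is shown below as an added example; it is not code from the thread or from any distribution. It models the SHA256SUMS / SHA256SUMS.gpg pair that Ubuntu-family releases publish, parses the `sha256sum -c` line format, and reports OK, FAILED (the digest mismatch you get from a repacked or tampered image) or MISSING per file. The ISO bytes, file names and digests are constructed for the demo; the gpg call is a thin wrapper around the standard `gpg --verify SHA256SUMS.gpg SHA256SUMS` command and simply returns None when gpg is not installed.

```python
"""Checksum-plus-signature check for a downloaded ISO (added example).

The sample ISO payload, file names and SHA256SUMS content are constructed
for this demo; nothing here is a real release artifact.
"""
import hashlib
import hmac
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed stand-in for an ISO image.
SAMPLE_ISO = b"constructed fake ISO payload\n" * 1024
GOOD = hashlib.sha256(SAMPLE_ISO).hexdigest()

# Constructed SHA256SUMS-style file: "<hex digest> *<file name>" per line.
# The leading '*' marks binary mode, exactly as in the real Ubuntu files.
SAMPLE_SUMS = (
    f"{GOOD} *kubuntu-demo-amd64.iso\n"      # will match
    f"{GOOD} *kubuntu-demo-repacked.iso\n"   # file on disk will differ
    f"{GOOD} *kubuntu-demo-missing.iso\n"    # listed but never downloaded
)


def parse_sha256sums(text):
    """Return {file name: expected hex digest} from sha256sum -c style text."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # drop the text ("  ") or binary (" *") marker
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"malformed digest on line: {line!r}")
        expected[name] = digest.lower()
    return expected


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so a multi-GB ISO is not read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_files(sums_text, directory):
    """Compare each listed file under `directory` against its expected digest.

    'FAILED' is what a mirror's repacked ISO, or a tampered download, produces;
    'MISSING' is a listed file that is not present locally.
    """
    results = {}
    for name, digest in parse_sha256sums(sums_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_of_file(path), digest):
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def gpg_verify(sums_path, sig_path, keyring=None):
    """Run `gpg --verify SHA256SUMS.gpg SHA256SUMS`.

    Returns True on a good signature from a key in the keyring, False on a
    bad, missing or unknown signature, None if gpg is not installed.  This
    step comes first: an unsigned checksum only proves the ISO matches the
    server that served both, not that it came from the publisher.
    """
    if shutil.which("gpg") is None:
        return None
    cmd = ["gpg", "--batch", "--verify", str(sig_path), str(sums_path)]
    if keyring:  # optional: pin to a keyring holding only the signing key
        cmd[1:1] = ["--no-default-keyring", "--keyring", str(keyring)]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def demo():
    """End-to-end run against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "kubuntu-demo-amd64.iso").write_bytes(SAMPLE_ISO)
        (root / "kubuntu-demo-repacked.iso").write_bytes(SAMPLE_ISO[:-1])
        (root / "SHA256SUMS").write_text(SAMPLE_SUMS)
        # No SHA256SUMS.gpg exists in the demo, so the signature gate cannot
        # pass offline; on a real download a False here means stop.
        sig = gpg_verify(root / "SHA256SUMS", root / "SHA256SUMS.gpg")
        return sig, check_files(SAMPLE_SUMS, root)


if __name__ == "__main__":
    signature_ok, statuses = demo()
    print("signature:", signature_ok)
    for name, status in statuses.items():
        print(f"{name}: {status}")
```

On a real download you would first import the distribution's signing key into a dedicated keyring, pass that keyring to `gpg_verify`, and only then trust `check_files`; the order matters because the checksum file and the ISO usually come from the same server.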
 

shmu26 (Level 85, thread author, joined Jul 3, 2015, 8,150 posts)
When I'm in doubt I download the ISO from a well known site (not the developers!) and check the sha256 against the checksum of the developer.
A sha256 mismatch would raise my awareness.
That doesn't work so well with ISOs because a 3rd party site, however reliable, might have compressed the ISO slightly differently. And that changes the checksum. In my experience, you need to get the checksum from the same source as the ISO, or it won't match.
 

Freki123 (Level 15, joined Aug 10, 2013, 737 posts)
That doesn't work so well with ISOs because a 3rd party site, however reliable, might have compressed the ISO slightly differently.
Seems to depend on the sites then. Just did a random test with computerbild.de and the sha256 checksum matched; softpedia.com even states they won't repack in any way. But I will keep that info in mind for my next ISO. I'm always happy to hear about new information :)
 
