Is there a way for a casual user to verify the authenticity of a downloaded Ubuntu .ISO?
I'm quite surprised that an issue this big has so little conversation around it.
I'm a casual Ubuntu user, and I just downloaded the ISO from ubuntu.com.
I don't have a PGP web-of-trust set up on my computer or anything.
So the only thing I can really trust is my browser's CA list.
How would I go about verifying I'm not getting MITM'd and rootkit-level pwnd by a 16 y.o.? (Because it really is that easy)
1. Just check the SHA256SUM
Well, unfortunately http://releases.ubuntu.com/ is only served via HTTP.
In fact there's a "Won't Fix" closed bug report from 2013 where maintainers explicitly deny bothering with providing users an HTTPS version of the hash list.
2. Just download Ubuntu's public keys with GPG
As mentioned in the VerifyIsoHowTo page, the other way to verify the download is to download Ubuntu's public key and verify the .gpg hash files.
However, in fine print, near the bottom it mentions something about building a web of trust. If we are to expand on that, I think we can safely state that checking the PGP signatures without a good web-of-trust in place is completely useless.
So what's left? Literally nothing. Of course you can spend a great deal of time trying to understand PGP, contacting colleagues and building your own web-of-trust over the following weeks, or you can just skip all that and just finally get on with the installation, which is what the crushing majority of people will do, if they even bothered getting that far.
So, is there a practical way for the casual/intermediate user to check the integrity of Ubuntu software prior to installing it, or are we wasting thousands upon thousands of man-hours to write secure code only to serve it insecurely?
system-installation security gnupg checksums
asked Nov 23 at 15:07
Vasilis Papadimitriou
3
Firstly, this reads more like a rant than it does an actual question based on the tone and what you are marking as bold, etc. Secondly, if you want to suggest changes to improve this, you need to contact the release team rather than posting just here on Ask Ubuntu.
– Thomas Ward♦
Nov 23 at 16:03
Well, it reads like a rant because I've been placing my trust on Ubuntu all these years and now that I barely scratched the surface I see it's full of holes. But it is a legitimate question, and I'd love to see an answer that proves me wrong. As for contacting the release team, it's not like they don't know this.
– Vasilis Papadimitriou
Nov 24 at 9:05
@VasilisPapadimitriou could you explain why you think you need your own web of trust? I am not an expert on this, but as I understand it, that is only necessary for you to use GPG to communicate with other people. Not in the cases where there is a trusted keyserver you can rely on. The links you mention from the VerifyIsoHowto are giving you information about that. Even if you had your own web-of-trust, you wouldn't use that to verify the Ubuntu keys. You won't be getting a "random public key over hkp", you will be contacting Ubuntu's trusted server.
– terdon♦
Nov 27 at 23:47
2 Answers
There's a step-by-step tutorial on it:
https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#0
If you don't know how that works, then the only way, if you intend to use it, is to learn it.
There's no "simple" way for this because this is not simple on how this works and how it provides correct results (unless you're good with algorithms). Sorry.
There's no official ISO md5sums organization that keeps track of all the images out there, so there's no official way of doing that. You can, however, use the tools and check it against what Ubuntu shares with you on their official servers. I.e. for the latest Ubuntu
http://releases.ubuntu.com/cosmic/
there are multiple files:
- http://releases.ubuntu.com/cosmic/MD5SUMS
- http://releases.ubuntu.com/cosmic/SHA1SUMS
- http://releases.ubuntu.com/cosmic/SHA256SUMS
which can be checked against with as much as:
```sh
md5sum ubuntu-18.10-desktop-amd64.iso
sha1sum ubuntu-18.10-desktop-amd64.iso
sha256sum ubuntu-18.10-desktop-amd64.iso
```
where ubuntu-18.10-desktop-amd64.iso is of course the ISO in question.
Compare the command output with those pages and you'll know if it's genuine.
EDIT:
I thought I'd answer all of OP's questions, because they produced some questions and notes in the comments and concerns raised there:
> Is there a way for a casual user to verify the authenticity of a downloaded Ubuntu .ISO?

There is; I answered that in my main answer.
> How would I go about verifying I'm not getting MITM'd and rootkit-level pwnd by a 16 y.o.?

The only simple way I know (without using a browser to download the SSL certificate) is to confirm that your network / DNS responds with the same IP as some other DNS you're not using and which you trust, i.e. the OpenDNS or Google ones:
```sh
dig releases.ubuntu.com
dig @208.67.222.222 releases.ubuntu.com
dig @8.8.8.8 releases.ubuntu.com
```
All of them should render the same results.
For rootkit, the only way is to check the ISO against checksums, which I already described.
> So, is there a practical way for the casual/intermediate user to check the integrity of Ubuntu software prior to installing it, or are we wasting thousands upon thousands of man-hours to write secure code only to serve it insecurely?

This question ignores the fact that:
- GPG keys can be fetched securely via hkps server:
```sh
gpg --keyid-format long --keyserver hkps://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092
```
- there's a very important note on: https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#2

Which OP seems to ignore (while saying he read that before):
> Note - some people question that if the site they are downloading from is not secure (many archive mirrors do not use SSL), how can they trust the signatures? The gpg fingerprint is checked against the Ubuntu keyserver, so if the signature matches, you know it is authentic no matter where/how it was downloaded!

HOW GPG works under the hood exceeds the knowledge of a casual user, but you can trust this is secure. If you do not trust, please read how GPG works. I can assure you it was checked against attacks multiple times ;)
What I also explained in my edit is that authenticity of the server CAN be checked against (check my answer on dig above). However, this exceeds the knowledge of a casual user (ask your internet browsing parents about MITM, you'll know), so it raised my eyebrow when OP brings this to the table along with the casual user phrase.
While http://releases.ubuntu.com/ IS not using HTTPS, you can check against MITM with dig. If all matches, you're safe, because only Canonical holds the control over *.ubuntu.com subdomains.
I hope there are no questions anymore, but if there are, please add a new askubuntu.com question and just add a link to this thread in it. I'll be happy to answer.
You either didn't read or didn't understand my question. I address all the methods used in this tutorial. The thing is, if you don't have a valid web-of-trust for GPG, getting a random public key over hkp provides zero security and the whole process is just security theater. This is the problem I want addressed.
– Vasilis Papadimitriou
Nov 23 at 16:00
updated my answer that addresses the problem
– janmyszkier
Nov 23 at 16:11
The files you provided are stored in http and not in https and therefore not an answer. OP asks for a secure way to get the checksums.
– Turtle10000
Nov 23 at 16:14
2
tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu is available over HTTPS and contains the actual key fingerprints you can verify. I admit that perhaps it could point out that it is the real key fingerprints you should be verifying, and not just some output that looks like that. Then again, if you don't know to do that, you probably don't know to trust the instructions on that page over some other instructions on the Internet to which you don't have a trust path.
– Robie Basak
Nov 23 at 16:17
@Turtle10000 bad news for you man: see the source of the download page: ubuntu.com/download/desktop/… and guess where you're downloading the iso from? `<meta http-equiv="refresh" content="3;url=http://releases.ubuntu.com/18.04.1/ubuntu-18.04.1-desktop-amd64.iso">`
Yes, that's HTTP source. If OP is secure enough with downloading the iso from the official site, you can also trust the http releases.ubuntu.com key information ;)
– janmyszkier
Nov 24 at 19:07
If you're willing to trust HTTPS for this, the GPG key fingerprints are available via both:
https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#3
and
https://wiki.ubuntu.com/SecurityTeam/FAQ#GPG_Keys_used_by_Ubuntu
Thanks
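The check that Robie Basak's comment and the answer above point at, as an added example that is not part of the original thread: accept SHA256SUMS only when gpg reports a validated signature from a key whose full fingerprint you copied from one of the HTTPS pages, then compare the ISO against that signed list. Function names and the sample status text are constructed for illustration; the script assumes the keys are already in your keyring (for example via the `--recv-keys` command in the first answer) and that you pass the pinned fingerprints yourself.

```sh
#!/bin/sh
# Added example, not code from the thread. Function names are illustrative.
# Usage (keys already imported into your keyring):
#   sh verify-iso.sh ISO SHA256SUMS SHA256SUMS.gpg "FINGERPRINT" ["FINGERPRINT" ...]
# FINGERPRINT is a full key fingerprint copied from an HTTPS page you trust.

# Strip whitespace and an optional 0x prefix, uppercase the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F' | sed 's/^0[xX]//'
}

# Read `gpg --status-fd` output on stdin and print the primary-key fingerprint
# of each signature gpg validated. Only VALIDSIG lines carry a fingerprint;
# the human-readable "Good signature" text does not say whose key it was.
# Signatures flagged as made by a revoked or expired key are skipped.
signers_from_status() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "REVKEYSIG" || $2 == "EXPKEYSIG" {
             bad[substr($3, length($3) - 15)] = 1
         }
         $2 == "VALIDSIG" {
             if (!(substr($3, length($3) - 15) in bad))
                 print (length($NF) >= 40 ? $NF : $3)
         }'
}

# signature_is_pinned STATUS FPR...: succeed if at least one validated
# signature was made by a key whose fingerprint is in the pinned list.
signature_is_pinned() {
    _signers=$(printf '%s\n' "$1" | signers_from_status)
    shift
    for _want in "$@"; do
        _want=$(norm_fpr "$_want")
        for _signer in $_signers; do
            [ "$_signer" = "$_want" ] && return 0
        done
    done
    return 1
}

# Print the lowercase hex SHA-256 of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{ print $1 }'
}

# Look up NAME in a SHA256SUMS file. Lines look like "<hash> *<name>" (binary
# mode) or "<hash>  <name>"; the name must match exactly, not as a substring.
expected_hash() {
    awk -v name="$2" '{ f = $2; sub(/^\*/, "", f)
                        if (f == name) { print $1; exit } }' "$1"
}

# iso_matches_sums SUMS ISO: succeed only if the ISO is listed and its hash matches.
iso_matches_sums() {
    _expect=$(expected_hash "$1" "$(basename "$2")")
    [ -n "$_expect" ] || return 1
    [ "$(sha256_of "$2")" = "$_expect" ]
}

verify_iso() {
    _iso=$1; _sums=$2; _sig=$3; shift 3
    # gpg can exit non-zero when one of several signatures cannot be checked
    # (a key you did not import), so decide from the status lines instead.
    _status=$(gpg --status-fd 1 --verify "$_sig" "$_sums" 2>/dev/null) || true
    signature_is_pinned "$_status" "$@" ||
        { echo "FAIL: $_sums is not signed by a pinned key" >&2; return 1; }
    iso_matches_sums "$_sums" "$_iso" ||
        { echo "FAIL: $_iso does not match the signed $_sums" >&2; return 1; }
    echo "OK: $_iso matches a SHA256SUMS signed by a pinned key"
}

# Constructed sample of status output; the key ID and fingerprint are made up.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signing Key <key@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-10-18 1539862000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Run the full check only when called with ISO, SUMS, SIG and a fingerprint.
[ "$#" -lt 4 ] || verify_iso "$@"
```

A signature that verifies against a key you did not pin fails the first step, which is the case the question is worried about.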
add a comment |
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
2
down vote
There's a step-by-step tutorial on it:
https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#0
if you don't know how that works, then the only way, if you intend to use it - is to learn it.
There's no "simple" way for this because this is not simple on how this works and how it provides correct results (unless you're good with algorithms). Sorry.
There's no official iso mdsums organization that keeps track of all the images out there so there's no official way of doing that. You can however use the tools and check it against what Ubuntu shares with you on their official servers. I.e for latests Ubuntu
http://releases.ubuntu.com/cosmic/
there are multiple files:
- http://releases.ubuntu.com/cosmic/MD5SUMS
- http://releases.ubuntu.com/cosmic/SHA1SUMS
- http://releases.ubuntu.com/cosmic/SHA256SUMS
which can be checked against with as much as:
md5sum ubuntu-18.10-desktop-amd64.iso
sha1sum ubuntu-18.10-desktop-amd64.iso
sha256sum ubuntu-18.10-desktop-amd64.iso
where the
ubuntu-18.10-desktop-amd64.iso
is of course the iso in question.
compare the command output with those pages and you'll know if it's genuine.
EDIT:
I thought I'll answer all OP questions because they produced some questions and notes in the comment and concerns raised there:
Is there a way for a casual user to verify the authenticity of a downloaded Ubuntu .ISO?
there is, I answered that in my main answer
How would I go about verifying I'm not getting MITM'd and rootkit-level pwnd by a 16 y.o.?
the only simple way I know (without using browser to download SSL certificate) is to confirm your network / dns responds with the same IP as some other DNS you're not using and which you trust, i.e openDNS or google ones:
dig releases.ubuntu.com
dig @208.67.222.222 releases.ubuntu.com
dig @8.8.8.8 releases.ubuntu.com
All of them should render the same results.
For rootkit, the only way is to check ISO against checksums, which I already described.
So, is there a practical way for the casual/intermediate user to check the integrity of Ubuntu software prior to installing it, or are we wasting thousands upon thousands of man-hours to write secure code only to serve it insecurely?
This question ignores the fact that:
- GPG keys can be fetched securely via hkps
server:
gpg --keyid-format long --keyserver hkps://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092
- there's a very important note on: https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#2
Which OP seems to ignore (while saying he read that before):
Note - some people question that if the site they are downloading from is not secure (many archive mirrors do not use SSL), how can they trust the signatures? The gpg fingerprint is checked against the Ubuntu keyserver, so if the signature matches, you know it is authentic no matter where/how it was downloaded!
HOW GPG works under the hood, exceeds the knowledge of casual user, but you can trust this is secure. If you do not trust, please read how GPG works. I can assure you it was checked against attacks multiple times ;)
What I also explained in my edit is authenticity of the server CAN be checked against (check my answer on dig
above). However, this exceeds the knowledge of casual user (ask your internet browsing parents about MITM, you'll know) so It raised my eyebrow when OP brings this to the table along with casual user
phrase.
While http://releases.ubuntu.com/ IS not using HTTPS, you can check against MITM with dig. If all matches, you're safe, because only Canonical holds the control over *.ubuntu.com subdomains
I hope there's no questions anymore, but if they are, please add new askubuntu.com question and just add a link to this thread in it. I'll be happy to answer.
You either didn't read or didn't understand my question. I address all the methods used in this tutorial. The thing is, if you don't have a valid web-of-trust for GPG, getting a random public key over hkp provides zero security and the whole process is just security theater. This is the problem I want addressed.
– Vasilis Papadimitriou
Nov 23 at 16:00
updated my answer that addresses the problem
– janmyszkier
Nov 23 at 16:11
The files you provided are stored in http and not in https and therefore not an answer. OP asks for a secure way to get the checksums.
– Turtle10000
Nov 23 at 16:14
2
tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu is available over HTTPS and contains the actual key fingerprints you can verify. I admit that perhaps it could point out that it is the real key fingerprints you should be verifying, and not just some output that looks like that. Then again, if you don't know to do that, you probably don't know to trust the instructions on that page over some other instructions on the Internet to which you don't have a trust path.
– Robie Basak
Nov 23 at 16:17
@Turtle10000 bad news for you man: see the source of the download page: ubuntu.com/download/desktop/… and guess where you're downloading the iso from?<meta http-equiv="refresh" content="3;url=http://releases.ubuntu.com/18.04.1/ubuntu-18.04.1-desktop-amd64.iso">
Yes, that's HTTP source. If OP is secure enough with downloading the iso from official; site, you can also trust the http releases.ubuntu.com key information ;)
– janmyszkier
Nov 24 at 19:07
|
show 1 more comment
up vote
2
down vote
There's a step-by-step tutorial on it:
https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#0
if you don't know how that works, then the only way, if you intend to use it - is to learn it.
There's no "simple" way for this because this is not simple on how this works and how it provides correct results (unless you're good with algorithms). Sorry.
There's no official iso mdsums organization that keeps track of all the images out there so there's no official way of doing that. You can however use the tools and check it against what Ubuntu shares with you on their official servers. I.e for latests Ubuntu
http://releases.ubuntu.com/cosmic/
there are multiple files:
- http://releases.ubuntu.com/cosmic/MD5SUMS
- http://releases.ubuntu.com/cosmic/SHA1SUMS
- http://releases.ubuntu.com/cosmic/SHA256SUMS
which can be checked against with as much as:
md5sum ubuntu-18.10-desktop-amd64.iso
sha1sum ubuntu-18.10-desktop-amd64.iso
sha256sum ubuntu-18.10-desktop-amd64.iso
where the
ubuntu-18.10-desktop-amd64.iso
is of course the iso in question.
compare the command output with those pages and you'll know if it's genuine.
EDIT:
I thought I'll answer all OP questions because they produced some questions and notes in the comment and concerns raised there:
Is there a way for a casual user to verify the authenticity of a downloaded Ubuntu .ISO?
there is, I answered that in my main answer
How would I go about verifying I'm not getting MITM'd and rootkit-level pwnd by a 16 y.o.?
the only simple way I know (without using browser to download SSL certificate) is to confirm your network / dns responds with the same IP as some other DNS you're not using and which you trust, i.e openDNS or google ones:
dig releases.ubuntu.com
dig @208.67.222.222 releases.ubuntu.com
dig @8.8.8.8 releases.ubuntu.com
All of them should render the same results.
For rootkit, the only way is to check ISO against checksums, which I already described.
So, is there a practical way for the casual/intermediate user to check the integrity of Ubuntu software prior to installing it, or are we wasting thousands upon thousands of man-hours to write secure code only to serve it insecurely?
This question ignores the fact that:
- GPG keys can be fetched securely via hkps
server:
gpg --keyid-format long --keyserver hkps://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092
- there's a very important note on: https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#2
Which OP seems to ignore (while saying he read that before):
Note - some people question that if the site they are downloading from is not secure (many archive mirrors do not use SSL), how can they trust the signatures? The gpg fingerprint is checked against the Ubuntu keyserver, so if the signature matches, you know it is authentic no matter where/how it was downloaded!
HOW GPG works under the hood, exceeds the knowledge of casual user, but you can trust this is secure. If you do not trust, please read how GPG works. I can assure you it was checked against attacks multiple times ;)
What I also explained in my edit is authenticity of the server CAN be checked against (check my answer on dig
above). However, this exceeds the knowledge of casual user (ask your internet browsing parents about MITM, you'll know) so It raised my eyebrow when OP brings this to the table along with casual user
phrase.
While http://releases.ubuntu.com/ IS not using HTTPS, you can check against MITM with dig. If all matches, you're safe, because only Canonical holds the control over *.ubuntu.com subdomains
I hope there's no questions anymore, but if they are, please add new askubuntu.com question and just add a link to this thread in it. I'll be happy to answer.
You either didn't read or didn't understand my question. I address all the methods used in this tutorial. The thing is, if you don't have a valid web-of-trust for GPG, getting a random public key over hkp provides zero security and the whole process is just security theater. This is the problem I want addressed.
– Vasilis Papadimitriou
Nov 23 at 16:00
updated my answer that addresses the problem
– janmyszkier
Nov 23 at 16:11
The files you provided are stored in http and not in https and therefore not an answer. OP asks for a secure way to get the checksums.
– Turtle10000
Nov 23 at 16:14
2
tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu is available over HTTPS and contains the actual key fingerprints you can verify. I admit that perhaps it could point out that it is the real key fingerprints you should be verifying, and not just some output that looks like that. Then again, if you don't know to do that, you probably don't know to trust the instructions on that page over some other instructions on the Internet to which you don't have a trust path.
– Robie Basak
Nov 23 at 16:17
@Turtle10000 bad news for you man: see the source of the download page: ubuntu.com/download/desktop/… and guess where you're downloading the iso from?<meta http-equiv="refresh" content="3;url=http://releases.ubuntu.com/18.04.1/ubuntu-18.04.1-desktop-amd64.iso">
Yes, that's HTTP source. If OP is secure enough with downloading the iso from official; site, you can also trust the http releases.ubuntu.com key information ;)
– janmyszkier
Nov 24 at 19:07
|
show 1 more comment
up vote
2
down vote
up vote
2
down vote
There's a step-by-step tutorial on it:
https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#0
if you don't know how that works, then the only way, if you intend to use it - is to learn it.
There's no "simple" way for this because this is not simple on how this works and how it provides correct results (unless you're good with algorithms). Sorry.
There's no official iso mdsums organization that keeps track of all the images out there so there's no official way of doing that. You can however use the tools and check it against what Ubuntu shares with you on their official servers. I.e for latests Ubuntu
http://releases.ubuntu.com/cosmic/
there are multiple files:
- http://releases.ubuntu.com/cosmic/MD5SUMS
- http://releases.ubuntu.com/cosmic/SHA1SUMS
- http://releases.ubuntu.com/cosmic/SHA256SUMS
which can be checked against with as much as:
md5sum ubuntu-18.10-desktop-amd64.iso
sha1sum ubuntu-18.10-desktop-amd64.iso
sha256sum ubuntu-18.10-desktop-amd64.iso
where the
ubuntu-18.10-desktop-amd64.iso
is of course the iso in question.
compare the command output with those pages and you'll know if it's genuine.
EDIT:
I thought I'll answer all OP questions because they produced some questions and notes in the comment and concerns raised there:
Is there a way for a casual user to verify the authenticity of a downloaded Ubuntu .ISO?
there is, I answered that in my main answer
How would I go about verifying I'm not getting MITM'd and rootkit-level pwnd by a 16 y.o.?
the only simple way I know (without using browser to download SSL certificate) is to confirm your network / dns responds with the same IP as some other DNS you're not using and which you trust, i.e openDNS or google ones:
dig releases.ubuntu.com
dig @208.67.222.222 releases.ubuntu.com
dig @8.8.8.8 releases.ubuntu.com
All of them should render the same results.
For rootkit, the only way is to check ISO against checksums, which I already described.
So, is there a practical way for the casual/intermediate user to check the integrity of Ubuntu software prior to installing it, or are we wasting thousands upon thousands of man-hours to write secure code only to serve it insecurely?
This question ignores the fact that:
- GPG keys can be fetched securely via hkps server:
gpg --keyid-format long --keyserver hkps://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092
- there's a very important note on: https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#2
Which OP seems to ignore (while saying he read that before):
Note - some people question that if the site they are downloading from is not secure (many archive mirrors do not use SSL), how can they trust the signatures? The gpg fingerprint is checked against the Ubuntu keyserver, so if the signature matches, you know it is authentic no matter where/how it was downloaded!
HOW GPG works under the hood, exceeds the knowledge of casual user, but you can trust this is secure. If you do not trust, please read how GPG works. I can assure you it was checked against attacks multiple times ;)
What I also explained in my edit is authenticity of the server CAN be checked against (check my answer on dig above). However, this exceeds the knowledge of casual user (ask your internet browsing parents about MITM, you'll know) so it raised my eyebrow when OP brings this to the table along with casual user phrase.
While http://releases.ubuntu.com/ IS not using HTTPS, you can check against MITM with dig. If all matches, you're safe, because only Canonical holds the control over *.ubuntu.com subdomains.
I hope there's no questions anymore, but if there are, please add new askubuntu.com question and just add a link to this thread in it. I'll be happy to answer.
edited Nov 25 at 9:54
answered Nov 23 at 15:42
janmyszkier
You either didn't read or didn't understand my question. I address all the methods used in this tutorial. The thing is, if you don't have a valid web-of-trust for GPG, getting a random public key over hkp provides zero security and the whole process is just security theater. This is the problem I want addressed.
– Vasilis Papadimitriou
Nov 23 at 16:00
updated my answer that addresses the problem
– janmyszkier
Nov 23 at 16:11
The files you provided are stored in http and not in https and therefore not an answer. OP asks for a secure way to get the checksums.
– Turtle10000
Nov 23 at 16:14
2
tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu is available over HTTPS and contains the actual key fingerprints you can verify. I admit that perhaps it could point out that it is the real key fingerprints you should be verifying, and not just some output that looks like that. Then again, if you don't know to do that, you probably don't know to trust the instructions on that page over some other instructions on the Internet to which you don't have a trust path.
– Robie Basak
Nov 23 at 16:17
@Turtle10000 bad news for you man: see the source of the download page: ubuntu.com/download/desktop/… and guess where you're downloading the iso from?
<meta http-equiv="refresh" content="3;url=http://releases.ubuntu.com/18.04.1/ubuntu-18.04.1-desktop-amd64.iso">
Yes, that's HTTP source. If OP is secure enough with downloading the iso from official site, you can also trust the http releases.ubuntu.com key information ;)
– janmyszkier
Nov 24 at 19:07
up vote
0
down vote
If you're willing to trust HTTPS for this, the GPG key fingerprints are available via both:
https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#3
and
https://wiki.ubuntu.com/SecurityTeam/FAQ#GPG_Keys_used_by_Ubuntu
Thanks
answered Nov 27 at 21:23
sarnold
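The checks from both answers combined, as an added example that is not part of either post: the signature on SHA256SUMS counts only when the signing key's full fingerprint equals one copied by hand from the HTTPS pages linked above, and only then is the ISO hash compared. The function names and the `EXPECTED_FPR` placeholder are assumptions of this example; no real fingerprint is embedded.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes gpg, awk and sha256sum.
# EXPECTED_FPR is a placeholder: copy the full 40-hex-digit fingerprint by
# hand from an HTTPS page, never from gpg's own output or a short key ID.

# Succeed only if gpg's --status-fd text holds a VALIDSIG line whose
# signing-key or primary-key fingerprint equals the pinned fingerprint.
validsig_matches() {    # $1 = status text, $2 = pinned fingerprint
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ ${#want} -eq 40 ] || return 2     # refuse 8/16-digit key IDs
    # Appending "" forces string comparison, so hex that looks like a
    # number (e.g. 12E34...) is never compared numerically by awk.
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (($3 "") == (want "") || ($NF "") == (want "")) { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Verify the detached signature SHA256SUMS.gpg over SHA256SUMS in the
# current directory. gpg itself must report success, so import the keys
# first (the --recv-keys command in the first answer), then pin the signer.
verify_sums_signature() {   # $1 = pinned fingerprint
    status=$(gpg --status-fd 1 --verify SHA256SUMS.gpg SHA256SUMS 2>/dev/null) || return 1
    validsig_matches "$status" "$1"
}

# Compare one ISO with its own line in the sums file.
# Lines look like "<hash> *ubuntu-18.10-desktop-amd64.iso".
check_iso() {   # $1 = sums file, $2 = path to iso
    name=$(basename "$2")
    listed=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        (f "") == (n "") { print $1; exit }' "$1")
    [ -n "$listed" ] || return 2        # ISO is not listed at all
    actual=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$actual" = "$listed" ]
}

# Typical use, once EXPECTED_FPR has been filled in:
#   verify_sums_signature "$EXPECTED_FPR" &&
#       check_iso SHA256SUMS ubuntu-18.10-desktop-amd64.iso &&
#       echo "ISO matches a SHA256SUMS signed by the pinned key"
```

A hash match alone only shows the ISO agrees with the SHA256SUMS file that was fetched; the pinned-fingerprint step is what ties that file to a key obtained over a separate, authenticated channel.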
3
Firstly, this reads more like a rant than it does an actual question based on the tone and what you are marking as bold, etc. Secondly, if you want to suggest changes to improve this, you need to contact the release team rather than posting just here on Ask Ubuntu.
– Thomas Ward♦
Nov 23 at 16:03
Well, it reads like a rant because I've been placing my trust on Ubuntu all these years and now that I barely scratched the surface I see it's full of holes. But it is a legitimate question, and I'd love to see an answer that proves me wrong. As for contacting the release team, it's not like they don't know this.
– Vasilis Papadimitriou
Nov 24 at 9:05
@VasilisPapadimitriou could you explain why you think you need your own web of trust? I am not an expert on this, but as I understand it, that is only necessary for you to use GPG to communicate with other people. Not in the cases where there is a trusted keyserver you can rely on. The links you mention from the VerifyIsoHowto are giving you information about that. Even if you had your own web-of-trust, you wouldn't use that to verify the Ubuntu keys. You won't be getting a "random public key over hkp", you will be contacting Ubuntu's trusted server.
– terdon♦
Nov 27 at 23:47