Is there a way for a casual user to verify the authenticity of a downloaded Ubuntu .ISO?























I'm quite surprised that an issue this big has so little conversation around it.



I'm a casual Ubuntu user, and I just downloaded the ISO from ubuntu.com.

I don't have a PGP web-of-trust set up on my computer or anything.

So the only thing I can really trust is my browser's CA list.



How would I go about verifying I'm not getting MITM'd and rootkit-level pwnd by a 16 y.o.? (Because it really is that easy)



1. Just check the SHA256SUM



Well, unfortunately http://releases.ubuntu.com/ is only served via HTTP.

In fact there's a "Won't Fix" closed bug report from 2013 where maintainers explicitly deny bothering with providing users an HTTPS version of the hash list.



2. Just download Ubuntu's public keys with GPG



As mentioned in the VerifyIsoHowTo page, the other way to verify the download is to download Ubuntu's public key and verify the .gpg hash files.

However, in fine print, near the bottom it mentions something about building a web of trust. If we are to expand on that, I think we can safely state that checking the PGP signatures without a good web-of-trust in place is completely useless.





So what's left? Literally nothing. Of course you can spend a great deal of time trying to understand PGP, contacting colleagues and building your own web-of-trust over the following weeks, or you can just skip all that and just finally get on with the installation, which is what the crushing majority of people will do, if they even bothered getting that far.



So, is there a practical way for the casual/intermediate user to check the integrity of Ubuntu software prior to installing it, or are we wasting thousands upon thousands of man-hours to write secure code only to serve it insecurely?































  • 3




    Firstly, this reads more like a rant than it does an actual question based on the tone and what you are marking as bold, etc. Secondly, if you want to suggest changes to improve this, you need to contact the release team rather than posting just here on Ask Ubuntu.
    – Thomas Ward
    Nov 23 at 16:03










  • Well, it reads like a rant because I've been placing my trust in Ubuntu all these years and now that I barely scratched the surface I see it's full of holes. But it is a legitimate question, and I'd love to see an answer that proves me wrong. As for contacting the release team, it's not like they don't know this.
    – Vasilis Papadimitriou
    Nov 24 at 9:05










  • @VasilisPapadimitriou could you explain why you think you need your own web of trust? I am not an expert on this, but as I understand it, that is only necessary for you to use GPG to communicate with other people. Not in the cases where there is a trusted keyserver you can rely on. The links you mention from the VerifyIsoHowto are giving you information about that. Even if you had your own web-of-trust, you wouldn't use that to verify the Ubuntu keys. You won't be getting a "random public key over hkp", you will be contacting Ubuntu's trusted server.
    – terdon
    Nov 27 at 23:47















system-installation security gnupg checksums
















asked Nov 23 at 15:07









Vasilis Papadimitriou

141






















2 Answers













There's a step-by-step tutorial on it:
https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#0



If you don't know how that works, then the only way, if you intend to use it, is to learn it.



There's no "simple" way for this because this is not simple on how this works and how it provides correct results (unless you're good with algorithms). Sorry.



There's no official iso mdsums organization that keeps track of all the images out there so there's no official way of doing that. You can however use the tools and check it against what Ubuntu shares with you on their official servers. I.e. for the latest Ubuntu:
http://releases.ubuntu.com/cosmic/



there are multiple files:

  1. http://releases.ubuntu.com/cosmic/MD5SUMS
  2. http://releases.ubuntu.com/cosmic/SHA1SUMS
  3. http://releases.ubuntu.com/cosmic/SHA256SUMS

which can be checked against with as much as:

  1. md5sum ubuntu-18.10-desktop-amd64.iso
  2. sha1sum ubuntu-18.10-desktop-amd64.iso
  3. sha256sum ubuntu-18.10-desktop-amd64.iso

where ubuntu-18.10-desktop-amd64.iso is of course the ISO in question. Compare the command output with those pages and you'll know if it's genuine.



EDIT:
I thought I'll answer all OP questions because they produced some questions and notes in the comment and concerns raised there:



Is there a way for a casual user to verify the authenticity of a downloaded Ubuntu .ISO?



There is; I answered that in my main answer.



How would I go about verifying I'm not getting MITM'd and rootkit-level pwnd by a 16 y.o.?



The only simple way I know (without using a browser to download the SSL certificate) is to confirm that your network / DNS responds with the same IP as some other DNS you're not using and which you trust, i.e. the OpenDNS or Google ones:

dig releases.ubuntu.com
dig @208.67.222.222 releases.ubuntu.com
dig @8.8.8.8 releases.ubuntu.com

All of them should render the same results.
For rootkit, the only way is to check ISO against checksums, which I already described.



So, is there a practical way for the casual/intermediate user to check the integrity of Ubuntu software prior to installing it, or are we wasting thousands upon thousands of man-hours to write secure code only to serve it insecurely?



This question ignores the fact that:
- GPG keys can be fetched securely via an hkps server:
  gpg --keyid-format long --keyserver hkps://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092
- there's a very important note on https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#2 which OP seems to ignore (while saying he read that before):




Note - some people question that if the site they are downloading from is not secure (many archive mirrors do not use SSL), how can they trust the signatures? The gpg fingerprint is checked against the Ubuntu keyserver, so if the signature matches, you know it is authentic no matter where/how it was downloaded!

How GPG works under the hood exceeds the knowledge of a casual user, but you can trust this is secure. If you do not trust it, please read how GPG works. I can assure you it was checked against attacks multiple times ;)

What I also explained in my edit is that the authenticity of the server CAN be checked (check my answer on dig above). However, this exceeds the knowledge of a casual user (ask your internet browsing parents about MITM, you'll know), so it raised my eyebrow when OP brings this to the table along with the "casual user" phrase.

While http://releases.ubuntu.com/ IS not using HTTPS, you can check against MITM with dig. If all matches, you're safe, because only Canonical holds the control over *.ubuntu.com subdomains.

I hope there are no questions anymore, but if there are, please add a new askubuntu.com question and just add a link to this thread in it. I'll be happy to answer.





























  • You either didn't read or didn't understand my question. I address all the methods used in this tutorial. The thing is, if you don't have a valid web-of-trust for GPG, getting a random public key over hkp provides zero security and the whole process is just security theater. This is the problem I want addressed.
    – Vasilis Papadimitriou
    Nov 23 at 16:00










  • updated my answer that addresses the problem
    – janmyszkier
    Nov 23 at 16:11










  • The files you provided are stored in http and not in https and therefore not an answer. OP asks for a secure way to get the checksums.
    – Turtle10000
    Nov 23 at 16:14






  • 2




    tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu is available over HTTPS and contains the actual key fingerprints you can verify. I admit that perhaps it could point out that it is the real key fingerprints you should be verifying, and not just some output that looks like that. Then again, if you don't know to do that, you probably don't know to trust the instructions on that page over some other instructions on the Internet to which you don't have a trust path.
    – Robie Basak
    Nov 23 at 16:17










  • @Turtle10000 bad news for you man: see the source of the download page: ubuntu.com/download/desktop/… and guess where you're downloading the iso from? <meta http-equiv="refresh" content="3;url=http://releases.ubuntu.com/18.04.1/ubuntu-18.04.1-desktop-amd64.iso"> Yes, that's an HTTP source. If OP is secure enough with downloading the iso from the official site, you can also trust the http releases.ubuntu.com key information ;)
    – janmyszkier
    Nov 24 at 19:07

































If you're willing to trust HTTPS for this, the GPG key fingerprints are available via both:



https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#3



and



https://wiki.ubuntu.com/SecurityTeam/FAQ#GPG_Keys_used_by_Ubuntu



Thanks
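
The check that both answers and the comments converge on, written out as an added example (not code from the thread or from Ubuntu): take the full key fingerprint from one of the HTTPS pages, accept SHA256SUMS only if gpg reports a valid signature by exactly that fingerprint, then compare the ISO's digest. Function names are hypothetical, the fingerprint and status lines in the sample are constructed, and the script assumes the signing keys are already imported and that file names contain no spaces.

```shell
#!/bin/sh
# Added example: pin the signing key by full fingerprint, then check the ISO.
# Function names are hypothetical; the sample fingerprint is constructed.

# Strip whitespace and upper-case a fingerprint copied from a web page.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# sig_by_pinned_key PIN...   (reads `gpg --status-fd` lines on stdin)
# Succeeds only if a VALIDSIG line names one of the pinned 40-hex fingerprints.
# Policy chosen for this example: any BADSIG, EXPKEYSIG or REVKEYSIG rejects.
sig_by_pinned_key() {
    st=$(cat)
    if printf '%s\n' "$st" | grep -Eq '^\[GNUPG:\] (BADSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    # Field 3 is the signing key's fingerprint, the last field the primary key's.
    signers=$(printf '%s\n' "$st" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print toupper($3); print toupper($NF) }')
    for pinned in "$@"; do
        pin=$(norm_fpr "$pinned")
        case $pin in ''|*[!0-9A-F]*) continue ;; esac
        # Short or long key IDs are refused as pins: only a full fingerprint counts.
        [ "${#pin}" -eq 40 ] || continue
        for signer in $signers; do
            [ "$signer" = "$pin" ] && return 0
        done
    done
    return 1
}

# iso_matches_sums SUMS_FILE ISO
# Returns 0 on match, 1 on mismatch, 2 if the image is not listed at all.
iso_matches_sums() {
    sums=$1 iso=$2
    name=$(basename "$iso")
    # Lines look like "<digest> *<name>" (binary mode) or "<digest>  <name>".
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# verify_iso ISO SUMS_FILE SIG_FILE PIN...
verify_iso() {
    iso=$1 sums=$2 sig=$3
    shift 3
    # The decision is taken from gpg's machine-readable status lines, not from
    # its human-readable output or exit code.
    gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null |
        sig_by_pinned_key "$@" ||
        { echo "REJECT: $sums is not signed by a pinned key" >&2; return 1; }
    iso_matches_sums "$sums" "$iso" ||
        { echo "REJECT: $iso does not match $sums" >&2; return 1; }
    echo "OK: $iso"
}

# Constructed sample of the status lines gpg prints for one good signature.
sample_status() {
    fpr=0123456789ABCDEF0123456789ABCDEF01234567
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signing Key" \
        "[GNUPG:] VALIDSIG $fpr 2018-10-18 1539820800 0 4 0 1 10 00 $fpr"
}

if [ "$#" -ge 4 ]; then
    verify_iso "$@"
else
    # No arguments: run the status parser on the constructed sample only.
    sample_status |
        sig_by_pinned_key "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567" &&
        echo "sample: signed by the pinned key"
    sample_status | sig_by_pinned_key "89ABCDEF01234567" ||
        echo "sample: a bare key ID is not accepted as a pin"
fi
```

Saved under a name of your choice (here `verify.sh`, hypothetical), it is run as `sh verify.sh ubuntu-18.10-desktop-amd64.iso SHA256SUMS SHA256SUMS.gpg "<fingerprint>"`, with the fingerprint copied from the HTTPS page and not from the keyserver response.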






share|improve this answer





















    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "89"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1095404%2fis-there-a-way-for-a-casual-user-to-verify-the-authenticity-of-a-downloaded-ubun%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    2
    down vote













    There's a step-by-step tutorial on it:
    https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#0



    if you don't know how that works, then the only way, if you intend to use it - is to learn it.



    There's no "simple" way for this because this is not simple on how this works and how it provides correct results (unless you're good with algorithms). Sorry.



    There's no official iso mdsums organization that keeps track of all the images out there so there's no official way of doing that. You can however use the tools and check it against what Ubuntu shares with you on their official servers. I.e for latests Ubuntu
    http://releases.ubuntu.com/cosmic/



    there are multiple files:




    1. http://releases.ubuntu.com/cosmic/MD5SUMS

    2. http://releases.ubuntu.com/cosmic/SHA1SUMS

    3. http://releases.ubuntu.com/cosmic/SHA256SUMS


    which can be checked against with as much as:




    1. md5sum ubuntu-18.10-desktop-amd64.iso


    2. sha1sum ubuntu-18.10-desktop-amd64.iso


    3. sha256sum ubuntu-18.10-desktop-amd64.iso


    where the
    ubuntu-18.10-desktop-amd64.iso is of course the iso in question.
    compare the command output with those pages and you'll know if it's genuine.



    EDIT:
    I thought I'll answer all OP questions because they produced some questions and notes in the comment and concerns raised there:



    Is there a way for a casual user to verify the authenticity of a downloaded Ubuntu .ISO?



    there is, I answered that in my main answer



    How would I go about verifying I'm not getting MITM'd and rootkit-level pwnd by a 16 y.o.?



    the only simple way I know (without using browser to download SSL certificate) is to confirm your network / dns responds with the same IP as some other DNS you're not using and which you trust, i.e openDNS or google ones:

    dig releases.ubuntu.com
    dig @208.67.222.222 releases.ubuntu.com
    dig @8.8.8.8 releases.ubuntu.com

    All of them should render the same results.
    For rootkit, the only way is to check ISO against checksums, which I already described.



    So, is there a practical way for the casual/intermediate user to check the integrity of Ubuntu software prior to installing it, or are we wasting thousands upon thousands of man-hours to write secure code only to serve it insecurely?



    This question ignores the fact that:
    - GPG keys can be fetched securely via hkps server:
    gpg --keyid-format long --keyserver hkps://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092
    - there's a very important note on: https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#2
    Which OP seems to ignore (while saying he read that before):




    Note - some people question that if the site they are downloading from is not secure (many archive mirrors do not use SSL), how can they trust the signatures? The gpg fingerprint is checked against the Ubuntu keyserver, so if the signature matches, you know it is authentic no matter where/how it was downloaded!

    HOW GPG works under the hood, exceeds the knowledge of casual user, but you can trust this is secure. If you do not trust, please read how GPG works. I can assure you it was checked against attacks multiple times ;)



    What I also explained in my edit is authenticity of the server CAN be checked against (check my answer on dig above). However, this exceeds the knowledge of casual user (ask your internet browsing parents about MITM, you'll know) so It raised my eyebrow when OP brings this to the table along with casual user phrase.



    While http://releases.ubuntu.com/ IS not using HTTPS, you can check against MITM with dig. If all matches, you're safe, because only Canonical holds the control over *.ubuntu.com subdomains



    I hope there's no questions anymore, but if they are, please add new askubuntu.com question and just add a link to this thread in it. I'll be happy to answer.






    share|improve this answer























    • You either didn't read or didn't understand my question. I address all the methods used in this tutorial. The thing is, if you don't have a valid web-of-trust for GPG, getting a random public key over hkp provides zero security and the whole process is just security theater. This is the problem I want addressed.
      – Vasilis Papadimitriou
      Nov 23 at 16:00










    • updated my answer that addresses the problem
      – janmyszkier
      Nov 23 at 16:11










    • The files you provided are stored in http and not in https and therefore not an answer. OP asks for a secure way to get the checksums.
      – Turtle10000
      Nov 23 at 16:14






    • 2




      tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu is available over HTTPS and contains the actual key fingerprints you can verify. I admit that perhaps it could point out that it is the real key fingerprints you should be verifying, and not just some output that looks like that. Then again, if you don't know to do that, you probably don't know to trust the instructions on that page over some other instructions on the Internet to which you don't have a trust path.
      – Robie Basak
      Nov 23 at 16:17










    • @Turtle10000 bad news for you man: see the source of the download page: ubuntu.com/download/desktop/… and guess where you're downloading the iso from? <meta http-equiv="refresh" content="3;url=http://releases.ubuntu.com/18.04.1/ubuntu-18.04.1-desktop-amd64.iso"> Yes, that's HTTP source. If OP is secure enough with downloading the iso from official; site, you can also trust the http releases.ubuntu.com key information ;)
      – janmyszkier
      Nov 24 at 19:07

















    up vote
    2
    down vote













    There's a step-by-step tutorial on it:
    https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#0



    if you don't know how that works, then the only way, if you intend to use it - is to learn it.



    There's no "simple" way for this because this is not simple on how this works and how it provides correct results (unless you're good with algorithms). Sorry.



    There's no official iso mdsums organization that keeps track of all the images out there so there's no official way of doing that. You can however use the tools and check it against what Ubuntu shares with you on their official servers. I.e for latests Ubuntu
    http://releases.ubuntu.com/cosmic/



    there are multiple files:




    1. http://releases.ubuntu.com/cosmic/MD5SUMS

    2. http://releases.ubuntu.com/cosmic/SHA1SUMS

    3. http://releases.ubuntu.com/cosmic/SHA256SUMS


    which can be checked against with as much as:




    1. md5sum ubuntu-18.10-desktop-amd64.iso


    2. sha1sum ubuntu-18.10-desktop-amd64.iso


    3. sha256sum ubuntu-18.10-desktop-amd64.iso


    where the
    ubuntu-18.10-desktop-amd64.iso is of course the iso in question.
    compare the command output with those pages and you'll know if it's genuine.



    EDIT:
    I thought I'll answer all OP questions because they produced some questions and notes in the comment and concerns raised there:



    Is there a way for a casual user to verify the authenticity of a downloaded Ubuntu .ISO?



    there is, I answered that in my main answer



    How would I go about verifying I'm not getting MITM'd and rootkit-level pwnd by a 16 y.o.?



    the only simple way I know (without using browser to download SSL certificate) is to confirm your network / dns responds with the same IP as some other DNS you're not using and which you trust, i.e openDNS or google ones:

    dig releases.ubuntu.com
    dig @208.67.222.222 releases.ubuntu.com
    dig @8.8.8.8 releases.ubuntu.com

    All of them should render the same results.
    For rootkit, the only way is to check ISO against checksums, which I already described.



    So, is there a practical way for the casual/intermediate user to check the integrity of Ubuntu software prior to installing it, or are we wasting thousands upon thousands of man-hours to write secure code only to serve it insecurely?



    This question ignores the fact that:
    - GPG keys can be fetched securely via hkps server:
    gpg --keyid-format long --keyserver hkps://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092
    - there's a very important note on: https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#2
    Which OP seems to ignore (while saying he read that before):




    Note - some people question that if the site they are downloading from is not secure (many archive mirrors do not use SSL), how can they trust the signatures? The gpg fingerprint is checked against the Ubuntu keyserver, so if the signature matches, you know it is authentic no matter where/how it was downloaded!

    How GPG works under the hood exceeds the knowledge of a casual user, but you can trust that this is secure. If you do not trust it, please read how GPG works. I can assure you it was checked against attacks multiple times ;)



    What I also explained in my edit is that the authenticity of the server CAN be checked (see my answer on dig above). However, this exceeds the knowledge of a casual user (ask your internet-browsing parents about MITM, you'll know), so it raised my eyebrow when OP brought this to the table along with the "casual user" phrase.



    While http://releases.ubuntu.com/ IS not using HTTPS, you can check against MITM with dig. If everything matches, you're safe, because only Canonical holds control over the *.ubuntu.com subdomains.



    I hope there are no more questions, but if there are, please add a new askubuntu.com question and just add a link to this thread in it. I'll be happy to answer.






    • You either didn't read or didn't understand my question. I address all the methods used in this tutorial. The thing is, if you don't have a valid web-of-trust for GPG, getting a random public key over hkp provides zero security and the whole process is just security theater. This is the problem I want addressed.
      – Vasilis Papadimitriou
      Nov 23 at 16:00










    • updated my answer that addresses the problem
      – janmyszkier
      Nov 23 at 16:11










    • The files you provided are stored in http and not in https and therefore not an answer. OP asks for a secure way to get the checksums.
      – Turtle10000
      Nov 23 at 16:14






    • tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu is available over HTTPS and contains the actual key fingerprints you can verify. I admit that perhaps it could point out that it is the real key fingerprints you should be verifying, and not just some output that looks like that. Then again, if you don't know to do that, you probably don't know to trust the instructions on that page over some other instructions on the Internet to which you don't have a trust path.
      – Robie Basak
      Nov 23 at 16:17










    • @Turtle10000 bad news for you man: see the source of the download page: ubuntu.com/download/desktop/… and guess where you're downloading the iso from? <meta http-equiv="refresh" content="3;url=http://releases.ubuntu.com/18.04.1/ubuntu-18.04.1-desktop-amd64.iso"> Yes, that's an HTTP source. If OP is secure enough with downloading the iso from the official site, you can also trust the http releases.ubuntu.com key information ;)
      – janmyszkier
      Nov 24 at 19:07















    edited Nov 25 at 9:54

























    answered Nov 23 at 15:42









    janmyszkier








































    If you're willing to trust HTTPS for this, the GPG key fingerprints are available via both:



    https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#3



    and



    https://wiki.ubuntu.com/SecurityTeam/FAQ#GPG_Keys_used_by_Ubuntu



    Thanks
















        answered Nov 27 at 21:23









        sarnold
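
    The check this answer and the comments above point at, as an added example that is not part of the original thread: confirm that the signer of SHA256SUMS has a full fingerprint you read over HTTPS, then hash the ISO against that signed list. The function names are hypothetical, and the fingerprints are supplied by the caller because the thread itself only lists long key IDs.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# pinned_signer STATUS_FILE FPR...
# STATUS_FILE holds the stdout of:
#   gpg --status-fd 1 --verify SHA256SUMS.gpg SHA256SUMS
# Succeeds only if a VALIDSIG line names one of the pinned fingerprints.
pinned_signer() {
    status_file=$1; shift
    # VALIDSIG: field 3 is the signing key fingerprint, the last field is
    # the primary key fingerprint. Accept a match on either.
    signers=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
                       print toupper($3); print toupper($NF) }' "$status_file")
    [ -n "$signers" ] || return 1
    for pinned in "$@"; do
        want=$(printf '%s' "$pinned" | tr -d ' ' | tr 'a-f' 'A-F')
        # Only a full 40-hex fingerprint pins a key; skip key IDs and junk.
        case $want in *[!0-9A-F]*) continue ;; esac
        [ "${#want}" -eq 40 ] || continue
        if printf '%s\n' "$signers" | grep -qxF "$want"; then return 0; fi
    done
    return 1
}

# iso_matches_sums ISO SUMS_FILE
# Succeeds if SUMS_FILE lists the ISO's file name with the SHA-256 of the
# local file. Entries look like "<hex>  name" or "<hex> *name".
iso_matches_sums() {
    iso_path=$1; sums_path=$2
    name=$(basename "$iso_path")
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                                 f == n { print tolower($1); exit }' "$sums_path")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$iso_path" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# verify_iso ISO SUMS SUMS_SIG FPR...
# Order matters: signature first, then signer identity, then the ISO hash.
verify_iso() {
    v_iso=$1; v_sums=$2; v_sig=$3; shift 3
    v_status=$(mktemp) || return 1
    if gpg --status-fd 1 --verify "$v_sig" "$v_sums" >"$v_status" 2>/dev/null \
        && pinned_signer "$v_status" "$@" \
        && iso_matches_sums "$v_iso" "$v_sums"
    then v_rc=0; else v_rc=1; fi
    rm -f "$v_status"
    return "$v_rc"
}

# Usage (fingerprints read from an HTTPS page; placeholders here):
#   verify_iso ubuntu-18.10-desktop-amd64.iso SHA256SUMS SHA256SUMS.gpg \
#       "<FULL-FINGERPRINT-1>" "<FULL-FINGERPRINT-2>"
```

    A good signature from a key whose fingerprint is not pinned is rejected, which is the difference between "gpg printed something that looks right" and a check anchored to a value obtained over HTTPS.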
