Ubuntu – How to verify a downloaded file, given the hashes and a .gpg file

gnupg

With GPG4Win I verified Tor, GPG4Win, Tails, using .sig and signing key. Read docs and watched videos for that purpose. Now I tried to verify Ubuntu, with sha256sum and sha256sums.gpg. Non-Linux users are expected to install GPG Tools; can I do it with GPG4Win instead, and how?
I have Ubuntu Mate as a VM, so I tried the procedure as prescribed, that did not work:

m@ubuntu:~/Downloads$ gpgv --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg SHA256SUMS.gpg SHA256SUMS
gpgv: can't open `SHA256SUMS.gpg'
gpgv: verify signatures failed: file open error

In "Downloads" I created a folder with the checksum pasted on "Pluma" and the SHA256SUMS.gpg inside.
Checking hash sums worked.
What I need is a step-by-step instruction for validation with Linux and Win, because this is a new topic for me and I have no prior experience with it. Thanks a lot for your advice.

PS: As I was just about to download Ubuntu, ploughing the internet for "How to verify.." I found After reading this, I am reluctant to download an OS, not knowing what kind of download that will be. Fact or fiction?

Best Answer

Verification is not necessarily the most straightforward process, depending on how foolproof or paranoid (to use the vernacular) you want to be.

When you download an ISO you will generally also be offered a hash to verify the download against.

If not, on the Ubuntu download page, there is a direct link; access the parent folder: http://releases.ubuntu.com/16.04.2/

The SHA-256 sum files are there, with the signatures to verify the sum lists.

Step 1

gpg2 --verify SHA256SUMS.gpg SHA256SUMS

This will return some output:

gpg: Signature made Fri 17 Feb 2017 00:04:27 GMT using DSA key ID FBB75451
gpg: Can't check signature: No public key
gpg: Signature made Fri 17 Feb 2017 00:04:27 GMT using RSA key ID EFE21092

The key fingerprints are at the end; you now need to import them from a keyserver.

Step 2

Import keys from keyserver

gpg2 --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys FBB75451 EFE21092

which will confirm what you want to know:

gpg: key EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" imported
gpg: key FBB75451: public key "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: PGP
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 2
gpg:               imported: 2

Step 3

You can now re-run the verification command

gpg2 --verify SHA256SUMS.gpg SHA256SUMS

You will get warnings about trusted signatures if you have never expanded a web of trust before. If you trust the fingerprints received from the keyserver, this is fine. If you are looking to go the extra mile, you can ask someone with an extended web of trust to verify for you; look into Key Signing Events and gpg web of trust for more info.

Step 4

Once you have downloaded the ISO you want, run the checksum tool against it:

sha256sum your_distro.iso

Check that the sum matches the one from the site, or in the SHA256SUM file (which will just be a text file with the checksums inside it).

Concerns from the reddit link

For the concerns regarding ISO sites not using HTTPS: the server is a known server, and the content is known content. Encrypting this is unnecessary; HTTPS is better suited for communication secrecy and on-the-wire data integrity.

If the files are compromised, say on the server hard drives, we need something else: so we are verifying authenticity and integrity of the resting data using the signatures.

For the concerns about the keys and fingerprints themselves, first a disclaimer: the following expounds on what is generally understood, with caveats of course. This is not professional security advice, but more a topical discourse.

The only thing you will indeed need to be sure of is that you trust the keys received from the keyserver, and this is where the web of trust comes in.

If a friend or colleague of yours has already established a chain of trust that can verify the fingerprints, and you trust that person, then you can trust the fingerprint.

A poor-man's way to be sure is to check different and various web sites and forums to see that the fingerprints you have match what has been seen and found via other websites.

If an attacker had indeed replaced the Ubuntu ISOs with fakes and substituted forged signature files, and managed to switch the keys on the keyserver, you can still be sure that

  • the keys will not match those in another person's imported keys (so long as they have the non-compromised keys) (web of trust scenario)
  • any keys documented in forums across the net (as in the scenario above, where I pasted what I have) are unlikely to also have been switched (unless all sites were hacked, or the keys were switched long before anyone started documenting them in forums and stackexchange debug outputs, for example)

If you want to find out more, reading up on the "lessons learnt" from the fallout from the Linux Mint website hack should provide a good background on this very issue.

And yes, the process of verifying an ISO should be much easier, I'll grant you that.
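
The four steps above as one scripted check, added here as an example and not part of the original answer: it reads gpg's machine-readable status lines instead of the human-readable output, then compares the ISO's digest with its entry in the signed list. It assumes you pin a full key fingerprint obtained out of band (the output above shows only 8-hex-digit key IDs); the fingerprint and status lines in `sample_status` are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example; the status lines and fingerprint below are constructed.
sample_status() {   # constructed `gpg2 --status-fd 1 --verify` output
cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Test Key <test@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-02-17 1487289867 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}

# Read gpg status lines on stdin; succeed only if the key with full
# fingerprint $1 made a signature reported as both VALIDSIG and GOODSIG.
# VALIDSIG alone is also emitted for expired or revoked keys, so GOODSIG
# (which carries the long key ID or fingerprint) must be present as well.
signed_by() {
    awk -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good[toupper($3)] = 1 }
        $2 == "VALIDSIG" && toupper($3) == want { valid = 1 }
        END {
            for (g in good)
                if (valid && substr(want, length(want) - length(g) + 1) == g) exit 0
            exit 1
        }'
}

# Steps 1 and 3 with status output, checked against the pinned key.
# $1 = full fingerprint, $2 = SHA256SUMS.gpg, $3 = SHA256SUMS.
verify_sums() {
    gpg2 --status-fd 1 --verify "$2" "$3" 2>/dev/null | signed_by "$1"
}

# Step 4: compare the ISO's digest with its entry in the sums file.
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed.
check_iso() {
    sums=$1 iso=$2
    name=$(basename "$iso")
    # Entries look like "<digest> *<name>"; names without spaces are assumed.
    want=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print $1; exit }' "$sums")
    [ -n "$want" ] || return 2
    have=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}
```

Run `verify_sums` before `check_iso`: the digest comparison only means something once the list it reads from has passed the signature check.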
