Ubuntu – How to verify a downloaded file, given the hashes and a .gpg file


With GPG4Win I verified Tor, GPG4Win, Tails, using .sig and signing key. Read docs and watched videos for that purpose. Now I tried to verify Ubuntu, with sha256sum and sha256sums.gpg. Non-Linux user are expected to install GPG Tools-can I do it with GPG4Win instead-how?
I have Ubuntu Mate as a VM, so I tried the procedure as prescribed, that did not work:

*m@ubuntu:~/Downloads$ gpgv --keyring=/usr/share/keyrings/ubuntu-
archive-keyring.gpg SHA256SUMS.gpg SHA256SUMS
gpgv: can't open `SHA256SUMS.gpg'
gpgv: verify signatures failed: file open error*

In "Downloads" I created a folder with the checksum pasted on "Pluma" and the
SHA256SUMS.gpg inside.
Checking hash sums worked.
What I need is a step-by-step instruction, for validation with Linux and Win, because it is a new topic without prior experience to me. Thanks a lot for your advice.

PS: As I was just about to download Ubuntu, ploughing the internet for "How to verify.." I found After reading this, I am reluctant to download an OS, not knowing what kind of download that will be. Fact or fiction?

Best Answer

Verfication is not necessarily the most straightforward process, depending on how foolproof or paranoid (to use the vernacular) you want to be.

When you download an ISO you will generally also be offered a hash to verify the download against.

If not, on the Ubuntu download page, there is a direct link; access the parent folder: http://releases.ubuntu.com/16.04.2/

The SHA-256 sum files are there, with the signatures to verify the sum lists

Step 1

gpg2 --verify SHA256SUMS.gpg SHA256SUMS

this will return some output

gpg: Signature made Fri 17 Feb 2017 00:04:27 GMT using DSA key ID FBB75451
gpg: Can't check signature: No public key
gpg: Signature made Fri 17 Feb 2017 00:04:27 GMT using RSA key ID EFE21092

The key fingerprints are at the end; you now need to import them from a keyserver

Step 2

Import keys from keyserver

gpg2 --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys FBB75451 EFE21092

which will confirm what you want to know:

gpg: key EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" imported
gpg: key FBB75451: public key "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: PGP
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 2
gpg:               imported: 2

Step 3

You can now re-run the verification command

gpg2 --verify SHA256SUMS.gpg SHA256SUMS

You will get warnings about trusted signatures if you have never expanded a web of trust before. If you trust the fingerprints received from the keyserver, this is fine. If you are looking to go the extra mile, you can ask someone with an extended web of trust to verify for you; look into Key Signing Events and gpg web of trust for more info.

Step 4

Once you have downloaded the ISO you want, run the checksum tool against it:

sha256sum your_distro.iso

Check that the sum matches the one from the site, or in the or SHA256SUM file (which will just be a text file with the checksums inside it).

Concerns from the reddit link

For the concerns regarding ISO sites not using HTTPS: the server is a known server, and the content is known content. Encrypting this is unnecessary, HTTPS is better suited for communication secrecy and on-the-wire data integrity.

If the files are compromised say on the server hard drives we need something else: so we are verifying authenticity and integrity of the resting data using the signatures.

For the concerns about the keys and fingerprints themselves, first a disclaimer: the following expounds on what is generally understood, with caveats of course. This is not professional security advice, but more a topical discourse.

The only thing you will indeed need to be sure of is that you trust the keys received from the keyserver, and this is where the web of trust comes in.

If a friend or colleague of yours has already established a chain of trust that can verify the fingerprints, and you trust that person, then you can trust the fingerprint.

A poor-man's way to be sure is to check different and various web sites and forums to see that the fingerprints you have match what has been seen and found via other websites.

If an attacker had indeed replaced the Ubuntu ISOs with fakes and substituted forged signature files, and managed to switch the keys on the keyserver, you can still be sure that

  • the keys will not match those in another person's imported keys (so long as they have the non-compromised keys) (web of trust scenario)
  • any keys documented in forums across the net (as in the scenario above, where I pasted what I have) are unlikely to also have been switched (unless all sites were hacked, or the keys were switched long before anyone started documenting them in forums and stackexchange debug outputs, for example)

If you want to find out more, reading up on the "lessons learnt" from the fallout from the Linux Mint website hack should provide a good background on this very issue.

And yes, the process of verifying an ISO should be much easier, I'll grant you that.

Related Question