Ubuntu – Is verifying ISOs downloaded from the official website worthwhile

iso system-installation

I downloaded the ISO from https://www.ubuntu.com/download, selecting the default "Ubuntu Desktop" option.

The website links the page https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu which gives instructions on how to verify Ubuntu.

This seems pretty tedious, and I am wondering how realistic it is that there is a problem with an ISO downloaded from the official website. I note that the process of verification itself requires me to download software that is new to me, thus introducing another attack vector on me even as I am closing another one.

For what it's worth, I am planning to use Live USB only and not to fully install Ubuntu. Does that make a difference?

Best Answer

Yes it's worthwhile.

It takes only seconds to md5sum/etc a downloaded ISO, and it provides reassurance you weren't attacked by MITM etc. Beyond that, those seconds are insurance for the [hours of] time wasted if you had a few bit errors and debugging necessary chasing errors no one else gets because of your download (e.g. you have network issues & so try to debug; but networking is stuffed because that's what the few bits wrong were...). Think of checksum-checks as very cheap insurance.

The software needed to md5sum something will be from another source usually (an older version, even different OS/distro on occasion), is very small and is already present for many/most of us.

Further it allows me to download from a local mirror, but because I grab the md5sum from the Canonical source, I've insurance that the mirror didn't play with it. Again very cheap insurance that costs me ~3 secs of time.
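
The check the answer describes, as an added example that is not part of the original answer: a mirror-downloaded image is compared against a checksum list obtained separately from the trusted source. It uses sha256sum in place of md5sum; the function names, file names and sample data are constructed for illustration.

```shell
#!/bin/sh
# verify_iso FILE SUMS
# Looks up FILE's entry in a checksum list ("HASH  NAME" or "HASH *NAME",
# the format written by sha256sum) and compares it with the local copy's hash.
# Returns: 0 match, 1 mismatch, 2 no entry for this file, 3 file unreadable.
verify_iso() {
    file=$1; sums=$2
    [ -r "$file" ] || return 3
    name=$(basename "$file")
    # Match the name field exactly (assumes no spaces in the image name).
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print tolower($1); exit }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Offline demonstration on constructed data (not a real Ubuntu image).
demo() {
    dir=$(mktemp -d) || return 1
    # Constructed stand-in for the ISO fetched from a mirror.
    printf 'constructed sample image\n' > "$dir/sample.iso"
    # Constructed stand-in for the checksum list fetched from the trusted source.
    ( cd "$dir" && sha256sum sample.iso > SHA256SUMS )

    ok=0; verify_iso "$dir/sample.iso" "$dir/SHA256SUMS" || ok=$?

    # Simulate a few wrong bits or a tampered mirror copy: one byte differs.
    printf 'constructed sample imagf\n' > "$dir/sample.iso"
    bad=0; verify_iso "$dir/sample.iso" "$dir/SHA256SUMS" || bad=$?

    # A checksum list with no entry for this file must not count as a pass.
    missing=0; verify_iso "$dir/sample.iso" /dev/null || missing=$?

    rm -rf "$dir"
    echo "$ok $bad $missing"
}

demo   # prints "0 1 2": match, mismatch, no entry
```

The distinct return codes matter in practice: treating "no entry found" as success would let a wrong or empty checksum file pass the check silently.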
