Ubuntu – Verifying Ubuntu on Windows 7 (total newbie)

gnupgwindows 7

Friends, I would like to specify my question a little bit, cause a lot of you give me suggestions that are already written in this page www.ubuntu.com/download/how-to-verify

What confused me is that tip in the 2nd step, where it says :

Tip: On non-Linux systems, you might need to download the GPG tools for this next step. To check if you have the GPG tools installed, run the command gpg –version or gpg2 –version.

Now, it's not written WHERE do I have to write these commands. At the beginning in that page it says "These instructions assume basic knowledge of the command line", so I assumed I needed to open a "Command prompt" program for that, is it right ?
I don't understand why isn't it mentioned in that tip, it is really confusing for a newbie like me. And the results that I get when writing these commands in the "Command prompt" are confusing as well. But knowing that the gnuPG has never ever been installed on my laptop I don't expect too much more.
But still it would be good if it was written in that tip what you should see if it's not installed AND that from Windows OS you have to open a Command prompt program to write these commands in.

Previous question

I want to install Ubuntu on my laptop. I downloaded the iso image and now I want to verify it. I currently have Windows 7 as OS on my computer.

In this page www.ubuntu.com/download/how-to-verify in the 2nd step there is this tip that says:

Tip: On non-Linux systems, you might need to download the GPG tools for this next step. To check if you have the GPG tools installed, run the command gpg –version or gpg2 –version.

Now as I understand I need to write gpg --version when I open the command promt program is that right?
I tried and it is unrecognized. But it's okay because I have never ever installed it on my laptop. The thing I worry a bit is am I doing it right? Do I need to use command prompt program for this?

my command prompt image (click to see)

Best Answer

CertUtil (certutil.exe) is a preinstalled Windows command-line program that can be used to generate hash checksums:

certUtil -hashfile pathToFileToCheck [HashAlgorithm]

certutil.exe ships with Windows 7 and later. CertUtil supports MD2 MD4 MD5 SHA1 SHA256 SHA384 and SHA512 hash algorithms.

Related Solutions

How to Install GnuPG 2.0 – Step-by-Step Guide

On Ubuntu, GnuPG 2.0 is available for all supported releases under the package name gnupg2 (and they are all > 2.0.7). To install it, open a terminal (press CtrlAltT) and run this command:

sudo apt-get install gnupg2

Or see How do I install software using the Ubuntu Software Center?

Ubuntu – How to verify a downloaded file, given the hashes and a .gpg file

Verfication is not necessarily the most straightforward process, depending on how foolproof or paranoid (to use the vernacular) you want to be.

When you download an ISO you will generally also be offered a hash to verify the download against.

If not, on the Ubuntu download page, there is a direct link; access the parent folder: http://releases.ubuntu.com/16.04.2/

The SHA-256 sum files are there, with the signatures to verify the sum lists

Step 1

gpg2 --verify SHA256SUMS.gpg SHA256SUMS

this will return some output

gpg: Signature made Fri 17 Feb 2017 00:04:27 GMT using DSA key ID FBB75451
gpg: Can't check signature: No public key
gpg: Signature made Fri 17 Feb 2017 00:04:27 GMT using RSA key ID EFE21092

The key fingerprints are at the end; you now need to import them from a keyserver

Step 2

Import keys from keyserver

gpg2 --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys FBB75451 EFE21092

which will confirm what you want to know:

gpg: key EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" imported
gpg: key FBB75451: public key "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: PGP
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 2
gpg:               imported: 2

Step 3

You can now re-run the verification command

gpg2 --verify SHA256SUMS.gpg SHA256SUMS

You will get warnings about trusted signatures if you have never expanded a web of trust before. If you trust the fingerprints received from the keyserver, this is fine. If you are looking to go the extra mile, you can ask someone with an extended web of trust to verify for you; look into Key Signing Events and gpg web of trust for more info.

Step 4

Once you have downloaded the ISO you want, run the checksum tool against it:

sha256sum your_distro.iso

Check that the sum matches the one from the site, or in the or SHA256SUM file (which will just be a text file with the checksums inside it).

Concerns from the reddit link

For the concerns regarding ISO sites not using HTTPS: the server is a known server, and the content is known content. Encrypting this is unnecessary, HTTPS is better suited for communication secrecy and on-the-wire data integrity.

If the files are compromised say on the server hard drives we need something else: so we are verifying authenticity and integrity of the resting data using the signatures.

For the concerns about the keys and fingerprints themselves, first a disclaimer: the following expounds on what is generally understood, with caveats of course. This is not professional security advice, but more a topical discourse.

The only thing you will indeed need to be sure of is that you trust the keys received from the keyserver, and this is where the web of trust comes in.

If a friend or colleague of yours has already established a chain of trust that can verify the fingerprints, and you trust that person, then you can trust the fingerprint.

A poor-man's way to be sure is to check different and various web sites and forums to see that the fingerprints you have match what has been seen and found via other websites.

If an attacker had indeed replaced the Ubuntu ISOs with fakes and substituted forged signature files, and managed to switch the keys on the keyserver, you can still be sure that

the keys will not match those in another person's imported keys (so long as they have the non-compromised keys) (web of trust scenario)
any keys documented in forums across the net (as in the scenario above, where I pasted what I have) are unlikely to also have been switched (unless all sites were hacked, or the keys were switched long before anyone started documenting them in forums and stackexchange debug outputs, for example)

If you want to find out more, reading up on the "lessons learnt" from the fallout from the Linux Mint website hack should provide a good background on this very issue.

And yes, the process of verifying an ISO should be much easier, I'll grant you that.

Best Answer

Related Solutions

How to Install GnuPG 2.0 – Step-by-Step Guide

Ubuntu – How to verify a downloaded file, given the hashes and a .gpg file

Related Question