0

Just out of curiosity - Ubuntu and other Linux distributions tell users to verify downloaded .ISOs against the SHA256 hash of the .ISO.

1 - Since the SHA256 hash value is hosted on the same website as the .ISO file, isn't it equally vulnerable to an attacker who wants to distribute hacked images? If an attacker manages to substitute his own hacked .ISO file, why can't he also substitute the SHA256 hash with one that matches his hacked .ISO?

2 - Don't the standard file transfer protocols (TCP, SFTP, https, BitTorrent...) have sufficiently long CRCs to practically prevent bit errors creeping unnoticed into downloads? If not, why not?

nerdfever.com
  • As you have noted, the hashes should be from the original site, not the site (mirror?) you downloaded from. Hashes are small, so nearness/bandwidth doesn't matter as much. – ubfan1 Feb 06 '23 at 20:51
  • Not all downloads occur over the protocols you mention, i.e. HTTP is still used by at least zsync, which is loved by those of us who are downloading many large files every day (i.e. daily images) – guiverc Feb 06 '23 at 21:35

1 Answer

4

Many common questions here at AskUbuntu are from users encountering mysterious problems that --after some troubleshooting-- turn out to be apparently caused by corrupted or incomplete installer downloads or mis-made LiveUSBs.

When those users carefully re-download and re-make the LiveUSB properly, the mysterious problems vanish and the system behaves normally.

Checking the hash is one easy troubleshooting tool to confirm that the installer download is correct, so you're not wasting effort troubleshooting the wrong step in the process. There are different troubleshooting tools and techniques for different steps.

user535733
  • 62,253
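
The hash check discussed in this thread, as an added example that is not part of the original posts: a shell function that looks up an image's entry in a `SHA256SUMS`-format file and separates "hash mismatch" (corrupted or incomplete download) from "no entry to compare against". The function name `verify_iso` and its return codes are hypothetical, and it assumes the `SHA256SUMS` file was fetched from the original site rather than the mirror, as the comment above suggests.

```shell
#!/bin/sh
# Added example (not from the original thread).
# verify_iso IMAGE SUMS_FILE
#   returns 0: digest matches the entry listed for IMAGE
#   returns 1: digest differs (corrupted or incomplete download)
#   returns 2: nothing to compare (unreadable file or no entry for IMAGE)
verify_iso() {
    iso=$1
    sums=$2
    [ -r "$iso" ] && [ -r "$sums" ] || return 2
    name=$(basename "$iso")

    # sha256sum list format: 64 hex digits, one space, then ' ' (text mode)
    # or '*' (binary mode), then the file name starting at column 67.
    expected=$(awk -v n="$name" '
        substr($0, 67) == n && substr($0, 1, 64) ~ /^[0-9A-Fa-f]+$/ {
            print tolower(substr($0, 1, 64)); exit
        }' "$sums")
    [ -n "$expected" ] || return 2

    # Hash from stdin so the image's path never affects the output format.
    actual=$(sha256sum < "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Command-line use: sh verify_iso.sh IMAGE SUMS_FILE
if [ "$#" -eq 2 ]; then
    rc=0
    verify_iso "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $1 matches its listed SHA-256" ;;
        1) echo "MISMATCH: re-download $1 before troubleshooting further" ;;
        *) echo "NO ENTRY: $2 is unreadable or does not list $1" ;;
    esac
    exit "$rc"
fi
```

A mismatch only says the file differs from what the list describes; whether the list itself is trustworthy depends on where it came from, which is the point of the first question.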