6

Neither the ISO nor the hashsum is available via HTTPS. Is there any way to verify you're not getting man-in-the-middled?

3 Answers

5

The hashes and ISOs are only provided via http, so md5sum-checking is insufficient. As @Doug Smythies explained in a comment on a deleted answer:

We (the Ubuntu Doc team) no longer maintain the https page, because it is pretty much impossible to do so. The people with the ability to do an https page won't.

However, Ubuntu's gpg fingerprints are available via https here.

TLDR

  1. Download MD5SUMS and MD5SUMS.gpg for the relevant release.
  2. Verify the MD5SUMS with the MD5SUMS.gpg and check that the fingerprint is the same as on this web page.
  3. Verify the ISO with the MD5SUMS.
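The three TLDR steps as a runnable check, added here as an example and not part of the original answer. It assumes gpg is installed and the signing key has already been imported, and EXPECTED_FINGERPRINT is a placeholder to be replaced with the fingerprint read from the HTTPS page.

```python
import hashlib
import re
import subprocess

# Constructed placeholder: replace with the fingerprint copied from Ubuntu's HTTPS key page.
EXPECTED_FINGERPRINT = "0000000000000000000000000000000000000000"


def signing_fingerprint(status_output):
    """Return the 40-hex fingerprint from a gpg --status-fd VALIDSIG line, or None.
    gpg emits VALIDSIG only for a signature that verified; the exit status alone is
    not enough, since gpg exits 0 even when the signing key is unknown/untrusted."""
    m = re.search(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ", status_output, re.M)
    return m.group(1) if m else None


def parse_md5sums(text):
    """Map file name -> md5 from an MD5SUMS file ('<md5> *<name>' per line)."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums


def md5_of_file(path):
    """Stream the file through MD5 so a multi-GB ISO is not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_release(iso_path, sums_path="MD5SUMS", sig_path="MD5SUMS.gpg",
                   expected_fpr=EXPECTED_FINGERPRINT):
    """Steps 2 and 3 of the answer: the signature must verify AND come from the key whose
    fingerprint was read over HTTPS; only then is the MD5 in MD5SUMS worth comparing."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, sums_path],
                          capture_output=True, text=True)
    fpr = signing_fingerprint(proc.stdout)
    # Compare the full fingerprint, never a short key ID (those are easy to collide).
    if fpr is None or fpr != expected_fpr.replace(" ", "").upper():
        return False
    with open(sums_path) as f:
        sums = parse_md5sums(f.read())
    name = iso_path.rsplit("/", 1)[-1]
    return name in sums and md5_of_file(iso_path) == sums[name]
```

Because the files and the hashes travel over plain http, a mismatch at any step means the download is not trustworthy; the fingerprint comparison is what ties the signature to Canonical rather than to whoever is in the path.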
3

Whilst Canonical isn't providing HTTPS, some of the officially recognized 3rd-party mirrors do, so that may be a viable alternative. Even without HTTPS you can always compare the checksums provided by several different mirrors (that you recognize) to help decrease the odds of a MITM (Man In The Middle).

List of Official 3rd-Party Mirrors CAPABLE of HTTPS:

(remove the - from h-ttps, only put there because too many urls)

In future, for those who don't fancy checking mirrors by hand for HTTPS, you can use Https Finder, which was the tool used to find these mirrors.

muru
0

You can download your favorite Ubuntu from here: http://www.ubuntu.com/download/desktop

and you can see the md5 checksum from here: http://releases.ubuntu.com/14.04/

In fact, the 2nd link contains all the .iso files and the md5 checksums.

Look for this link for verifying the .iso file

I would suggest going for Ubuntu Desktop 14.04 LTS (Long Term Support).

Ashu

  • Both of those files are only provided via insecure http. How can I verify that they aren't both from the same man-in-the-middle? – Ryne Everett Feb 29 '16 at 22:24
  • So the only way to get the public gpg key used to sign releases is to install ubuntu? – Ryne Everett Feb 29 '16 at 23:13
  • @bodhi.zazen it didn't answer the question at the time I wrote the comment. Since then, ubfan1 added a link to a possible duplicate which Ashu adopted in his answer. – danzel Feb 29 '16 at 23:19
  • @RyneEverett - no, the public gpg keys are available on key servers. See https://help.ubuntu.com/community/Repositories/Ubuntu#Authentication_Tab . You should be able to identify and download the ubuntu gpg keys if you know how to use gpg, if not, well that is a separate question. – Panther Feb 29 '16 at 23:24
  • @RyneEverett. If you are downloading the .iso from Windows (which most of the folks might be doing), there is a utility in Windows 10 (https://www.microsoft.com/en-us/download/details.aspx?id=11533). Having said that, you don't have to install Ubuntu to verify the md5 checksum – Ashu Feb 29 '16 at 23:25
  • @Ashu - http://askubuntu.com/questions/326397/verifiying-ubuntu-iso-with-repository-gpg-keys?rq=1 – Panther Feb 29 '16 at 23:26
  • Or purchase a CD / DVD from Canonical - http://shop.canonical.com/index.php?cPath=17 . Works for Windows users too ;p – Panther Feb 29 '16 at 23:32
  • @bodhi.zazen It isn't clear to me that ordering a cd/dvd is a way of verifying an iso. – Ryne Everett Feb 29 '16 at 23:43
  • Sure, the DVD contains the hash sum for the iso on it, so by ordering a DVD you get the hash sum directly from Canonical. I trust you know how to verify from there. – Panther Feb 29 '16 at 23:45