3

I'm quite surprised that an issue this big has so little conversation around it.

I'm a casual Ubuntu user, and I just downloaded the ISO from ubuntu.com.
I don't have a PGP web-of-trust set up on my computer or anything.
So the only thing I can really trust is my browser's CA list.

How would I go about verifying I'm not getting MITM'd and rootkit-level pwnd by a 16 y.o.? (Because it really is that easy)

1. Just check the SHA256SUM

Well, unfortunately http://releases.ubuntu.com/ is only served via HTTP.
In fact there's a "Won't Fix" closed bug report from 2013 where maintainers explicitly deny bothering with providing users an HTTPS version of the hash list.

2. Just download Ubuntu's public keys with GPG

As mentioned in the VerifyIsoHowTo page, the other way to verify the download is to download Ubuntu's public key and verify the .gpg hash files.
However, in fine print, near the bottom it mentions something about building a web of trust. If we are to expand on that, I think we can safely state that checking the PGP signatures without a good web-of-trust in place is completely useless.


So what's left? Literally nothing. Of course you can spend a great deal of time trying to understand PGP, contacting colleagues and building your own web-of-trust over the following weeks, or you can just skip all that and just finally get on with the installation, which is what the crushing majority of people will do, if they even bothered getting that far.

So, is there a practical way for the casual/intermediate user to check the integrity of Ubuntu software prior to installing it, or are we wasting thousands upon thousands of man-hours to write secure code only to serve it insecurely?


  • 3
    Firstly, this reads more like a rant than it does an actual question based on the tone and what you are marking as bold, etc. Secondly, if you want to suggest changes to improve this, you need to contact the release team rather than posting just here on Ask Ubuntu. – Thomas Ward Nov 23 '18 at 16:03
  • Well, it reads like a rant because I've been placing my trust on Ubuntu all these years and now that I barely scratched the surface I see it's full of holes. But it is a legitimate question, and I'd love to see an answer that proves me wrong. As for contacting the release team, it's not like they don't know this. – Vasilis Papadimitriou Nov 24 '18 at 09:05
  • @VasilisPapadimitriou could you explain why you think you need your own web of trust? I am not an expert on this, but as I understand it, that is only necessary for you to use GPG to communicate with other people. Not in the cases where there is a trusted keyserver you can rely on. The links you mention from the VerifyIsoHowto are giving you information about that. Even if you had your own web-of-trust, you wouldn't use that to verify the Ubuntu keys. You won't be getting a "random public key over hkp", you will be contacting Ubuntu's trusted server. – terdon Nov 27 '18 at 23:47

3 Answers

4

Before verifying the integrity of the downloaded Ubuntu ISO file, check the md5sum and sha256sum versions on your Ubuntu System. To verify the version of md5sum, use the --version command:

md5sum --version

The md5sum version will be returned in the terminal. In our case, it is version 9.4.

Now, to verify the sha256sum version, use the --version command again:

sha256sum --version

The sha256sum version will be returned to the terminal. In our case, it is version 9.4.

Here is the output of the above commands:

[screenshot: output of the terminal commands above]

The downloaded Ubuntu ISO file can be verified through the sha256sum checksum command. The sha256sum command checks the file’s integrity. If a slight change is made in the file, the sha256 hash value generated will be completely different from the official Ubuntu ISO file hash value. The sha256 hash value can be verified from the Official Ubuntu Website.

Verify Ubuntu ISO Using the sha256sum command

The Ubuntu ISO file can be verified directly through the terminal. The sha256sum command makes it easier to retrieve the hash value without having to use third-party software. To use the sha256sum command, open Terminal and go into the folder where you downloaded the Ubuntu ISO. For instance, if you downloaded the Ubuntu ISO into your Downloads folder, then go into the Downloads folder in your file manager, right-click on the white space and select Open in Terminal, as shown in the screenshot below:

[screenshot: "Open in Terminal" in the file manager context menu]

Now that you're in the terminal, type ls and hit Enter so you can easily copy the name of the Ubuntu ISO image (look at the picture below):

[screenshot: output of ls and sha256sum in the terminal]

So the command is:

sha256sum <fileName>

As you can see I did:

sha256sum ubuntu-24.04.1-desktop-amd64.iso

Now it will take a few moments, so patiently wait for the check to complete.

Once the process is completed and the hash value of the Ubuntu ISO file is retrieved, the hash value will be displayed in the Terminal.

As you can see in the previous picture, the hash value I got is this:

c2e6f4dc37ac944e2ed507f87c6188dd4d3179bf4a3f9e110d3c88d1f3294bdc

Now we have to manually compare this hash value to the hash value from the official Ubuntu website.

If you go here https://releases.ubuntu.com/noble/SHA256SUMS, you will see:

c2e6f4dc37ac944e2ed507f87c6188dd4d3179bf4a3f9e110d3c88d1f3294bdc *ubuntu-24.04.1-desktop-amd64.iso

Copy the hash from your terminal and then copy the hash from the Ubuntu website and then just manually compare them, like this:

c2e6f4dc37ac944e2ed507f87c6188dd4d3179bf4a3f9e110d3c88d1f3294bdc
c2e6f4dc37ac944e2ed507f87c6188dd4d3179bf4a3f9e110d3c88d1f3294bdc

Just look at them and make sure they are both exactly the same. And I just looked at them and yup they look the same to me.

If the two hash values don't exactly match, then your Ubuntu download has been altered somehow and you'll have to redownload it.

In my opinion this method is the easiest way to verify your Ubuntu download.

If you're not using Ubuntu 24.04, you can find the hash values for the other Ubuntu releases by visiting https://releases.ubuntu.com/. Then find your particular Ubuntu release, click on it, and then scroll down and you should see "SHA256SUMS". Click on it and you'll see the hash value you're looking for.

SpaceX
  • 145
2

There's a step-by-step tutorial on it: https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#0

If you don't know how that works, then the only way, if you intend to use it, is to learn it.

There's no "simple" way for this because this is not simple on how this works and how it provides correct results (unless you're good with algorithms). Sorry.

There's no official iso md5sums organization that keeps track of all the images out there so there's no official way of doing that. You can however use the tools and check it against what Ubuntu shares with you on their official servers. I.e. for the latest Ubuntu http://releases.ubuntu.com/cosmic/

there are multiple files:

  1. http://releases.ubuntu.com/cosmic/MD5SUMS
  2. http://releases.ubuntu.com/cosmic/SHA1SUMS
  3. http://releases.ubuntu.com/cosmic/SHA256SUMS

which can be checked against with as much as:

  1. md5sum ubuntu-18.10-desktop-amd64.iso
  2. sha1sum ubuntu-18.10-desktop-amd64.iso
  3. sha256sum ubuntu-18.10-desktop-amd64.iso

where the ubuntu-18.10-desktop-amd64.iso is of course the iso in question. Compare the command output with those pages and you'll know if it's genuine.

EDIT: I thought I'd answer all of OP's questions, because they raised some questions, notes and concerns in the comments:

Is there a way for a casual user to verify the authenticity of a downloaded Ubuntu .ISO?

There is; I answered that in my main answer.

How would I go about verifying I'm not getting MITM'd and rootkit-level pwnd by a 16 y.o.?

The only simple way I know (without using a browser to download the SSL certificate) is to confirm your network / DNS responds with the same IP as some other DNS you're not using and which you trust, i.e. OpenDNS or Google's:

dig releases.ubuntu.com
dig @208.67.222.222 releases.ubuntu.com
dig @8.8.8.8 releases.ubuntu.com

All of them should return the same results. For rootkits, the only way is to check the ISO against checksums, which I already described.

So, is there a practical way for the casual/intermediate user to check the integrity of Ubuntu software prior to installing it, or are we wasting thousands upon thousands of man-hours to write secure code only to serve it insecurely?

This question ignores the fact that:

  • GPG keys can be fetched securely via an hkps server:

gpg --keyid-format long --keyserver hkps://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092

  • there's a very important note on https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#2 which OP seems to ignore (while saying he read that before):

Note - some people question that if the site they are downloading from is not secure (many archive mirrors do not use SSL), how can they trust the signatures? The gpg fingerprint is checked against the Ubuntu keyserver, so if the signature matches, you know it is authentic no matter where/how it was downloaded! How GPG works under the hood exceeds the knowledge of a casual user, but you can trust this is secure. If you do not trust it, please read how GPG works. I can assure you it was checked against attacks multiple times ;)

What I also explained in my edit is that the authenticity of the server CAN be checked (see my answer on dig above). However, this exceeds the knowledge of a casual user (ask your internet-browsing parents about MITM, you'll know), so it raised my eyebrow when OP brought this to the table along with the phrase "casual user".

While http://releases.ubuntu.com/ is not using HTTPS, you can check against MITM with dig. If everything matches, you're safe, because only Canonical holds control over *.ubuntu.com subdomains.

I hope there are no more questions, but if there are, please add a new askubuntu.com question and just add a link to this thread in it. I'll be happy to answer.

Jan Myszkier
  • 1,283
  • You either didn't read or didn't understand my question. I address all the methods used in this tutorial. The thing is, if you don't have a valid web-of-trust for GPG, getting a random public key over hkp provides zero security and the whole process is just security theater. This is the problem I want addressed. – Vasilis Papadimitriou Nov 23 '18 at 16:00
  • updated my answer that addresses the problem – Jan Myszkier Nov 23 '18 at 16:11
  • The files you provided are served over HTTP and not HTTPS and are therefore not an answer. OP asks for a secure way to get the checksums. – Turtle10000 Nov 23 '18 at 16:14
  • 3
    https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu is available over HTTPS and contains the actual key fingerprints you can verify. I admit that perhaps it could point out that it is the real key fingerprints you should be verifying, and not just some output that looks like that. Then again, if you don't know to do that, you probably don't know to trust the instructions on that page over some other instructions on the Internet to which you don't have a trust path. – Robie Basak Nov 23 '18 at 16:17
  • @Turtle10000 bad news for you man: see the source of the download page: https://www.ubuntu.com/download/desktop/thank-you?country=PL&version=18.04.1&architecture=amd64 and guess where you're downloading the iso from? <meta http-equiv="refresh" content="3;url=http://releases.ubuntu.com/18.04.1/ubuntu-18.04.1-desktop-amd64.iso"> Yes, that's an HTTP source. If OP is secure enough with downloading the iso from the official site, you can also trust the http releases.ubuntu.com key information ;) – Jan Myszkier Nov 24 '18 at 19:07
  • @janmyszkier That's the point of the checksums. You can download the iso via an insecure connection and then check the checksum to validate whether it has been compromised or not - as long as you can be sure the checksum is valid. If both are obtained via an insecure connection, the check is worthless. And that is exactly what OP is complaining about, as there's no secure source for the checksum. – Turtle10000 Nov 24 '18 at 23:29
  • @JanMyszkier Hey so your comment is from 2018, so what about now, so right now in 2024 when I download the Ubuntu ISO from the official Ubuntu website is it over https? Surely it's https right? Hasn't the entire internet moved over to https by now? – SpaceX Dec 28 '24 at 08:14
  • @Turtle10000 "And that is exactly what OP is complaining about, as there's no secure source for the checksum." Hey it's 2024, it's been fixed now right? The official Ubuntu website is now https right? I mean I get my Ubuntu hash value here, it says it's https https://releases.ubuntu.com/ so it's been fixed now right? It's secure now right? – SpaceX Dec 28 '24 at 08:18
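Putting the two answers together, here is an added example (not code from either answer or from Ubuntu's own tutorial): a POSIX shell script that fetches SHA256SUMS and its detached signature over HTTPS, imports the signing keys from the hkps keyserver quoted above, verifies the signature, and then checks the ISO with sha256sum instead of comparing two hex strings by eye. It assumes curl, gpg and coreutils are installed; the release directory name (noble), the ISO filename and the key IDs are the ones already quoted on this page.

```shell
# Added example, not code from any answer on this page: verify an Ubuntu ISO
# against SHA256SUMS with the tools already on the system, instead of
# comparing two 64-character hex strings by eye. Assumes curl, gpg and
# sha256sum (coreutils) are installed; the key IDs are the ones quoted above.
set -eu

# Fetch SHA256SUMS and its detached signature over HTTPS for a release
# directory such as "noble".
fetch_sums() {
    curl -fsSLO "https://releases.ubuntu.com/$1/SHA256SUMS"
    curl -fsSLO "https://releases.ubuntu.com/$1/SHA256SUMS.gpg"
}

# Import the signing keys from Ubuntu's hkps keyserver and check the detached
# signature. Compare the fingerprints gpg prints with those published over
# HTTPS on the tutorial/wiki pages linked above before trusting them.
verify_sums_signature() {
    gpg --keyid-format long --keyserver hkps://keyserver.ubuntu.com \
        --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092
    gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
}

# Check one ISO against a SHA256SUMS file (works offline).
# Returns 0 on match, 1 on mismatch, 2 if the ISO is not listed at all.
check_iso() {
    sums="$1"; iso="$2"
    name=$(basename "$iso")
    # Lines look like "<hex> *<filename>" ('*' marks binary mode) or
    # "<hex>  <filename>"; take the digest whose filename matches exactly.
    expected=$(awk -v f="$name" '$2 == ("*" f) || $2 == f { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "$name is not listed in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH: $name (expected $expected, got $actual)" >&2
        return 1
    fi
    echo "OK: $name"
}

# Full run for a downloaded image, e.g.:
#   verify_iso noble ~/Downloads/ubuntu-24.04.1-desktop-amd64.iso
verify_iso() {
    fetch_sums "$1"
    verify_sums_signature
    check_iso SHA256SUMS "$2"
}
```

A non-zero exit from any step (signature failure, unlisted file, or digest mismatch) stops the run, so a tampered SHA256SUMS is caught before the ISO is ever compared.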
2

If you're willing to trust HTTPS for this, the GPG key fingerprints are available via both:

https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#3

and

https://wiki.ubuntu.com/SecurityTeam/FAQ#GPG_Keys_used_by_Ubuntu

Thanks

sarnold
  • 1,976
  • 17
  • 20