Results 1 to 3 of 3

Thread: Verification of iso image

Hybrid View

  1. #1
    Join Date
    Apr 2017
    Beans
    54

    Verification of iso image

    Maybe I am missing something in the aspect security in regards to verifying the download. The site (releases.ubuntu.com) where you download the signature file and the hash file needed for verification does not appear to use any type of encryption. Doesn't this subject the site to a Man in the Middle Attack? Can someone explain this to me so I have an understanding or am I wrong here to suggest the site is not secure? Thank-you for your understanding of my ignorance.

  2. #2
    Join Date
    Apr 2011
    Location
    Mystletainn Kick!
    Beans
    13,596
    Distro
    Ubuntu

    Re: Verification of iso image

    You use the sha256sum.gpg file to verify the authenticity of the sha256sum checksum for the ISO.
    https://ubuntu.com/tutorials/how-to-...ntu#1-overview
    Splat Double Splat Triple Splat
    Earn Your Keep
    Don't mind me, I'm only passing through.
    Once in a blue moon, I'm actually helpful
    .

  3. #3
    Join Date
    Apr 2017
    Beans
    54

    Re: Verification of iso image

    Quote Originally Posted by deadflowr View Post
    You use the sha256sum.gpg file to verify the authenticity of the sha256sum checksum for the ISO.
    https://ubuntu.com/tutorials/how-to-...ntu#1-overview
    Note - some people question that if the site they are downloading from is not secure (many archive mirrors do not use SSL), how can they trust the signatures? The gpg fingerprint is checked against the Ubuntu keyserver, so if the signature matches, you know it is authentic no matter where/how it was downloaded!



    thank-you

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •