Getting ubuntu iso securely

Ryein Goddard ryein.goddard at
Tue Sep 15 19:53:28 UTC 2015

If we are trying to target newbies that don't know what a sha256sum is then
I highly doubt they will be running Ubuntu in order to run that command.

Personally when I make an Ubuntu ISO my CD burner program checks the value
for it, so it isn't an issue for me. I am also not worried that it has
been modified in transit, or my DNS requests have been spoofed. I am more
worried it hasn't been downloaded correctly.

On Tue, Sep 15, 2015 at 12:48 PM, J Fernyhough <j.fernyhough at> wrote:

> It's no more secure than running:
> sha256sum -c ubuntu-installer.iso.shasum
> or just:
> sha256sum ubuntu-installer.iso
> and manually checking the values match.
> I'd even argue a script is less secure, as the user is running an
> arbitrary script they've downloaded. It's also no more straightforward as
> the user has to download and run the script. Whatever format the script is,
> the user still has to set it as executable. By this point, reading a line
> of instruction and running a single command is pretty trivial.
> I understand what you're trying to do, I just think you're trying to solve
> a problem that doesn't exist.
> On 15 September 2015 at 20:40, Ryein Goddard <ryein.goddard at>
> wrote:
>> We are talking about a more secure method with a built-in way to checksum
>> that is easy for users, not the Pentagon.
>> On Tue, Sep 15, 2015 at 12:30 PM, J Fernyhough <j.fernyhough at>
>> wrote:
>>> An "open" script with an encrypted checksum? What's to stop someone
>>> compromising this script during transport? You have recreated *exactly* the
>>> same problem, just a level higher.
>>> On 15 September 2015 at 20:27, Ryein Goddard <ryein.goddard at>
>>> wrote:
>>>> That part is easy because it could be an open script with probably less
>>>> than 10 lines of code.
>>>> On Tue, Sep 15, 2015 at 12:23 PM, J Fernyhough <j.fernyhough at>
>>>> wrote:
>>>>> And how would you know the Ubuntu-branded downloader is secure?
>>>>> I think you're over-complicating things here. Anyone interested in
>>>>> verifying a download is correct can verify the posted SHAsum, and anyone
>>>>> really concerned could install from a netboot (mini.iso), check its seed
>>>>> file, and download all packages from a known repo.
>>>>> If you are concerned about an installer download becoming compromised
>>>>> during transport then you should also be concerned about the apt transport
>>>>> used - I'm assuming you set your deb sources to https? If not, then a
>>>>> 'secure' installer image is moot.
>>>>> J
>>>>> On 15 September 2015 at 20:10, Ryein Goddard <ryein.goddard at>
>>>>> wrote:
>>>>>> You could add multiple sources that store an encrypted checksum and
>>>>>> then reference that with an Ubuntu branded downloader.  That program would
>>>>>> be pretty easy to make and it would abstract away all requirements for
>>>>>> anything time consuming from the user.
>>>>>> On Tue, Sep 15, 2015 at 3:53 AM, Ralf Mardorf <
>>>>>> ralf.mardorf at> wrote:
>>>>>>> On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote:
>>>>>>> >On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote:
>>>>>>> >> On Mon, 14 Sep 2015 16:19:36 +0000 (UTC), rajeev bhatta wrote:
>>>>>>> >> >It is not time consuming.. just for the user experience..
>>>>>>> >>
>>>>>>> >> IMHO for average users it is time consuming. Even a power user
>>>>>>> >> not necessarily deals with the right people to get a key she or he
>>>>>>> >> can trust, that can be used to verify ownership of the particular
>>>>>>> >> public Ubuntu key.
>>>>>>> >>
>>>>>>> >> I am a Linux power user and I don't own a key to verify the
>>>>>>> >> particular public key, that belongs to the key, that was used to
>>>>>>> >> sign the Ubuntu images.
>>>>>>> >>
>>>>>>> >> Please let me know, how I can get such a key, without spending
>>>>>>> >> much time ;).
>>>>>>> >
>>>>>>> >If a current method doesn't exist then maybe we can just create one?
>>>>>>> How will you make it less time consuming?
>>>>>>> You need to meet other people in the real world, in addition you
>>>>>>> need to know and trust those people and in addition they need to
>>>>>>> trust a chain of trusted keys, that confirms ownership of the public
>>>>>>> Ubuntu key in question.
>>>>>>> This already is hard to realise for hardcore computer geeks and
>>>>>>> completely illusory for those whose centre of life isn't the
>>>>>>> operating system of their computers or digital security.
More information about the Ubuntu-devel-discuss mailing list
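
Added example, not part of the thread or of any Ubuntu tooling: a shell function that performs the `sha256sum` comparison quoted above for a single image, but reports separately whether the hash mismatched, the image was not listed, or (optionally) the GPG signature on the checksum list failed. The function names, return codes and demo file names are assumptions made for the illustration; the signature step only helps if the signing key in the local keyring is already trusted, which is the problem the thread debates.

```shell
#!/bin/sh
# Added example: check one downloaded image against a checksum list.
# verify_image SUMS_FILE IMAGE [SIG_FILE]
# Return codes (chosen for this example): 0 = hash matches, 1 = mismatch,
# 2 = image not listed, 3 = signature on SUMS_FILE failed, 4 = file missing.
verify_image() {
    sums=$1; image=$2; sig=${3:-}
    [ -r "$sums" ] && [ -r "$image" ] || return 4

    # Optional: authenticate the checksum list before trusting its hashes.
    # A plain checksum only catches corruption; without this step a modified
    # image served together with a modified list would still "match".
    if [ -n "$sig" ]; then
        gpg --verify "$sig" "$sums" >/dev/null 2>&1 || return 3
    fi

    name=$(basename "$image")
    # Lines look like "<hex digest>  name" (text) or "<hex digest> *name" (binary).
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print tolower($1); exit }' "$sums")
    [ -n "$expected" ] || return 2

    actual=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# Demo on constructed files (a stand-in text file, not a real installer image).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed stand-in for an installer image\n' > "$dir/demo.iso"
    (cd "$dir" && sha256sum demo.iso > SHA256SUMS)
    verify_image "$dir/SHA256SUMS" "$dir/demo.iso" && ok=0 || ok=$?
    printf 'x' >> "$dir/demo.iso"    # simulate a corrupted download
    verify_image "$dir/SHA256SUMS" "$dir/demo.iso" && bad=0 || bad=$?
    rm -rf "$dir"
    echo "intact=$ok corrupted=$bad"
}

demo
```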