Getting ubuntu iso securely

J Fernyhough j.fernyhough at
Wed Sep 16 08:45:56 UTC 2015

Ah, sorry - I got lost in the nested quotation (it's what happens when
there's inconsistent top/bottom posting combined with Gmail).

So essentially the thread can be summed up with: the Ubuntu download "thank
you" page [1] needs instructions on how to verify the image has downloaded

There probably aren't any Canonical website maintainers reading this list
now, but you never know.

[1] e.g.

On 16 September 2015 at 01:50, Ryein Goddard <ryein.goddard at>

> Oh that wasn't me.  Having a downloader that actually checks to make sure
> it downloaded properly and has the correct sum is going to be more secure
> then not checking at all.  In the off chance the script/ "program" is
> hacked a long with the ubuntu ISO all hope is lost, but that is two attack
> vectors as opposed to one.  So slightly more secure having an automated
> downloader and checksum checker in my humble opinion, but you are right it
> isn't perfect and currently that way is fine for me.  I was just trying to
> offer suggestions.
> On Tue, Sep 15, 2015 at 1:32 PM, J Fernyhough <j.fernyhough at>
> wrote:
>> OK - now you've lost me.
>> Earlier in the thread you were talking about PGP keys and web-of-trust,
>> not about verifying the integrity of a downloaded file.
>> You also mentioned a 10-line script to use as a downloader. Whoever is
>> downloading the file has to use some operating system to do so, whether
>> *nix or Windows. Any Linux or Mac install has (IIRC) sha256sum. Windows
>> users can use a GUI checksum utility.
>> If you're worried about users getting corrupt downloads, this is about
>> user education, not another technology solution (to a problem that's
>> already been solved). I wrote the Manjaro beginner's guide, and noone has
>> complained they don't understand how to check their downloaded installer
>> image. If there's one group who doesn't complain about documentation, it's
>> 'newbies'.
>> On 15 September 2015 at 20:53, Ryein Goddard <ryein.goddard at>
>> wrote:
>>> If we are trying to target newbies that don't know what a sha256sum is
>>> then I highly doubt they will be running Ubuntu in order to run that
>>> command.
>>> Personally when I make an ubuntu ISO my CD burner program checks the
>>> value for it isn't an issue for me.  I am also not worried that it
>>> has been modified in transit, or my DNS requests have been spoofed.  I am
>>> more worried it hasn't been downloaded correctly.
>>> On Tue, Sep 15, 2015 at 12:48 PM, J Fernyhough <j.fernyhough at>
>>> wrote:
>>>> It's no more secure than running:
>>>> sha256sum -c ubuntu-installer.iso.shasum
>>>> or just:
>>>> sha256sum ubuntu-installer.iso
>>>> and manually checking the values match.
>>>> I'd even argue a script is less secure, as the user is running an
>>>> arbitrary script they've downloaded. It's also no more straightforward as
>>>> the user has to download and run the script. Whatever format the script is,
>>>> the user still has to set it as executable. By this point, reading a line
>>>> of instruction and running a single command is pretty trivial.
>>>> I understand what you're trying to do, I just think you're trying to
>>>> solve a problem that doesn't exist.
>>>> On 15 September 2015 at 20:40, Ryein Goddard <ryein.goddard at>
>>>> wrote:
>>>>> We are talking about a more secure method with a built in way to
>>>>> checksum that is easy for users not the Pentagon.
>>>>> On Tue, Sep 15, 2015 at 12:30 PM, J Fernyhough <j.fernyhough at
>>>>> > wrote:
>>>>>> An "open" script with an encrypted checksum? What's to stop someone
>>>>>> compromising this script during transport? You have recreated *exactly* the
>>>>>> same problem, just a level higher.
>>>>>> On 15 September 2015 at 20:27, Ryein Goddard <ryein.goddard at
>>>>>> > wrote:
>>>>>>> That part is easy because it could be a open script with probably
>>>>>>> less then 10 lines of code.
>>>>>>> On Tue, Sep 15, 2015 at 12:23 PM, J Fernyhough <
>>>>>>> j.fernyhough at> wrote:
>>>>>>>> And how would you know the Ubuntu-branded downloader is secure?
>>>>>>>> I think you're over-complicating things here. Anyone interested in
>>>>>>>> verifying a download is correct can verify the posted SHAsum, and anyone
>>>>>>>> really concerned could install from a netboot (mini.iso), check its seed
>>>>>>>> file, and download all packages from a known repo.
>>>>>>>> If you are concerned about an installer download becoming
>>>>>>>> compromised during transport then you should also be concerned about the
>>>>>>>> apt transport used - I'm assuming you set your deb sources to https? If
>>>>>>>> not, then a 'secure' installer image is moot.
>>>>>>>> J
>>>>>>>> On 15 September 2015 at 20:10, Ryein Goddard <
>>>>>>>> ryein.goddard at> wrote:
>>>>>>>>> You could add multiple sources that store an encrypted checksum
>>>>>>>>> and then reference that with an Ubuntu branded downloader.  That program
>>>>>>>>> would be pretty easy to make and it would abstract away all requirements
>>>>>>>>> for anything time consuming from the user.
>>>>>>>>> On Tue, Sep 15, 2015 at 3:53 AM, Ralf Mardorf <
>>>>>>>>> ralf.mardorf at> wrote:
>>>>>>>>>> On Mon, 14 Sep 2015 15:07:02 -0700, Ryein Goddard wrote:
>>>>>>>>>> >On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote:
>>>>>>>>>> >> On Mon, 14 Sep 2015 16:19:36 +0000 (UTC), rajeev bhatta wrote:
>>>>>>>>>> >> >It is not time consuming.. just for the user experience..
>>>>>>>>>> >>
>>>>>>>>>> >> IMHO for averaged users it is time consuming. Even a power
>>>>>>>>>> users not
>>>>>>>>>> >> necessarily deals with the right people to get a key she or he
>>>>>>>>>> can
>>>>>>>>>> >> trust, that can be used to verify ownership of the particular
>>>>>>>>>> >> public Ubuntu key.
>>>>>>>>>> >>
>>>>>>>>>> >> I am a Linux power user and I don't own a key to verify the
>>>>>>>>>> >> particular public key, that belongs to the key, that was used
>>>>>>>>>> to
>>>>>>>>>> >> sign the Ubuntu images.
>>>>>>>>>> >>
>>>>>>>>>> >> Please let me know, how I can get such a key, without spending
>>>>>>>>>> much
>>>>>>>>>> >> time ;).
>>>>>>>>>> >
>>>>>>>>>> >If a current method doesn't exist then maybe we can just create
>>>>>>>>>> one?
>>>>>>>>>> How will you make it less time consuming?
>>>>>>>>>> You need to meet other people in the real world, in addition you
>>>>>>>>>> need to know and trust those people and in addition they need to
>>>>>>>>>> trust a
>>>>>>>>>> chain of trusted keys, that confirms ownership of the public
>>>>>>>>>> Ubuntu key
>>>>>>>>>> in question.
>>>>>>>>>> This already is hard to realise for hardcore computer geeks and
>>>>>>>>>> completely illusorily for those who's centre of life isn't the
>>>>>>>>>> operating system of their computers or digital security.
>>>> --
>>>> Ubuntu-devel-discuss mailing list
>>>> Ubuntu-devel-discuss at
>>>> Modify settings or unsubscribe at:
>> --
>> Ubuntu-devel-discuss mailing list
>> Ubuntu-devel-discuss at
>> Modify settings or unsubscribe at:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Ubuntu-devel-discuss mailing list