How to verify Ubuntu iso with md5sum

Matt Zimmerman mdz at ubuntu.com
Sun May 20 11:16:46 BST 2007


On Sun, May 20, 2007 at 10:59:45AM +0100, Matthew East wrote:
> The download page on the website currently points to this page as a
> guide to how to verify that a download has been successful:
> 
> https://help.ubuntu.com/community/HowToMD5SUM
> 
> That page in turn references:
> 
> https://help.ubuntu.com/community/UbuntuHashes
> 
> which contains a list of all the various hashes.
> 
> This page is supposed to be an officially acceptable and secure list and
> (unlike other wiki pages) is not open to all to edit. It is however
> quite annoying to maintain :)
> 
> I was talking with Colin and he expressed a concern at this approach. He
> preferred an approach which explains how to verify the md5sums using the
> MD5SUMS.gpg file. Does everyone agree?
> 
> If so, can someone look at the former wiki page and update it with
> instructions to do this?
> 
> When done, we can then nuke the UbuntuHashes page.

I suppose it depends on the purpose these instructions are meant to serve.
If it's only to verify the integrity of the download, then we can change it
to include instructions referring to the MD5SUMS file in each release
directory.  On the other hand, if it's meant to provide security, ensuring
that the user didn't obtain a maliciously modified ISO, then UbuntuHashes
provides a much more accessible solution (being a cryptographically
authenticated web page) than verifying the GPG signature on MD5SUMS.

It should be possible to arrange for the MD5SUMS files to be automatically
concatenated and served over HTTPS to provide a low-maintenance replacement
for UbuntuHashes.

-- 
 - mdz
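
The distinction drawn in the reply above, as an added example (not part of the original message, and not Ubuntu's own tooling): shell functions that check an ISO against an MD5SUMS file and report whether the result is integrity-only or backed by a verified signature on MD5SUMS. The function names, the file arguments and the keyring path are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example. All paths are caller-supplied assumptions.

# check_iso_md5 ISO MD5SUMS
# Integrity only: compare the ISO's MD5 with its entry in MD5SUMS.
# Returns 0 on match, 1 on mismatch, 2 if the ISO is not listed.
check_iso_md5() {
    iso=$1; sums=$2
    name=$(basename "$iso")
    # Entries look like "<hex>  <name>" or "<hex> *<name>" (binary mode).
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print tolower($1); exit } }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(md5sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# verify_iso ISO MD5SUMS [MD5SUMS.gpg KEYRING]
# With a signature and an absolute keyring path, MD5SUMS is authenticated
# with gpgv before it is trusted. Without them, a match only shows that the
# ISO agrees with an MD5SUMS file of unknown origin.
# Returns 3 on a bad signature, otherwise the check_iso_md5 status.
verify_iso() {
    if [ $# -ge 4 ]; then
        gpgv --keyring "$4" "$3" "$2" 2>/dev/null || {
            echo "BAD SIGNATURE on $2"
            return 3
        }
        level="authenticated (signature on MD5SUMS verified)"
    else
        level="integrity-only (MD5SUMS itself is unverified)"
    fi
    rc=0
    check_iso_md5 "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $level" ;;
        1) echo "MISMATCH: $1 does not match its MD5SUMS entry" ;;
        2) echo "NOT LISTED: $1 has no entry in $2" ;;
    esac
    return $rc
}
```

A corrupted download fails the two-argument form, but an ISO and MD5SUMS replaced together still pass it; only the four-argument form, or a hash list fetched over an authenticated channel, addresses that case.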



More information about the ubuntu-devel mailing list