How to verify Ubuntu iso with md5sum

Colin Watson cjwatson at ubuntu.com
Tue May 22 15:12:13 BST 2007


On Sun, May 20, 2007 at 11:16:46AM +0100, Matt Zimmerman wrote:
> On Sun, May 20, 2007 at 10:59:45AM +0100, Matthew East wrote:
> > The download page on the website currently points to this page as a
> > guide to how to verify that a download has been successful:
> > 
> > https://help.ubuntu.com/community/HowToMD5SUM
> > 
> > That page in turn references:
> > 
> > https://help.ubuntu.com/community/UbuntuHashes
> > 
> > which contains a list of all the various hashes.
> > 
> > This page is supposed to be an officially acceptable and secure list and
> > (unlike other wiki pages) is not open to all to edit. It is however
> > quite annoying to maintain :)
> > 
> > I was talking with Colin and he expressed a concern at this approach. He
> > preferred an approach which explains how to verify the md5sums using the
> > MD5SUMS.gpg file. Does everyone agree?
> > 
> > If so, can someone look at the former wiki page and update it with
> > instructions to do this?
> > 
> > When done, we can then nuke the UbuntuHashes page.
> 
> I suppose it depends on the purpose these instructions are meant to serve.
> If it's only to verify the integrity of the download, then we can change it
> to include instructions referring to the MD5SUMS file in each release
> directory.  On the other hand, if it's meant to provide security, ensuring
> that the user didn't obtain a maliciously modified ISO, then UbuntuHashes
> provides a much more accessible solution (being a cryptographically
> authenticated web page) than verifying the GPG signature on MD5SUMS.
> 
> It should be possible to arrange for the MD5SUMS files to be automatically
> concatenated and served over HTTPS to provide a low-maintenance replacement
> for UbuntuHashes.

I'm told that it's there for security more than for integrity;
apparently it was instituted after some users complained that
http://releases.ubuntu.com/dapper/MD5SUMS and the like were served over
HTTP rather than HTTPS, and serving all of releases.ubuntu.com over
HTTPS would hammer the relevant machines in a way that our sysadmins
aren't prepared to accept.

My main concerns with UbuntuHashes are:

  * Maintainability. Matthew points this out too; my specific concern is
    that the CD image team should be able to update it, and ideally it
    should be updated automatically.

  * The difference between UbuntuHashes, a wiki page with very
    restricted edit access served over HTTPS, and any of the other wiki
    pages on wiki.ubuntu.com and help.ubuntu.com with similar styling is
    subtle - you have to spot the "Immutable Page" at the top - and
    certainly not obvious to the casual observer (in fact, I missed it
    when I first heard about this page a few weeks ago). Since we're in
    the realm of malicious modifications here, I am concerned that it
    would be pretty easy to construct a similar-looking trojan: for
    example, https://wiki.ubuntu.com/community/UbuntuHashes does not
    exist at the moment.

I acknowledge that verifying the GPG signature isn't the most accessible
solution.

I spoke with James Troup about this a few weeks ago, and we came up with
the possibility of making just MD5SUMS* available from
releases.ubuntu.com by way of some other virtual host accessible over
HTTPS, and putting links on all mirrors of releases.ubuntu.com pointing
to that. It would certainly be possible to have it presented in a
prettier but still automatically-generated format.

-- 
Colin Watson                                       [cjwatson at ubuntu.com]
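The two-step check the thread is discussing (first confirm MD5SUMS is authentic via the detached signature MD5SUMS.gpg, then confirm the ISO matches its MD5SUMS entry), written out as an added example; this is not code from the thread or from Ubuntu. It assumes gpg and coreutils md5sum are installed and that the release signing key has already been imported into the local keyring.

```shell
#!/bin/sh
# Added example: verify an Ubuntu ISO against the release directory's
# MD5SUMS file, after verifying MD5SUMS itself with MD5SUMS.gpg.
# Assumes: gpg + md5sum available; signing key already in the keyring.
set -u

# Step 1 (authenticity): check the detached signature over MD5SUMS.
# Caveat: gpg exits 0 for any *good* signature, even from a key you have
# not certified. It prints a WARNING in that case, so the key fingerprint
# still has to be compared against a source you trust (not the same HTTP
# directory the file came from).
verify_md5sums_signature() {
    sums="$1"   # path to MD5SUMS
    sig="$2"    # path to MD5SUMS.gpg (detached signature)
    gpg --verify "$sig" "$sums"
}

# Step 2 (integrity): find the ISO's expected hash in MD5SUMS and compare.
# Lines look like "<32 hex>  *<filename>" (binary mode) or "<32 hex>  <filename>".
# Returns 0 on match, 1 on mismatch, 2 if the ISO is not listed at all.
check_iso_md5() {
    sums="$1"   # path to MD5SUMS
    iso="$2"    # path to the ISO; its basename must appear in MD5SUMS
    name=$(basename "$iso")
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "$name: not listed in $sums" >&2
        return 2
    fi
    actual=$(md5sum "$iso" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: FAILED (expected $expected, got $actual)" >&2
    return 1
}

# Full flow: only trust the hash list once its signature has been checked.
verify_iso() {
    verify_md5sums_signature "$1" "$2" && check_iso_md5 "$1" "$3"
}
```

A matching md5 alone only shows the download was not corrupted; it says nothing about tampering unless the MD5SUMS list itself came through an authenticated channel (the signature here, or the HTTPS-served copy proposed in the thread).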