Singapore Government Hackers Love to Hack Teo En Ming's Computers, Smartphones, and Internet Online Accounts

silver.bullet at zoho.com
Wed Aug 12 07:39:26 UTC 2015


On Wed, 12 Aug 2015 15:17:33 +0800, Teo En Ming wrote:
>I am always afraid that I have downloaded a faked ISO file, so I try
>to verify the MD5 checksum of the ISO whenever possible.

You need a signed ISO or a signed checksum. Checking the ISO against a
checksum, while neither the ISO nor the checksum is signed, is only
useful to verify whether the ISO got corrupted by the download, but it
doesn't help to ensure that the owner of the ISO is an Ubuntu maintainer.
To check the origin of an ISO you need a public key from an Ubuntu
maintainer. To ensure that the public key really belongs to an Ubuntu
maintainer, you need at least one other public key that you trust and
that validates the open key of this Ubuntu maintainer. Comparing an ISO
with an MD5sum to ensure that the origin of the ISO isn't faked can't be
done. It's like asking an oracle whether the origin of the ISO is an
Ubuntu maintainer. IOW you could also toss a coin to verify the origin of
the ISO.
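
Added example, not part of the original message: a shell function that performs the check the reply describes, authenticating the checksum list with a signature before comparing the ISO against it. The file names `SHA256SUMS` and `SHA256SUMS.gpg`, the function name `verify_iso` and the keyring argument are assumptions; the keyring must hold a maintainer key that you have already validated through a key you trust.

```shell
#!/bin/sh
# verify_iso DIR ISO_NAME KEYRING   (hypothetical helper, added example)
#
# DIR      directory holding the ISO, SHA256SUMS and SHA256SUMS.gpg
# ISO_NAME file name of the ISO as listed in SHA256SUMS
# KEYRING  keyring file with the maintainer's public key (assumed to be
#          validated already; gpgv trusts every key in this file)
#
# Return codes:
#   0  checksum list is signed by a key in KEYRING and the ISO matches it
#   1  checksum list is authentic, but the ISO does not match it
#   2  checksum list is not authenticated (missing or bad signature),
#      so a matching checksum would say nothing about the origin
verify_iso() {
    dir=$1; iso=$2; keyring=$3
    sums="$dir/SHA256SUMS"
    sig="$dir/SHA256SUMS.gpg"

    # Step 1: authenticate the checksum list itself. Without this step the
    # checksum only detects download corruption, because whoever replaced
    # the ISO could have replaced the checksum list as well.
    [ -f "$sums" ] && [ -f "$sig" ] && [ -f "$keyring" ] || return 2
    gpgv --keyring "$keyring" "$sig" "$sums" >/dev/null 2>&1 || return 2

    # Step 2: compare the ISO with the now-trusted list. Entries look like
    # "<hash> *<name>" or "<hash>  <name>", so strip a leading "*".
    want=$(awk -v f="$iso" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    have=$(sha256sum "$dir/$iso" | awk '{ print $1 }')
    [ -n "$want" ] && [ "$want" = "$have" ] || return 1
    return 0
}

# Allow direct use as a script: ./verify_iso.sh DIR ISO_NAME KEYRING
if [ "$#" -eq 3 ]; then
    verify_iso "$@"
    exit $?
fi
```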





More information about the ubuntu-users mailing list