What's a good site to check if your Linux installer image is good?

Hello,

Does anyone have a list of sites that can be trusted when downloading an ISO? With the Linux Mint hack that happened last time, I thought it'd be a good idea to get into the practice of checking the credibility of the image.

Most Linux distros release a hash with their ISOs

Take that hash and compare:

1 Like

From the terminal:

sha1sum filename.iso

and

cksum filename.iso

or the md5sum

md5sum /path/to/the/ISO/Fedora-Python-Classroom-Live-x86_64-26_Alpha-1.7.iso

and a more secure one:

sha256sum /path/to/the/ISO/Fedora-Python-Classroom-Live-x86_64-26_Alpha-1.7.iso

You can get the hash, then copy and paste it into a text file.

1 Like

Thanks so much for this. I was able to find it and compare very easily.

Are there external sites that also post those hashes in case those also get changed? I'd imagine if the hacker can change the download link, they can also change what the hash is too. The whole issue was the Mint download page was hacked to direct users elsewhere, so I don't see it taking much effort to compromise the hash too.

1 Like

Here's the thing: the Mint hack was due to vulnerabilities in the webpage. Once they got access to the webpage, they changed the md5sum of the .iso; in that scenario it is very difficult to figure out what was real and what was not. Sometimes you see GPG keys to authenticate downloads, or you can just download a torrent (the torrent uses a hash to know what the file is and to authenticate it). Also, sha256sum is being used more since there are no known collisions in it yet (meaning someone can change a file's hash and modify it by padding it to generate the same hash).

Well, what I'm saying is: is there a site that compiles a list of hashes for all the popular distros, so that even if the main site is compromised you have secondary sites to verify against?

Not that I know of, but most distros will have an IRC channel where you can directly ask developers, maintainers, or trusted contributors what the current hash may be.

That being said, they'll most likely direct you to the website. Also being said, if the ISO is packaged in a tar file, the hash will represent the tar rather than the actual ISO file after being unpacked.

1 Like
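
Added example (not part of any post above): a small shell function that does the comparison the thread describes, looking up the image's entry in a downloaded checksum list and comparing it with `sha256sum` output. The names `verify_image` and `expected_hash` and the file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example. File names are placeholders, not any distro's real paths.

# expected_hash SUMS_FILE IMAGE_NAME
# Print the hash listed for IMAGE_NAME in a "hash  name" or "hash *name" list.
# Assumes names without spaces, which is the norm for ISO files.
expected_hash() {
    awk -v want="$2" '
        { name = $2; sub(/^\*/, "", name) }
        name == want { print tolower($1); found = 1; exit }
        END { exit !found }
    ' "$1"
}

# verify_image IMAGE SUMS_FILE
# Returns 0 on match, 1 on mismatch, 2 if unreadable, unlisted or not SHA-256.
verify_image() {
    image=$1
    sums=$2
    [ -r "$image" ] && [ -r "$sums" ] || return 2
    want=$(expected_hash "$sums" "$(basename "$image")") || return 2
    # Accept only 64 hex digits, so an MD5 or SHA-1 list is never
    # compared against a SHA-256 digest by mistake.
    case $want in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || return 2
    have=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# Command-line use: sh verify.sh image.iso SHA256SUMS
if [ "$#" -eq 2 ]; then
    rc=0
    verify_image "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: hash matches the list" ;;
        1) echo "MISMATCH: do not boot or install this image" ;;
        *) echo "cannot check: file unreadable, not listed, or not SHA-256" ;;
    esac
    exit "$rc"
fi
```

A match only proves the image agrees with the list, so the list has to come from somewhere an attacker who controls the download page cannot also change; where the distro signs it, check that signature with `gpg --verify` using a key obtained separately.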