Hello,
Anyone have a list of sites that can be trusted when downloading an iso. With the Linux Mint hack that happened last time, I thought it'd be a good idea to get into the practice of checking the credibility of the image.
From the terminal:
sha1sum filename.iso
and
cksum filename.iso
or the md5sum:
md5sum /path/to/the/ISO/Fedora-Python-Classroom-Live-x86_64-26_Alpha-1.7.iso
and a more secure one:
sha256sum /path/to/the/ISO/Fedora-Python-Classroom-Live-x86_64-26_Alpha-1.7.iso
You can get the hashes, then copy and paste them into a text file.
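As an added example (not part of the reply above), here is the sha256sum step turned into a check against a published SHA256SUMS-style list, the format most distros ship next to their images. It assumes GNU coreutils (sha256sum, awk, mktemp); the file names, the "distro.iso" contents and the checksum list are constructed for the demo, and the demo deliberately alters the file afterwards to show the check rejecting it.

```shell
#!/bin/sh
# Added example, not from the thread: check a downloaded image against a
# published SHA256SUMS-style list. Assumes GNU coreutils (sha256sum, awk,
# mktemp). All file names and contents below are constructed for the demo.

set -u

# verify_sha256 FILE SUMSFILE
# Returns 0 when FILE's SHA-256 matches the entry for its basename in
# SUMSFILE, 1 on mismatch, 2 when SUMSFILE carries no entry for it.
verify_sha256() {
    file=$1
    sums=$2
    name=$(basename "$file")
    # Published lists use "<hex>  <name>" or "<hex> *<name>" (binary mode).
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum published for $name" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# demo_checksum_check: a genuine file passes, a one-byte change fails.
# Prints "genuine:ok tampered:rejected".
demo_checksum_check() {
    work=$(mktemp -d)
    printf 'hello\n' > "$work/distro.iso"          # constructed stand-in for an ISO
    # SHA-256 of "hello\n", written the way a project publishes its list.
    printf '%s  %s\n' \
        5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 distro.iso \
        > "$work/SHA256SUMS"

    if verify_sha256 "$work/distro.iso" "$work/SHA256SUMS" >/dev/null 2>&1; then
        result="genuine:ok"
    else
        result="genuine:FAILED"
    fi

    printf 'hellp\n' > "$work/distro.iso"          # simulate a modified download
    if verify_sha256 "$work/distro.iso" "$work/SHA256SUMS" >/dev/null 2>&1; then
        result="$result tampered:ACCEPTED"
    else
        result="$result tampered:rejected"
    fi

    rm -rf "$work"
    echo "$result"
}

demo_checksum_check
```

Comparing by basename is what `sha256sum -c` does internally too; the manual version is shown so the mismatch path prints both values, which is the part you actually want to see when a download fails the check.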
Thanks so much for this. I was able to find it and compare very easily.
Are there external sites that also post those hashes in case those also get changed? I'd imagine if the hacker can change the download link, they can also change what the hash is too. The whole issue was the Mint download page was hacked to direct users elsewhere, so I don't see it taking much effort to compromise the hash too.
Here's the thing: the Mint hack was due to vulnerabilities in the webpage. Once they got access to the webpage, they changed the md5sum of the .iso; in that scenario it is very difficult to figure out what was real and what was not. Sometimes you see GPG keys to authenticate downloads, or you can just download a torrent (the torrent uses a hash to know what the file is and to authenticate it). Also, sha256sum is being used more since there are no known collisions in it yet (meaning someone can change a file's hash and modify it by padding it to generate the same hash).
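The GPG point above is the answer to the worry that a hash posted on the same page as the download can be swapped along with it: the checksum list is signed, and the signature is checked against a key you fetched independently (from a keyserver or a key file saved earlier), not from the download page. As an added example, not part of this reply, the script below builds a throwaway keyring, signs a constructed SHA256SUMS file, and shows the verification succeeding on the genuine file and failing once the published checksum is edited. It assumes GnuPG 2.x (gpg, gpgconf) is installed; the key identity "release@example.invalid" and all file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: verify a detached GPG signature over a
# checksum list, so a checksum file swapped on a compromised download page is
# detected. Assumes GnuPG 2.x (gpg, gpgconf). The key, identity and file
# contents below are constructed for the demo.

set -u

# verify_signed_sums SUMSFILE SIGFILE
# Returns 0 only if SIGFILE is a good signature over SUMSFILE from a key in
# the current keyring. In real use that keyring holds the project's release
# key obtained beforehand, never a key downloaded from the same page as the ISO.
verify_signed_sums() {
    gpg --batch --verify "$2" "$1" 2>/dev/null
}

# demo_signature_check: sign a checksum list with a throwaway key, then check
# the genuine list and a tampered copy. Prints "genuine:ok tampered:rejected".
demo_signature_check() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"

    # Throwaway signing key standing in for the distro's release key.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Key <release@example.invalid>' \
        default default never 2>/dev/null

    # Constructed checksum list, as a project would publish next to the ISO.
    printf '%s  %s\n' \
        5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 distro.iso \
        > "$work/SHA256SUMS"
    # Detached ASCII-armoured signature; writes SHA256SUMS.asc beside the list.
    gpg --batch --quiet --yes --detach-sign --armor \
        -u release@example.invalid "$work/SHA256SUMS" 2>/dev/null

    if verify_signed_sums "$work/SHA256SUMS" "$work/SHA256SUMS.asc"; then
        result="genuine:ok"
    else
        result="genuine:FAILED"
    fi

    # Someone who edits the published checksum cannot re-sign it without the key,
    # so the old signature no longer matches the file.
    printf '%s  %s\n' \
        0000000000000000000000000000000000000000000000000000000000000000 distro.iso \
        > "$work/SHA256SUMS"
    if verify_signed_sums "$work/SHA256SUMS" "$work/SHA256SUMS.asc"; then
        result="$result tampered:ACCEPTED"
    else
        result="$result tampered:rejected"
    fi

    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    echo "$result"
}

demo_signature_check
```

The order matters in practice: verify the signature on the checksum list first, and only then compare the ISO's sha256sum against that list. A torrent gives a similar property for the file contents, but the .torrent file itself still has to come from somewhere you trust.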
Well, what I'm saying is, is there a site that compiles a list of hashes for all the popular distros, so that even if the main site is compromised you have secondary sites to verify against?
Not that I know of, but most distros will have an IRC channel where you can directly ask developers, maintainers, or trusted contributors what the current hash may be.
That being said, they'll most likely direct you to the website. Also, if the ISO is packaged in a tar file, the hash will represent the tar rather than the actual ISO file after being unpacked.