With the current fervor about compromised ISO images, lots of people (including me) are saying that you should always verify an ISO image after downloading, and before installing. Here is a discussion of why and how to do that.
In my recent post about the handling of the security incident and compromised ISO image at Linux Mint, I said at the end that users should always verify the checksum of a downloaded image before installing it. In response I received several good comments and emails pointing out that just verifying the checksum isn't really good enough.
So what I would like to do with this post is explain a bit about what the different kinds of validation and verification are, what they are good for, and how to use them on a couple of common Linux distributions.
This might seem like a rather daunting task at first, because many users are not familiar with the concepts involved or the tools used to perform the validation. In fact, it's really a fairly easy thing to do, and it only requires three steps:
Download an ISO image, and the associated checksum and signature files. This should probably only count as a half-step, because the first part, downloading the ISO, you have already been doing if you've been running Linux.
Verify the checksum on the ISO file that you downloaded. The only thing that is slightly difficult about this is locating the reference checksum information provided by the distribution, which I will explain below.
Verify a GPG signature on one of the downloaded files. This is the part that a lot of people find intimidating, or confusing, simply because they have never had to deal with it before. But again, the verification itself is easy, the only slightly difficult part is locating the information you need to use for verification.
Those look like pretty easy steps, don't they? Now, because Linux Mint was the distribution which started this discussion, I would like to take it as an example, and look at each of these points in more detail.
On that page, you will find two things - an information block, which looks like this, and a list of download mirror sites from which you can actually download the ISO image.
In the information block you will find a line labeled MD5; this is the MD5 checksum of the ISO image file. I will discuss this in more detail below, but for now I will just say that this is no longer considered to be an adequate verification of the distribution images, so we need to look further.
The rest of the page contains a list of download mirrors all over the world. The idea is that you select a nearby mirror for the download. (Does anyone remember a long ago Usenix conference, where they sang "A Host is a Host from Coast to Coast", to the tune from Mr. Ed?)
This is where things get a bit tricky. When you click on one of these mirrors, it immediately starts to download the ISO image. That's fine, because we obviously need it, but we also need a couple of other files from the same mirror. The Linux Mint developers have said that they are going to make this easier in the near future, but for the moment you have to extract the mirror URL yourself.
If you right-click on the mirror link, you can copy the URL and paste it back into the browser address field. Then remove the name of the ISO image itself from the end, and you have the address you need - it should look something like this:
The contents of that directory will be a list of all the downloadable images, including all desktop versions and both 32-bit and 64-bit versions. Fortunately we don't have to worry about all of that, because the first click on the mirror line downloaded the specific image that we wanted.
What we are looking for now are the checksum and signature files, which are found at the end of this list. There are two different checksum files, one for MD5 checksums (md5sum.txt) and one for SHA-256 checksums (sha256sum.txt). Each of them contains a list of the checksum values for all of the ISO images in this directory.
The important thing here, though, is that there is only one GPG signature file, and that is for the SHA-256 checksum file, so those are what we want to download. Unfortunately this is the last little "trick" in this process, because with most browsers if you simply click on either the .txt files or the .sig file, it simply displays the contents of the file in the browser, rather than downloading the file. If you right-click these files, though, you can select something like "Save Link as..." (the exact text varies by browser), and then you can specify where to save it.
That's it for downloading - it wasn't too bad, was it? All we really did was download three files, one rather large and two very small. The tricky bits were just finding where to download from, and I will say at this point that Linux Mint makes this a bit more difficult than many other distributions, and then getting the browser to download the text files rather than display them.
Checksum. Verifying the checksum on a downloaded file confirms for you that the file you received was the same as the original file on the download server. In other words, it confirms that the file was not corrupted, truncated, or otherwise damaged during the download process. There has been steady progress over the years in the quality, speed and sophistication of such checks, so today there are a variety of tools available to do this.
The simplest of these still in common use is the MD5 checksum, such as is given on the Linux Mint Downloads page, and is included in the md5sum.txt file on the mirror. The md5sum utility is included in every Linux distribution that I use (or even know of, for that matter), so to verify it you just run this:
The result produced at the beginning of the line should be exactly the same as the value shown on the Linux Mint Downloads web page, or included in the md5sum.txt file for this image.
The use of MD5 sums has been overtaken by the more sophisticated SHA-256 (and higher) checksums. At the user level, however, the procedure is the same. As with the md5sum utility, every Linux distribution I am familiar with includes the sha256sum utility - generally as only one part of an entire family of SHA checksum utilities. So the command to use for this check is:
However, as I said above, these checksums only verify that the file you have received is exactly the same as the original file on the download server. If you think about that for a minute, you can see that there is still a significant gap - what if someone managed to replace the ISO file with a modified version containing some kind of malware, and also was able to modify or replace the checksum file so that the value there matched the modified image? Then you could download the ISO, run the checksum, verify that it was correct, and you would still not know that anything was amiss. This doesn't seem so far-fetched after the events of a few weeks ago.
Signature. In order to be sure that the ISO image has not been modified, we need to have a file that has been signed using a GPG key. There are actually two ways this can be done, because there are two files involved in the download and verification of the ISO image. The obvious way is to sign the image itself (Manjaro Linux does it this way). The alternative is to sign the checksum file. The theory here is that if the checksum of the ISO image matches what it says in the checksum file, and you know that the checksum file hasn't been modified, then you also know that the ISO file hasn't been modified.
To perform this verification, you need two things - the signed file, and the correct GPG Public Key that corresponds to the signature. For the current example of Linux Mint, we downloaded the signature file in the first step above. It turns out that Linux Mint makes life easier for us at this point, because they include the necessary Public Key in the base distribution.
The simplest way to verify the signature is to use the gpgv utility, which is a stripped-down version of the general-purpose gpg program, made only for verifying signatures. You need to give it the location of the keyfile containing the Public Key, the signature file and the original file that the signature applies to:
gpgv: Signature made Wed 06 Jan 2016 05:06:20 PM CET using DSA key ID 0FF405B2
gpgv: Good signature from "Clement Lefebvre (Linux Mint Package Repository v1) <email@example.com>"
When you get this message, you are basically done! Hooray!
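To put the two checks together in the order that actually matters (signature on the checksum file first, then the checksum of the image), here is an added shell script; it is an example written for this article, not code from the Linux Mint project. It assumes the public key is in a keyring file named keyring.gpg and that sha256sum.txt, its signature sha256sum.txt.gpg and the ISO are in the current directory.

```shell
#!/bin/sh
# Added example: verify a Linux Mint style download in the order the article
# describes. Assumed (not from the page) file names: keyring.gpg holds the
# Public Key, sha256sum.txt.gpg is the signature over sha256sum.txt.

# Extract the expected SHA-256 for one image from a sha256sum.txt that lists
# every ISO in the mirror directory. Entries look like
#   <64 hex chars>  <name>    or    <64 hex chars> *<name>   (binary marker)
expected_sum() {
    sums=$1; name=$2
    awk -v want="$name" '
        { n = $2; sub(/^\*/, "", n); if (n == want) { print $1; exit } }
    ' "$sums"
}

# Compare the image's computed SHA-256 with the listed one.
# Returns 0 on a match, 1 if the image is not listed or the values differ.
check_iso_sum() {
    sums=$1; iso=$2
    want=$(expected_sum "$sums" "$(basename "$iso")")
    if [ -z "$want" ]; then
        echo "no entry for $(basename "$iso") in $sums" >&2
        return 1
    fi
    have=$(sha256sum "$iso" | awk '{print $1}')
    [ "$have" = "$want" ]
}

# Full procedure. A checksum only proves something once the checksum file
# itself is known to be unmodified, so gpgv runs first and a bad signature
# stops everything before the ISO is even looked at.
verify_iso() {
    keyring=$1; sig=$2; sums=$3; iso=$4
    if ! gpgv --keyring "$keyring" "$sig" "$sums"; then
        echo "BAD signature on $sums: do not trust its checksums" >&2
        return 1
    fi
    if check_iso_sum "$sums" "$iso"; then
        echo "OK: $(basename "$iso") matches the signed checksum list"
    else
        echo "MISMATCH: $(basename "$iso") differs from the signed value" >&2
        return 1
    fi
}

# Typical call: verify_iso keyring.gpg sha256sum.txt.gpg sha256sum.txt image.iso
```

A failing gpgv run exits non-zero, which is what makes the early return work; the checksum functions only need the sha256sum utility mentioned in the article.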
Experienced/knowledgeable users would point out here that there is an improved version of the GPG utilities, called gpg2. It is good practice to use the latest, presumably best, utilities, but at the moment Linux Mint 17.3 does not include gpg2 in the base distribution or the Software Manager. Oddly, Linux Mint Debian Edition does include gpg2 in the base distribution. I'm pretty sure that Clem and the Linux Mint development team will take care of this as part of their ongoing work to clean up after the security problem.
Those same knowledgeable users would probably point out that it could be better to use gpg --verify to check the signature, rather than gpgv. The difference is that gpg not only checks the signed file, it actually attempts to check the validity of the signature itself. If I use gpg on this same system, it looks like this:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
However, the concepts, actions and information necessary to do this are beyond the scope of this article. I think that this boils down to the fact that you have to choose a point at which you are willing to trust the information, and while we have said above that just verifying the checksum is not enough, I believe that accepting the validity of the Public Key in this case is not unreasonable.
Finally, a word about getting the Public Key used for the signing. In this example, we had it a little easier than usual because Linux Mint includes their key in the base distribution. Many other distributions don't do this, so you have to get the key from a trusted keyserver somewhere - and someone has to tell you where to find that keyserver. Debian GNU/Linux, for example, explains this in the Debian Public Key Server document, and they have a brief description of the ISO verification process in Verifying authenticity of Debian CDs.
In summary, if you need help or information about verifying ISO images, or where to find public keys, or anything else in this area, a quick web search will almost always turn up all the information you need. If we all start verifying the checksums and signatures on Linux distributions, we can help avoid unfortunate situations such as what happened a few weeks ago.