On Wed, Jun 05, 2019 at 12:13:54AM -0000, Thomas Mayer wrote:
> I'd like to sum it up like this: Users should _download_ from a mirror
> but they should neither _trust_ the download of the mirror nor the
> checksums a mirror provides.

Users can trust checksums provided by mirrors because we publish
signatures on the SHA256SUMS files. If the user has a copy of GnuPG that
they trust, they can use it to verify the SHA256SUMS file. We've
published instructions on how to do this at:
https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#3

> It's even the other way round: Having mirrors in the game makes it _even
> more_ important that checksums are provided by Canonical and that the
> user can verify both integrity _and_ origin (=> Canonical's domain) of
> the _checksums_. That's what TLS provides (besides encryption) when done
> right.

Because the SHA256SUMS files are generated and signed by us, they're
going to be identical across all mirrors -- at least among the mirrors
that keep up to date. It doesn't matter where the checksums and
signatures are retrieved from, so long as they are fresh.

It is difficult to determine what exactly "fresh" means, but GnuPG will
report the time that a signature was created:

$ gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Fri 15 Feb 2019 08:32:38 AM PST
gpg:                using DSA key 46181433FBB75451
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key <[email protected]>" [full]
gpg: Signature made Fri 15 Feb 2019 08:32:38 AM PST
gpg:                using RSA key D94AA3F0EFE21092
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>" [full]

Double-checking the desired image against e.g.
https://wiki.ubuntu.com/Releases to find out when the signatures should
have been created is about the only way to address the freshness
problem. That is a slight wrinkle of using mirrors rather than Ubuntu's
own infrastructure. Someone using our archives directly could skip this
check.

Thanks

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1359836

Title:
  Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS
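
Added example, not part of the original message or of Ubuntu's tooling: a shell function that applies the freshness check described above to gpg's machine-readable --status-fd output instead of reading the "Signature made" lines by eye. The function names, the not-before cut-off and the sample status lines (including the zero-padded fingerprints) are constructed for illustration; only the two key IDs come from the gpg output in the message.

```shell
#!/bin/sh
# Added example. Key IDs are the two printed by gpg in the message above.
TRUSTED_KEYIDS="46181433FBB75451 D94AA3F0EFE21092"

# sig_fresh NOT_BEFORE_EPOCH   (reads `gpg --status-fd` lines on stdin)
# Succeeds only if a trusted key made a valid signature, no signature line
# reports a problem, and no trusted signature predates NOT_BEFORE_EPOCH.
sig_fresh() {
    awk -v min="$1" -v keys="$TRUSTED_KEYIDS" '
        BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad++ }
        $2 == "VALIDSIG" {
            id = substr($3, length($3) - 15)   # long key ID: last 16 hex digits
            if (!(id in want)) next            # ignore signatures by other keys
            seen++
            # Field 5 is the creation time; gpg normally prints epoch seconds.
            if ($5 !~ /^[0-9]+$/ || $5 + 0 < min + 0) stale++
        }
        END { exit !(seen > 0 && bad == 0 && stale == 0) }
    '
}

# Constructed status output. 1550248358 is 15 Feb 2019 16:32:38 UTC, the
# signature time shown above; the fingerprints are zero-padded placeholders.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 46181433FBB75451 Ubuntu CD Image Automatic Signing Key
[GNUPG:] VALIDSIG 00000000000000000000000046181433FBB75451 2019-02-15 1550248358 0 4 0 17 8 00 00000000000000000000000046181433FBB75451
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D94AA3F0EFE21092 Ubuntu CD Image Automatic Signing Key (2012)
[GNUPG:] VALIDSIG 000000000000000000000000D94AA3F0EFE21092 2019-02-15 1550248358 0 4 0 1 8 00 000000000000000000000000D94AA3F0EFE21092
EOF
}

# Typical use, with the cut-off taken from the release date you looked up
# (the date here is an assumed value; `date -d` is GNU date):
#   gpg --status-fd 1 --verify SHA256SUMS.gpg SHA256SUMS 2>/dev/null \
#       | sig_fresh "$(date -u -d 2019-02-14 +%s)" || echo "stale or untrusted"
```

A SHA256SUMS file served by a mirror that stopped syncing before a later release still carries a good signature, so it passes `gpg --verify` but fails this check once the cut-off is set to that later release's date.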
