GPG Verify

Hi. I am a seasoned Linux user of 20 years, having tried numerous distros. I would like to try Zorin OS but you do not provide a signature file. You provide the SHA256sum, which checks the integrity of the ISO, but this does not check the authenticity of the ISO. You need a signature file for this. I did see someone called Ralf approach you with the same question several years ago. All the major distros provide the signature file so users can use GPG to verify the ISO. A user in the Ralf thread suggested he was being ultra-paranoid, but he wasn't. Linux Mint was hacked in 2016. They replaced the download ISO link with a malicious site which gave an ISO with a back door in it. You can read this on the Linux Mint Blog. If they can hack the ISO download link, then they can easily change the SHASUM. The only thing that would protect you in this situation would be a signature file. You use GPG to verify the signature file. You then use the signature file to check the ISO or the SHASUM.

Please can you provide this verification to reassure users. Thanks for your help in this matter.

1 Like

Welcome to the Forum!

When someone WOULD manipulate the ISO then the ISO would have a different Checksum, yes. But the Checksum stands on the Website. So, the Hacker must change the Checksum on the Website too.

1 Like

Sorry, I forgot a Point: The .gpg file doesn't verify the ISO. It verifies the shasum File. The shasum File is sha256sum.txt and the gpg File is sha256sum.txt.gpg.

In the Help Section for verifying the Checksum it is written:

To verify the authenticity of sha256sum.txt, check the signature of sha256sum.txt.gpg by following the steps below.

So, the Checksum File says that the ISO is good and the gpg File says that the Checksum File is good.
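The two-step chain described above, written out as an added example (this is not Zorin's own verification tooling or help text). It assumes a release directory containing the ISO, sha256sum.txt and a detached signature sha256sum.txt.gpg, and that the signer's key fingerprint is known from a trusted source. The fixture built by make_demo_release (throwaway key, fake ISO files) is constructed so the script runs offline; the demo then rewrites both the ISO and the checksum file, the scenario from the Linux Mint post, and shows that the signature check is what catches it.

```shell
#!/bin/sh
# Added example, not Zorin's own tooling. Assumed layout: <dir>/<name>.iso,
# <dir>/sha256sum.txt and a detached signature <dir>/sha256sum.txt.gpg.
# Requires gpg (2.1+), sha256sum (GNU coreutils) and awk.

# Step 1 (authenticity): sha256sum.txt must carry a valid signature from the
# expected key. The VALIDSIG status line is parsed to pin the fingerprint, because
# a plain exit code of 0 only says "some key in the keyring signed this".
verify_checksum_file() {
    dir=$1
    expected_fpr=$2
    gpg --batch --status-fd 1 --verify "$dir/sha256sum.txt.gpg" "$dir/sha256sum.txt" 2>/dev/null |
        awk -v fpr="$expected_fpr" '
            BEGIN { fpr = toupper(fpr); ok = 1 }
            $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
                (toupper($3) == fpr || toupper($NF) == fpr) { ok = 0 }
            END { exit ok }'
}

# Step 2 (integrity): check one ISO against its line in the now-trusted checksum
# file. Only the matching line is fed to sha256sum, so other ISOs listed there are
# ignored; an ISO with no entry fails closed (sha256sum reports no valid lines).
verify_iso() {
    dir=$1
    iso=$2
    awk -v f="$iso" '$2 == f || $2 == ("*" f)' "$dir/sha256sum.txt" |
        (cd "$dir" && sha256sum -c --status -)
}

# Whole chain in the order the post gives: signature first, then checksum.
verify_release() {
    verify_checksum_file "$1" "$2" && verify_iso "$1" "$3"
}

# Constructed fixture for an offline run: ephemeral keyring (GNUPGHOME), a
# throwaway signing key, two fake "ISOs" and a signed sha256sum.txt.
# Sets DEMO_FPR to the signer's primary key fingerprint.
make_demo_release() {
    dir=$1
    export GNUPGHOME="$dir/gnupg"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Signer <signer@example.invalid>' default default never 2>/dev/null
    printf 'not really an ISO\n' > "$dir/Demo-OS.iso"
    printf 'another release\n' > "$dir/Other-OS.iso"
    (cd "$dir" && sha256sum Demo-OS.iso Other-OS.iso > sha256sum.txt)
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --detach-sign -o "$dir/sha256sum.txt.gpg" "$dir/sha256sum.txt" 2>/dev/null
    DEMO_FPR=$(gpg --batch --with-colons --list-keys signer@example.invalid 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }')
}

demo() {
    tmp=$(mktemp -d /tmp/gpgdemo.XXXXXX)
    make_demo_release "$tmp"
    verify_release "$tmp" "$DEMO_FPR" Demo-OS.iso && echo "genuine release: OK"
    # Attacker swaps the ISO and rewrites sha256sum.txt to match: the checksum
    # alone would pass, but the signature over the edited file no longer verifies.
    printf 'backdoored build\n' > "$tmp/Demo-OS.iso"
    (cd "$tmp" && sha256sum Demo-OS.iso Other-OS.iso > sha256sum.txt)
    verify_iso "$tmp" Demo-OS.iso && echo "checksum alone still passes"
    verify_release "$tmp" "$DEMO_FPR" Demo-OS.iso || echo "tampered release: REJECTED by signature"
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh verify.sh demo`. Against a real download you would skip make_demo_release, import the distro's public key into your keyring, and call verify_release with the fingerprint published somewhere other than the download page itself.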

Good morning Ponce-De-Leon, and thank you for taking the time to answer my question. From what I understand, any type of file can be signed using GPG, allowing users to verify that the file has not been tampered with and that it comes from the expected source, providing the developer has signed the file. But, saying that, it would make no sense to check the ISO, as you say, because you still have to check the SHASUM's authenticity to check the ISO's integrity, which would be enough validation.

I think this would be a much welcomed addition. The signing process can be easily automated, so it shouldn't take too much work to publish this information since the signing keys don't need to be updated that often.

Although it's worth pointing out, regarding the Linux Mint breach, that it was only the website that was compromised. All other download sources i.e., torrents, mirrors, etc. were unaffected.
I have the feeling that most people download from the website though, but it's an important distinction as this could still give the community the ability to cross check the ISOs relatively quickly.