Signed checksum

Hi,

is there a signed checksum for the Zorin-OS-15.3-Education-Lite-64-bit.iso available?
I'm not asking for the provided checksum which isn't signed.

Regards,
Ralf

Ralf, perhaps I am not properly understanding your question.
The 256sha can be viewed here:

Scroll down to View sha256 checksums and click the Plus Sign.
To be certain, I downloaded a copy of the Zorin OS 15.3 Education Lite 64bit and verified the checksum - which matched.

3 Likes

SHA256 Checksum for Zorin OS 15.3 Education LITE 64-bit...

a4d9153c3c0c7b15ff00d5ffd7c6d11aed88a6d90c971822dc9f1ef7b450346f
2 Likes

Hi,

as already mentioned in my initial post, I'm aware of the checksum.
That wasn't my question. I'm asking for a signature.

Since Zorin OS is based upon Ubuntu, see.

Since Zorin OS is available by a kernel.org mirror, see.

The misunderstanding is already explained in another forum's thread, see.

Regards,
Ralf

A digital signature, for example, using gpg --verify SHA256SUMS.sign, is a hash or Checksum.

The forum you linked to provided all the same answers I would have.
Zorin OS is not unsigned as your O.P. stated.
You specifically said:

This is not the case.

The packages for ZorinGroup are signed using the ZorinGroup gpg fingerprint. Every Single Package uploaded by the ZorinGroup is signed using the gpg fingerprint.

If you wish to verify the Signature itself, you must download and verify the Zorin OS Source Package, not on the .iso. I must point out that this will not show you the signature - it will only verify it and show you a hash.

The .iso uses the 256sha, which is the same function; making the above a redundant action.

4 Likes

Hi,

you are mistaken. Installing from the ISO, without checking the ISO against a signed checksum, does inherit the risk of installing a modified ISO. A modified installer could already do harm. Package signing is completely unrelated to this issue. A modified ISO, verified against a modified unsigned checksum, grants absolutely nothing, hence it's common practice to use signing.

Checksums are not related to security. The security measure is the signing.

You should read the 3 provided links more carefully. Your reply is contrary to the forum's replies.

I'm a computer dino who knows what he's talking about. Please don't spread misinformation. Actually you don't know me, so don't care about my claims, but since Zorin OS is based upon Ubuntu, you might want to take an educated guess, thinking about the reason why Ubuntu does sign the checksums, instead of just providing unsigned checksums.

Regards,
Ralf

Aravisian tried to help you Ralf, he went out of his way to provide links. You can learn a lot by reading the Zorin FAQ.
https://forum.zorin.com/faq

There are a lot of helpful materials there, much of which could answer many questions you might have.

Regardless of how smart someone is, humility teaches, there is always much to learn. Ponder on that you will.
4 Likes

Hi,

it's not helpful to claim that a sha256 checksum and signed packages make signing the ISO's checksum redundant. This is plain wrong. It's a security risk. False modesty when knowing better is inappropriate and doesn't help the FLOSS community.

If somebody else should be interested in security, too, I'll continue on Ubuntu Users.

Regards,
Ralf

Hi,

for the time being I'll go for

$ wget https://get.debian.org/cdimage/release/current/amd64/iso-bd/{{SHA256SUMS,SHA512SUMS}{,.sign},debian-edu-11.1.0-amd64-BD-1.iso}

Index of /cdimage/release/current/amd64/iso-cd

How can I verify my download is correct and exactly what has been created by Debian?

There are files here (SHA512SUMS, etc.) which contain checksums of the images. These checksum files are also signed - see the matching .sign files. Once you've downloaded an image, you can check:

  • that its checksum matches that expected from the checksum file; and
  • that the checksum file has not been tampered with.

For more information about how to do these steps, read the verification guide.

Maybe Zorin OS does consider to provide signed checksums in the future.

Regards,
Ralf

1 Like
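The two-step check that the quoted Debian text describes (verify the signature on the checksum file first, only then compare the image against it), written out as an added POSIX sh example; it is not code from this thread, from Debian or from Zorin, and the keyring path and file names passed to it are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded image against a SIGNED checksum file.
# Assumes: sha256sum and gpgv on PATH, and a keyring file that holds only the
# distributor's signing key, obtained out of band (assumed path passed as $4).
set -eu

# Step 1: check the detached signature over the checksum file. Without this,
# whoever can replace the ISO on a mirror can replace SHA256SUMS as well, so an
# unsigned (or badly signed) checksum file proves nothing about the image.
verify_sums_signature() {
    sums="$1"; sig="$2"; keyring="$3"
    gpgv --keyring "$keyring" "$sig" "$sums"
}

# Step 2: only after step 1 succeeded, compare the image's hash with the entry
# for it in the (now trusted) list. Entries look like "<hash>  <name>" or, in
# binary mode, "<hash> *<name>"; other images in the list are simply ignored.
verify_image_checksum() {
    sums="$1"; image="$2"
    name=$(basename "$image")
    expected=$(awk -v f="$name" '$2 == f || $2 == "*" f { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 1; }
    actual=$(sha256sum "$image" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Full procedure: usage  verify_download IMAGE SHA256SUMS SHA256SUMS.sign KEYRING
verify_download() {
    image="$1"; sums="$2"; sig="$3"; keyring="$4"
    verify_sums_signature "$sums" "$sig" "$keyring" ||
        { echo "checksum file is NOT signed by a trusted key; do not trust it" >&2; return 2; }
    verify_image_checksum "$sums" "$image" ||
        { echo "image does not match the signed checksum" >&2; return 3; }
    echo "image verified: it matches a checksum signed by a trusted key"
}

if [ $# -eq 4 ]; then verify_download "$@"; fi
```

A matching hash from an unsigned checksum file only shows the download was not corrupted in transit; the signature check in step 1 is what ties that hash to the distributor.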

I am not mistaken, Ralf, I deal with these same signature requirements that the ZorinGroup does.
The Checksum IS a signature.
You are falsely claiming that the Zorin OS .iso is unsigned.
This is False.

Yes, there is a remote risk that a man-in-the-middle attack could change that signature; but that risk is just as valid that they can change any other signature. That risk is always present, no matter what. It is also an exceptionally low risk; as it is very difficult to do.
This topic was also covered in the thread you linked to.
By downloading from the Zorin Site and by checking the Checksum which IS a signature, users can verify safely that their copy of Zorin OS is unmodified and valid.
Period.

This statement is false and demonstrates that you do not understand how the hash and checksums work. In so doing, in your assumptions, you are promoting False Statements about Zorin on the Zorin Forum.

They are not. You are seeing only what you want to see and excluding any point that does not agree with your preconceptions.

Then you should be well aware that what I said was accurate. You can verify and hash the Signed Source files for Zorin OS. They are provided.
It says the same thing in what you quoted:

Which I pointed out above before you quoted this:

These statements remain accurate.

Furthermore, any upload - any upload - of the Zorin OS Packages to the repository requires the digital signature that the ZorinGroup Uses.

Your lack of understanding of how this works, combined with your assumption that if you, personally, do not know how to do it, then it does not exist, is illogical and is the source of any misinformation being spread.
If you persist, I will need to close the thread to prevent your furthered spread of misinformation.

5 Likes

In the case where the .iso is modified and the checksum is modified, let's first start with the basics and use logic.

IF you downloaded ANY program (whether an OS or a simple program, whatever it is) FROM its OFFICIAL WEBSITE, is it a modified version or an official version? IS IT LEGIT?

Then, if the USER doesn't TRUST the OFFICIAL WEBSITE to release the OFFICIAL VERSION, and thinks it's a MODIFIED VERSION, where do you think the official version will come from?

5 Likes

Well said.
I think that this is a case of the O.P. being overly-enthusiastic about security; stretching possibilities into stretching credulity.

There is an upper limit where everything is suspect of being corrupted or modified.
If a user wishes to view the world through this lens, they have every right to do so. But they do not get to conclude that if they did not see a file, it therefore does not exist. I have never petted a Giraffe.
That doesn't make them not exist.

(And as a matter of safety, it probably would be wise to not pet a giraffe.
Not saying I wouldn't... Just saying it would be wise not to...)

5 Likes

The OP is an Arch user. They are known to be quite zealous in their opinions.

It takes character to recognize humility: As Neil DeGrasse Tyson suggested, "understand the difference between what you know and what you think you know."

Then after an explanation from both Aravisian and me, the OP persisted in pushing his initial claim.

We know it is probably best to close the thread, because the OP is not going to back down. We are also aware the OP started a topic thread in the Ubuntu forums.

But we can't control what happens on the Ubuntu forums, or Arch forums. But we can control what happens on the Zorin forum. Aravisian, I recommend closure of the thread.

I corrected a typo in your above post.

That said, I would prefer to avoid closing the thread as that can present the appearance of closing out opposition. This is why I openly addressed this above: I would have to close the thread if the thread misrepresents the reality of Zorin OS.

It is entirely possible that the O.P. and I define terms in a different way that leads to a misunderstanding and having the thread open allows for understanding to be reached.

It can only be closed if either a Heated Argument is Imminent or it is made clear that understanding cannot be reached without fighting or with only fighting.

4 Likes

Arriving at the Zorin homepage you are presented with a lock in the address bar... the site is using https, a site created by the Zorins. Then you access their download servers, also providing a secure connection.... checking the signature-based checksum. Where is the lack of security and chance for modification? If that paranoia gets any stronger you may as well kiss the internet goodbye.

This OS, downloaded from the Zorin.com site, is unaltered in any way. Should the hash result not match, it would be due to corruption and you should redownload the iso.

There are many modified versions of all OSes available online... but from the developer's site, no.

3 Likes