0

When downloading a Linux installer iso, the user is supposed to check the iso with sha or m5sum and compare the result against a checksum file, and then check the gpg signature of the checksum file.

If I understand it right, the checksum is to test for iso integrity (iso not corrupted) and that gpg checks that the checksum was not manipulated. So why is the iso itself not signed?

Benchukee
  • 3
  • 1
  • 1
    I've found that most Linux installer ISOs _are_ signed. What distribution are you trying to install? – forest May 03 '21 at 01:36
  • @forest Ubuntu at least doesn't sign the ISO itself. It releases another file with the sha256sums of the ISO and a detached signature of the checksums file. – nobody May 03 '21 at 01:45
  • @nobody Yeah that's how most systems release their ISOs. I just re-read OP's question and realized he already knew that. Oops. – forest May 03 '21 at 01:46
  • Welcome to the Security Stack Exchange! Thanks for posting. I think this question needs more context. You say the user is supposed to take an action; "supposed to" is according to whom? Is this a theoretical scenario or are you asking about a specific installer? – securityOrange May 03 '21 at 02:04

2 Answers2

1

It's faster and easier for the vast majority of users to just use sha1sum or md5sum than to import the GPG key and check it.

And if an attacker could change the hashes on the official site, the same attacker would be able to change the keys there too.

ThoriumBR
  • 50,648
  • 13
  • 127
  • 142
  • 1
    It might be useful to note that neither SHA-1 nor MD5 are considered secure for this purpose anymore. – forest May 03 '21 at 01:47
  • +1. OP, WRT, "And if an attacker could change the hashes on the official site, the same attacker would be able to change the keys there too", hopefully the signer(s) store their private signing keys offline to prevent this. An attacker who is able to modify the ISO file can then easily modify the checksum file as well, if hosted on the same server. But, this will break the signature. If the checksum file is signed using an offline private key, the attacker can not create a new signature. This is why it's important to not just verify the hash in the checksum file, but also verify the signature. – mti2935 May 03 '21 at 13:05
1

In addition to what @ThoriumBR said, if the distro releases a checksum file and signs it, they have to sign just one file. If instead they signed each ISO/image separately, they would end up having to sign lots of files (since they have to release a separate ISO for every version and every architecture). For example, have a look at the Ubuntu 18.04 checksums file. It has the checksums for 44 different iso and .img.xz files. Signing each of these 44 files independently would be a waste of time for the Ubuntu maintainers and their download page would be cluttered with 44 extra signature files (the signature has to be detached or otherwise the ISOs won't be directly usable).

nobody
  • 11,251
  • 1
  • 41
  • 60