4

I can check that an Ubuntu iso file is indeed untampered using the public keys already present and trusted in my Ubuntu system.

Now I want to switch from Ubuntu to Arch and I wonder how I can start trusting that the image downloaded for setting up Arch has not been tampered?

I know that I can use cryptographic hash functions like sha256,sha1,md5 even though that these are transmitted via the same channel (hence an attacker would just switch the hashes to fit to the tampered iso).

Now is there a strategic way out? i.e. do some distributions cross-sign their isos or public keys so that I can verify isos without leaving a trust-chain I already bought in?

As an alternative, should I redownload the md5 from different sources, on different machines and at different times to make an attack more troublesome?

is this the suggested procedure?

humanityANDpeace
  • 1,412
  • 1
  • 12
  • 24

1 Answers1

4

https://www.archlinux.org/download/ has the SHA1 hash for the ISO image as well as the distribution's PGP key. Use that to verify the authenticity of your Arch Linux download.

Since that page is hosted on an HTTPS site, that should be a reasonable guarantee that it comes from the organization to which the SSL certificate was issued. (It is possible that the website has been hacked and those checksums and signatures are false, but that would be a huge problem for The Arch Linux project.)

200_success
  • 2,144
  • 2
  • 15
  • 20
  • HTTPS is a good start, unless you have personally met at least three developers in a key signing party. – Alicia Sep 22 '14 at 12:27