If I download the OS image from Ubuntu's servers from a location where I could be subject to a MITM attack and get a compromised image, then how can I check its hash to prove that it is the original image?
Hashes may be replaced on the official site by the MITM attacker. But that is not a problem, because I can check them on an IRC channel or somewhere else.
The software that I use for checking sums could be compromised to show the correct answer for a compromised file.
Before I asked this question, I heard that Ubuntu has PGP-signed repositories, so they can't be compromised, but... Here is an interesting thing that I read:
Quote:
If apt's sources.list file was modified, one could also redirect to a location providing malicious updates (and signed with "trusted" keys, if these have been added, although not Ubuntu's ones).
An attacker could have changed pretty much everything, including the actual verification of OpenPGP signatures or include arbitrary malware and backdoors.
So how can this dilemma be solved?
I mean, how can I check the image's authenticity if I can't trust the download source, and we suppose that I have no social connections except with websites?
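As an added example that is not part of the original question: the mechanism Ubuntu relies on is a checksum manifest (SHA256SUMS) plus a detached OpenPGP signature over it (SHA256SUMS.gpg). The script below is my own illustration of the two checks that must both pass: the manifest's signature verifies against a key whose fingerprint was obtained from somewhere other than the download path (for example the keyring pre-installed on a machine you already trust), and the ISO's SHA-256 matches the signed manifest entry. The fingerprint argument is a placeholder, not a real key id; the file names follow Ubuntu's convention but nothing here is Ubuntu's own tooling.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded ISO against
# a signed checksum manifest. Two independent checks:
#   1. check_signature: SHA256SUMS is signed by a key whose fingerprint you
#      obtained out-of-band (pre-installed keyring on a trusted machine,
#      printed in documentation, ...). The fingerprint passed in is a
#      placeholder in this example, not a real key id.
#   2. check_hash: the ISO's SHA-256 matches the entry in that manifest.
# Requires gpg (step 1) and sha256sum from coreutils (step 2).

# Verify the detached signature and pin the signer's fingerprint.
# Returns 0 only if gpg reports a good signature AND the key matches.
check_signature() {
    sums="$1"; sig="$2"; expected_fpr="$3"
    # --status-fd 1 prints machine-readable lines; VALIDSIG carries the
    # fingerprint of the key that produced a good signature. A key that is
    # merely present in the keyring but untrusted still yields VALIDSIG,
    # which is why the fingerprint comparison is not optional.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected_fpr " || return 1
    return 0
}

# Compute the ISO's SHA-256 and compare with the manifest entry.
# Returns 0 on match, 1 if the file is absent from the manifest or differs.
check_hash() {
    sums="$1"; iso="$2"
    name=$(basename "$iso")
    # Manifest lines look like:  <hex>  *<filename>   (the '*' is optional)
    expected=$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n); if (n == f) print $1 }' "$sums")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Run both checks in order; a failed signature makes the hash meaningless.
verify_iso() {
    sums="$1"; sig="$2"; iso="$3"; fpr="$4"
    check_signature "$sums" "$sig" "$fpr" || { echo "signature check FAILED"; return 1; }
    check_hash "$sums" "$iso" || { echo "hash check FAILED"; return 1; }
    echo "OK: $iso matches the signed manifest"
}

# Usage: sh verify_iso.sh SHA256SUMS SHA256SUMS.gpg ubuntu.iso <FINGERPRINT_FROM_TRUSTED_SOURCE>
if [ "$#" -eq 4 ]; then
    verify_iso "$@"
fi
```

The script does not resolve the trust-anchor problem the question raises: if the machine running gpg and sha256sum is itself compromised, or the only source for the key fingerprint is the same network path as the download, the checks prove nothing. What it does show is that once a single trustworthy key fingerprint is available, the rest of the chain (manifest, signature, image) can be verified offline regardless of which mirror served the files.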