Why doesn't the Ubuntu download have a PGP signature?

Asked by Chippy

I've downloaded v.7.0.4 and was shocked that it wasn't PGP signed. How can anyone verify its authenticity? Is this an oversight? Are your servers that secure? Given that this is an operating system, how am I to know it hasn't been 'enhanced' with a root kit? Not trying to be critical here, I'm just concerned.

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: Nicolas DERIVE

Best Nicolas DERIVE (kalon33) said :
#1

You can verify it using md5sum. Open a terminal, go to the directory where the downloaded image is (using "cd path", where path is that of the file) and type "md5sum filename" (where filename is the name of your file), wait a bit, and a group of letters and numbers is displayed. This is the MD5 signature of the file. Then, open http://releases.ubuntu.com/7.04/MD5SUMS (http://releases.ubuntu.com/7.04/MD5SUMS.gpg is the PGP signature of this file) and compare the MD5 sign of the original file with the one you have, and verify that the PGP signature is the good one. It should be OK.

Hope that it helps you.

--kalon33.
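
The procedure in the answer above, scripted as an added example (not part of the original answer or of Ubuntu's tooling): it authenticates MD5SUMS with MD5SUMS.gpg first and only then compares the image digest against the list. The function names and the fingerprint argument are assumptions; the signing key must already be in your gpg keyring and its fingerprint obtained from a source you trust.

```bash
#!/usr/bin/env bash
# Added example: verify a downloaded image against a signed MD5SUMS list.

# verify_sums SUMS SIG FPR
# Succeeds only if SIG is a valid signature over SUMS made by the key whose
# fingerprint is FPR (uppercase hex, no spaces). FPR is supplied by the caller;
# a "good signature" from some other key in the keyring is rejected.
verify_sums() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        grep -q "^\[GNUPG:] VALIDSIG $3 "
}

# expected_md5 SUMS NAME
# Prints the digest listed for NAME. Fails unless exactly one well-formed
# line matches. Handles both "hash *name" (binary) and "hash  name" (text).
# Assumes image names without spaces, as on releases.ubuntu.com.
expected_md5() {
    awk -v name="$2" '
        { f = $2; sub(/^\*/, "", f) }
        f == name && length($1) == 32 && $1 !~ /[^0-9a-f]/ { print $1; n++ }
        END { exit (n == 1 ? 0 : 1) }
    ' "$1"
}

# check_image SUMS IMAGE
# 0 = digest matches, 1 = mismatch, 2 = image unreadable or not listed once.
check_image() {
    local want have
    [ -r "$2" ] || return 2
    want=$(expected_md5 "$1" "$(basename "$2")") || return 2
    have=$(md5sum "$2" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# verify_download SUMS SIG FPR IMAGE
# Signature first: a matching digest proves nothing if the list is forged.
verify_download() {
    verify_sums "$1" "$2" "$3" ||
        { echo "MD5SUMS signature invalid or from unexpected key" >&2; return 1; }
    check_image "$1" "$4" ||
        { echo "digest mismatch or image not listed: $4" >&2; return 1; }
    echo "OK: $4"
}

# Usage: script MD5SUMS MD5SUMS.gpg FINGERPRINT image.iso
if [ "$#" -eq 4 ]; then
    verify_download "$@"
fi
```
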

Chippy (chippy122) said :
#2

Thanks Nicolas DERIVE, that solved my question.