Is there any way to verify a Ubuntu iso or hashsum via HTTPS?

Question

Neither the ISO nor the hashsum is available via HTTPS. Is there any way to verify you're not getting man-in-the-middled?

Answer 1

The hashes and iso's are only provided via http, so md5sum-checking is insufficient. As @Doug Smythies explained in a comment on a deleted answer:

We (the Ubuntu Doc team) no longer maintain the https page, because it is pretty much impossible to do so. The people with the ability to do an https page won't.

However, Ubuntu's gpg fingerprints are available via https here.

TLDR

1. Download MD5SUMS and MD5SUMS.gpg for the relevant release.
2. Verify the MD5SUMS with the MD5SUMS.gpg and check that the fingerprint is the same as on this web page.
3. Verify the iso with the MD5SUMS.

Answer 2

Whilst Canonical isn't providing HTTPS some of the officially recognized 3rd-party mirrors do, so that may be a viable alternative. Even without HTTPS you can always compare the checksums provided by several different mirrors (that you recognize) to help decrease the odds of a MITM (Man In The Middle).

List of Official 3rd-Party Mirrors CAPABLE of HTTPS:

(remove the - from h-ttps, only put there because too many urls)

• https://free.nchc.org.tw/ubuntu-cd/
• https://ftp.fau.de/ubuntu-releases/
• https://ftp.heanet.ie/pub/ubuntu-releases/
• https://ftp.lysator.liu.se/ubuntu-releases/
• https://ftp.rnl.tecnico.ulisboa.pt/pub/ubuntu/releases/
• https://ftp.sjtu.edu.cn/ubuntu-cd/
• https://ftp-stud.hs-esslingen.de/pub/Mirrors/releases.ubuntu.com/
• https://ftp.ucsb.edu/pub/mirrors/linux/ubuntu/
• https://ftp.yzu.edu.tw/Linux/ubuntu-releases/
• https://lug.mtu.edu/ubuntu-iso/
• https://mirror.aarnet.edu.au/pub/ubuntu/releases/
• https://mirror.beget.ru/ubuntu-releases/
• https://mirror.cedia.org.ec/ubuntu-releases/
• https://mirror.csclub.uwaterloo.ca/ubuntu-releases/
• https://mirror.hmc.edu/ubuntu-releases/
• https://mirror.imt-systems.com/ubuntu/
• https://mirror.kku.ac.th/ubuntu-releases/
• https://mirror.one.com/ubuntu-cd/
• https://mirror.picosecond.org/ubuntu-releases/
• https://mirrors.bloomu.edu/ubuntu-releases/
• https://mirrors.cat.pdx.edu/ubuntu-releases/
• https://mirrors.koehn.com/ubuntureleases/
• https://mirrors.ocf.berkeley.edu/ubuntu-releases/
• https://mirror.stjschools.org/public/ubuntu-release/
• https://mirrors.tripadvisor.com/releases/
• https://mirrors.tuna.tsinghua.edu.cn/ubuntu-releases/
• https://mirrors.ustc.edu.cn/ubuntu-releases/
• https://mirrors.xmission.com/ubuntu-cd/
• https://mirror.umd.edu/ubuntu-iso/
• https://mirror.vorboss.net/ubuntu-releases/
• https://mirror.yandex.ru/ubuntu-releases/
• https://ubuntu.koyanet.lv/releases/
• https://ubuntu.localmsp.org/ubuntu-releases/
• https://ubuntu.tuxuri.com/releases/
• https://ubuntu.uni-sofia.bg/releases/
• https://ubuntu.vxroutes.com/
• https://www.mirrorservice.org/sites/releases.ubuntu.com/

In future, for those whom don't fancy checking mirrors by hand for HTTPS, you can use Https Finder, which was the tool used to find these mirrors.

Answer 3

You can download your favorite ubuntu from here: http://www.ubuntu.com/download/desktop

and you can see the md5 checksum from here: http://releases.ubuntu.com/14.04/

Infact 2nd link contains all the .iso and the md5 checksums.

Look for this link for verifying the .iso file

I will suggest go for Ubuntu desktop 14.04 LTS(Long term support).