4

I want to download and verify the ISO of lubuntu. The problem is I can't find a secure channel in the first place. The official ISO here is being downloaded with http (not https). Of course I can download and then verify the hash, but the only place I can find the hashes is here, which is also insecure http.
Any way to securely download the ISO?

Edit:
The proposed duplicate question is not similar to my case - it talks about downloading using apt, which uses an authentication mechanism (no user action needed). My questions is about files downloaded manually, thus I must authenticate the files by myself.

Jona
  • 143

1 Answers1

5

You can download all the official Ubuntu and Ubuntu community flavour iso files (Kubuntu, Lubuntu, ... Xubuntu) via this link,

http://releases.ubuntu.com/

For Lubuntu you arrive at

http://cdimage.ubuntu.com/lubuntu/releases/

and yes, these are http (not https) URLs.

But there is a signing mechanism. The gpg-files contain signatures from Ubuntu, and they can be used to verify that the MD5SUMS or the stronger SHA256SUMS are correct.

The accepted answer at the following link describes how to verify the checksum files with all the necessary details,

verifiying ubuntu iso with repository gpg-keys

sudodus
  • 47,684