Ubuntu 16.04 and MD5SUM check [SOLVED]

In downloading Ubuntu 16.04 I performed an MD5sum check using the usual terminal command:
md5sum ubuntu-16.04-desktop-amd64.iso
The result was agreement, so that was nice. Just to be sure, though, I checked the Ubuntu web page http://www.ubuntu.com/download/how-to-verify to make sure that I was doing the right thing. The instructions there use SHA256SUMS and SHA256SUMS.gpg files and a very complicated series of actions that is quite beyond my comprehension, involving explicit encryption commands. It’s true that MD5SUM is based upon PGP encryption, but the simple terminal command makes all that transparent to the user.
I would be grateful if a knowledgeable person would explain why the PGP route is considered necessary when the MD5SUM command appears to function perfectly well.

Many thanks

MD5 will ONLY check the integrity of a downloaded file … but it does NOT verify that the downloaded file comes from a trusted source. Signing the ISO and verifying it against a known public GPG key is a way to add a chain of trust that the ISO image came from the publisher.

When the Mint servers were hacked and a compromised ISO was uploaded, it would have been possible for the hacker to have also changed the MD5 checksum on the website, and you’d never have known because you’d be checking the ISO against the hacker’s MD5.

Digitally signing the ISO images themselves and then checking them against a known good, trusted public key from clem (the author) would have failed, and it would have been clear that, though they passed an MD5 check (against the bogus checksum), they were NOT from clem.

Peppermint do the same thing, as do Mint (and most other distros) now.

At the end of the day it’s only as necessary as your paranoia levels … but the option is there for security’s sake.

In short…

MD5 checksums are ONLY a check for file integrity (corruption) … they do NOT verify you’re using the right checksum.

GPG signing is both a file integrity check and a security check that the file came from a trusted source.

If you’re only going to use MD5 checksums, it would be a VERY good idea to check the published MD5 is the same on multiple websites … a hacker is unlikely to have hacked multiple different servers and changed the published MD5 checksum on all of them :wink:
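The compromised-mirror scenario described in the post above, as an added worked example that is not part of the thread and not anyone's published tooling: a POSIX shell script that stands up a fake mirror directory, a throwaway publisher key and a throwaway attacker key in scratch GNUPGHOME directories (all constructed here; publisher@example.invalid and attacker@example.invalid are placeholder identities), then runs a checksum-only check and a signed check against the genuine mirror and against the tampered one. It uses the SHA256SUMS / SHA256SUMS.gpg layout from the Ubuntu how-to page rather than MD5, because that is what Ubuntu publishes and the point is identical.

```shell
#!/bin/sh
# Added demonstration, not part of the thread: a mirror whose ISO *and* published
# SHA256SUMS were both replaced passes `sha256sum -c`, but fails `gpg --verify`
# against a publisher key the user pinned beforehand. Everything is constructed
# locally: the "ISO" is a tiny file, the "mirror" is a directory, and the publisher
# and attacker keys are throwaway keys generated in scratch GNUPGHOME directories.
set -u

WORK="$(mktemp -d)"
MIRROR="$WORK/mirror"
PUBLISHER="publisher@example.invalid"   # hypothetical identities, not real keys
ATTACKER="attacker@example.invalid"

# Run gpg as one party (publisher, attacker or verifier), each with its own scratch
# keyring so nothing touches the real ~/.gnupg and no party sees another's keys.
gpg_as() {   # $1 = party, remaining arguments = gpg options
  _home="$WORK/gnupg-$1"; shift
  mkdir -p "$_home" && chmod 700 "$_home"
  GNUPGHOME="$_home" gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@" 2>/dev/null
}

# Publisher: build the release, publish SHA256SUMS and a detached signature over it.
publish_release() {
  mkdir -p "$MIRROR"
  printf 'genuine installer image\n' > "$MIRROR/ubuntu-16.04-desktop-amd64.iso"
  ( cd "$MIRROR" && sha256sum *.iso > SHA256SUMS )
  gpg_as publisher --quick-gen-key "$PUBLISHER" ed25519 sign never
  gpg_as publisher --local-user "$PUBLISHER" --output "$MIRROR/SHA256SUMS.gpg" --detach-sign "$MIRROR/SHA256SUMS"
  # The user obtained the publisher's public key out of band (by fingerprint, before
  # downloading) and pinned it in their own keyring. This step is the chain of trust.
  gpg_as publisher --export --armor "$PUBLISHER" > "$WORK/publisher-key.asc"
  gpg_as verifier --import "$WORK/publisher-key.asc"
}

# Attacker who owns the mirror: swap the ISO, regenerate SHA256SUMS so the checksums
# still match, and re-sign with a key of their own. They never had the publisher's
# private key, so this is the best they can do.
compromise_mirror() {
  printf 'backdoored installer image\n' > "$MIRROR/ubuntu-16.04-desktop-amd64.iso"
  ( cd "$MIRROR" && sha256sum *.iso > SHA256SUMS )
  gpg_as attacker --quick-gen-key "$ATTACKER" ed25519 sign never
  gpg_as attacker --local-user "$ATTACKER" --output "$MIRROR/SHA256SUMS.gpg" --detach-sign "$MIRROR/SHA256SUMS"
}

# Checksum-only verification: trusts whatever SHA256SUMS the mirror serves. Exit 0 = OK.
check_by_checksum() {
  ( cd "$MIRROR" && sha256sum --check --status SHA256SUMS )
}

# Signed verification, in the order the Ubuntu how-to page uses: SHA256SUMS must carry
# a good signature from the pinned key *before* it is trusted to check the ISO. Exit 0 = OK.
check_by_signature() {
  gpg_as verifier --verify "$MIRROR/SHA256SUMS.gpg" "$MIRROR/SHA256SUMS" \
    && ( cd "$MIRROR" && sha256sum --check --status SHA256SUMS )
}

# Run both checks against the genuine mirror, then against the compromised one.
run_demo() {
  publish_release
  check_by_checksum  && GENUINE_CHECKSUM=pass  || GENUINE_CHECKSUM=fail
  check_by_signature && GENUINE_SIGNATURE=pass || GENUINE_SIGNATURE=fail
  compromise_mirror
  check_by_checksum  && TAMPERED_CHECKSUM=pass  || TAMPERED_CHECKSUM=fail
  check_by_signature && TAMPERED_SIGNATURE=pass || TAMPERED_SIGNATURE=fail
  printf 'genuine mirror:  sha256sum -c %s, gpg --verify %s\n' "$GENUINE_CHECKSUM" "$GENUINE_SIGNATURE"
  printf 'tampered mirror: sha256sum -c %s, gpg --verify %s\n' "$TAMPERED_CHECKSUM" "$TAMPERED_SIGNATURE"
}

# Stop the per-party gpg-agents and remove the scratch directory.
cleanup() {
  for p in publisher attacker verifier; do
    GNUPGHOME="$WORK/gnupg-$p" gpgconf --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$WORK"
}

run_demo
cleanup
```

On the genuine mirror both checks pass. On the tampered mirror `sha256sum -c` still passes, because the attacker published sums that match the swapped ISO, while `gpg --verify` fails: the signature was made with a key the verifier never pinned (had the attacker left the original SHA256SUMS.gpg in place instead, it would be a BAD signature over the altered file). The script silences gpg's stderr to keep the output short; when doing this for real, read it. A good signature from a key you have not certified prints a "not certified with a trusted signature" warning, and the thing to compare is the key fingerprint against the one the publisher documents, which is what the Ubuntu how-to page walks through.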

Thank you Mark.

Your explanation is very helpful indeed. I think the simplest option for me is, as you suggest, to check the MD5SUM on several servers. Better still: if the normal update offers an upgrade, I shall accept that, as it obviates the need to reload my preferred suite of software (Nero, VLC, etc.).

Thank you once more.

NP Keith :slight_smile: