These are part of the coreutils and gnupg packages, which are installed by default. If you are using bash on Windows 10 why on earth not? See this tutorial , these tools are part of the default install.
You can install the latest GnuPG using Homebrew :. The shasum program and other useful utilities are provided by coreutils :. Your mileage may vary, but these are standard tools included and enabled by default in most systems. If this is the first time you have run gpg , this will create a trust database for the current user. Both these commands should output some version information. Now we have the tools we need, we can move on to finding and downloading the files we need.
Alongside the actual ISO files containing the Ubuntu image you downloaded, all Ubuntu mirrors publish some extra files. The ones we are interested in are called:. It is usually convenient to download these at the same time as downloading the distro.
The SHASUMS file contains checksums for all the available images you can check this by opening the file where a checksum exists - development and beta versions sometimes do not generate new checksums for each release. In the next step we will use this signature file to verify the checksum file. Depending on your platform, you may or may not need to download the public key used to authenticate the checksum file Ubuntu and most variants come with the relevant keys pre-installed.
The easiest way to find out if you need the key is to run the authentication command:. If there is no public key for Ubuntu already present, you will get an error message similar to the following:. This is actually a really useful message, as it tells us which key or keys were used to generate the signature file. This is done with the following command.
Note that the ID numbers are hexadecimal, so we prefix them with 0x :. This command should retrieve the keys we want and add them to your keyring. You should see a message like this:.
If you want to know more about signing keys and trust, you can check out the Ubuntu community GPG wiki page. Alongside the actual ISO files containing the Ubuntu image you downloaded, all Ubuntu mirrors publish some extra files.
The ones we are interested in are called:. It is usually convenient to download these at the same time as downloading the distro. Note - some people question that if the site they are downloading from is not secure many archive mirrors do not use SSL , how can they trust the signatures?
The SHASUMS file contains checksums for all the available images you can check this by opening the file where a checksum exists - development and beta versions sometimes do not generate new checksums for each release. In the next step we will use this signature file to verify the checksum file.
Depending on your platform, you may or may not need to download the public key used to authenticate the checksum file Ubuntu and most variants come with the relevant keys pre-installed. The easiest way to find out if you need the key is to run the authentication command:. If there is no public key for Ubuntu already present, you will get an error message similar to the following:.
This is actually a really useful message, as it tells us which key or keys were used to generate the signature file.
This is done with the following command. Note that the ID numbers are hexadecimal, so we prefix them with 0x :. This command should retrieve the keys we want and add them to your keyring. You should see a message like this:. If you want to know more about signing keys and trust, you can check out the Ubuntu community GPG wiki page. Now that we have verified the checksum file was created by Ubuntu, we can check that the ISO file we downloaded matches the checksum.
Then run the following commands in a terminal. If you get no results or any result other than that shown above then the ISO file does not match the checksum. This could be because the ISO has been altered, or it downloaded incorrectly - either way you should download a fresh ISO from a known good source. Ubuntu and Canonical are registered trademarks of Canonical Ltd.
Tutorials How to verify your Ubuntu download.
0コメント