[nSLUG] md5 checksum

Dop Ganger nslug at fop.ns.ca
Mon Jan 15 09:10:00 AST 2007

On Mon, 15 Jan 2007, Robert Ashley wrote:

> I downloaded an ubuntu 6.10 iso file from an American mirror site. In
> Windows I also downloaded a utility-->
> Advanced CheckSum Verifier (ACSV) v1.5.0
> The way I read the instructions, I should have got/seen/dl'd a
> checksum file from the ubuntu iso download site.
> Is it true that I can only verify checksum by having the checksum file
> from the original dl site?

No, you should be able to get the md5sum file from any of the mirror 

> Otherwise, what am I verifying?

You're verifying that what was downloaded and saved to your hard drive is 
the same as what you downloaded from the site - ie, making sure the image 
was not corrupted during the download. If (and I think this is the 
question you're really asking) you want to make sure it's an authentic iso 
as released by Ubuntu, you will need to get the gpg file and use that with 
gpg to check the md5sum file you downloaded was authentically signed, 
which you can then be reasonably sure (modulo md5sum collisions) what you 
downloaded is an authentic Ubuntu iso. Then to be *really* sure you'll 
need to get yourself on a chain of trust which will involve going to a 
keysigning party - I imagine there will be some keysigning going on at the 
Dal installfest at the end of the month, if you're really that worried 
about it.

Cheers... Dop.


More information about the nSLUG mailing list