Sat May 16 10:20:50 2020
Last updates: Mon Jun 1 17:13:14 2020 Tue Jun 2 10:20:01 2020
Before you undertake installation of a large software system like TeX Live, it is a good idea to make sure that your downloaded ISO image file is free of network and filesystem data corruption, and that the file is authentic. The first check is done by computing two independent checksums, and the second check by verifying digital signatures. The rest of this document show how to do both simple tasks.
Most modern software distributions are checksummed and digitally signed, so the steps described here can be immediately useful for validation of other packages.
The 7.2GB ISO image, which can be burned onto high-density DVD media, is accompanied by two small files containing MD5 and SHA512 checksums. After downloading them, you can verify correctness of your local copy of the ISO image like this:
% md5sum -c texcol2020.iso.md5 texcol2020.iso: OK % sha512sum -c texcol2020.iso.sha512 texcol2020.iso: OK
Each of those commands may take minute or two to run, because they require reading the entire image file to recompute a checksum, and then match that value against the recorded checksum.
On Microsoft Windows 7, 8, and 10 in a command or PowerShell window, output looks like this:
c:> certutil -hashfile texcol2020.iso MD5 MD5 hash of file texcol2020.iso: 81 d7 54 ce 28 87 fa 8b 39 17 08 26 af a8 59 7f CertUtil: -hashfile command completed successfully. c:> certutil -hashfile texcol2020.iso SHA512 SHA512 hash of file texcol2020.iso: 97 c9 c1 fe cb 5e 49 8c 15 60 6a c1 35 b0 6d c4 2c 7b ac aa 89 17 0f 98 3b c4 ca cc 6d d5 9c 8d f4 06 8b 9d c2 d1 68 cb 1f 7e cc 60 cf b1 54 b4 ac 25 9c 9e 51 a7 6f 52 de 39 d2 fc 4a aa 79 1f CertUtil: -hashfile command completed successfully.
The hexadecimal digit pairs can be compared visually with the values in the checksum files, which record them as long strings, without spaces.
On Microsoft Windows, here are two ways to get a single long checksum string:
c:> Get-FileHash -Algorithm sha512 texcol2020.iso | Format-List Hash : 97C9C1FECB5E498C15606AC135B06DC42C7BACAA89170F983BC4CACC6DD59C8DF4068B9DC2D168CB1F7ECC60CFB154B4AC259C9E51A76F52DE39D2FC4AAA791F Path : C:texcol2020.iso c:> (get-filehash -algorithm sha512 texcol2020.iso).hash 97C9C1FECB5E498C15606AC135B06DC42C7BACAA89170F983BC4CACC6DD59C8DF4068B9DC2D168CB1F7ECC60CFB154B4AC259C9E51A76F52DE39D2FC4AAA791F
PowerShell commands are case insensitive; the first of those follows Microsoft documentation style, and the second may be easier to type.
The reason for two separate checksums, rather than just one, is that it has sometimes been shown to be possible to create a maliciously modified file with the same checksum as the original. Such an attack is unlikely, but it is effectively impossible with two or more independent robust checksum algorithms whose mathematics has been well studied by expert cryptographers from several countries.
The checksum files are digitally signed by their creator to ensure that they match the original versions. You can verify their authenticity like this:
% gpg --verify texcol2020.iso.md5.asc % gpg --verify texcol2020.iso.sha512.asc
Both commands are fast, because they only have to read a few hundred bytes.
If your system lacks the gpg command, try its successor, gpg2. Either or both versions 1 and 2 of the GnuPG software are almost universally available on modern computers, but command naming varies. Microsoft Windows systems do not have them installed by default, but you can easily do so from links at the GnuPG Web site. You then have a Windows command-line tool, gpg, plus a GUI tool, kleopatra.
If the signature creator's public key is not yet in your personal keyring, then you get output similar to this for the first of those commands:
gpg: keyserver option 'honor-http-proxy' is unknown gpg: assuming signed data in 'texcol2020.iso.md5' gpg: Signature made Sun 10 May 2020 01:45:13 AM MDT gpg: using RSA key 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44 gpg: Can't check signature: No public key
The last output line shows that signature verification was not possible, but the preceding line gives the key-ID 5DB...C44 that can be used to lookup the public key signature file in any of several key servers, including at least these:
If you trust this site, then you can also find a local copy of the public key here. However, using an independent source of a public key is always strongly recommended, because while an attack on one site is possible, successful attacks on distributed independent sites are highly improbable.
You can now add that newly downloaded public key file to your personal keyring like this:
% gpg --import 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44.asc gpg: keyserver option 'honor-http-proxy' is unknown gpg: starting migration from earlier GnuPG versions gpg: porting secret keys from '$HOME/.gnupg/secring.gpg' to gpg-agent gpg: migration succeeded gpg: key C863E74DBC9AFC44: public key "Manfred Lotz (CTAN)
" imported gpg: Total number processed: 1 gpg: imported: 1
Finally, verify the authenticity of the checksum files like this:
% gpg --verify texcol2020.iso.md5.asc gpg: keyserver option 'honor-http-proxy' is unknown gpg: assuming signed data in 'texcol2020.iso.md5' gpg: Signature made Sun 10 May 2020 01:45:13 AM MDT gpg: using RSA key 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44 gpg: Good signature from "Manfred Lotz (CTAN)
" [unknown] gpg: aka "Manfred Lotz (DANTE e.V.) " [unknown] gpg: aka "Manfred Lotz " [unknown] gpg: aka "Manfred Lotz " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 5DBC 1706 83B9 32D8 8D4F AF5C C863 E74D BC9A FC44
Notice the two-line warning. It is typical of most checks of digitally signed files, and can generally be ignored. You can make it go away with a gpg --edit-key command where you can interactively certify that you believe that the public key actually belongs to its stated signer, but you should not do so unless you have independent means of such verification, such as by an in-person public key exchange.
A shorter way to add a public key to your keyring, without needing a Web browser, is to have gpg fetch it directly, with one of these commands:
% gpg --recv-keys 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44 gpg: requesting key BC9AFC44 from hkps server keys.openpgp.org gpg: key BC9AFC44: "Manfred Lotz (CTAN)
" not changed gpg: Total number processed: 1 gpg: unchanged: 1 % gpg --keyserver hkps://keys.openpgp.org/ \ --recv-keys 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44 gpg: requesting key BC9AFC44 from hkps server keys.openpgp.org gpg: key BC9AFC44: "Manfred Lotz (CTAN) " not changed gpg: Total number processed: 1 gpg: unchanged: 1
The first works if any of the keyservers listed in your $HOME/.gnupg/gpg.conf file can find the requested key. The second is what you must do when your default keyservers fail, whereupon you have to supply an alternate. Notice that the common http prefix on the URL must be changed to hkps!