Fri Apr 2 12:08:48 2021
Last updates: Fri Apr 2 19:19:06 2021 Mon Apr 5 06:09:34 2021 Wed Apr 7 07:47:33 2021 Tue Apr 13 06:58:31 2021 Tue Apr 20 15:29:00 2021
Before you undertake installation of a large software system like TEX Live, it is a good idea to make sure that your downloaded ISO image file is free of network and filesystem data corruption, and that the file is authentic. The first check is done by computing two independent checksums, and the second check by verifying digital signatures. The rest of this document shows how to do both simple tasks.
Most modern software distributions are checksummed and digitally signed, so the steps described here can be immediately useful for validation of other packages.
Operating-system-specific details of how to mount an ISO image, after you have validated it by the procedures on this Web page, are described here.
The 8.0GB ISO image, which can be burned onto high-density DVD media, is accompanied by two small files containing MD5 and SHA512 checksums. After downloading them, you can verify correctness of your local copy of the ISO image like this:
% md5sum -c texcol2021.iso.md5 texcol2021.iso: OK % sha512sum -c texcol2021.iso.sha512 texcol2021.iso: OK
Each of those commands may take minute or two to run, because they require reading the entire image file to recompute a checksum, before matching that value against the recorded checksum.
On Microsoft Windows 7, 8, and 10 in a command or PowerShell window, output looked like this:
c:> certutil -hashfile texcol2021.iso MD5 MD5 hash of file texcol2021.iso: da778196bd9cd78d95e18a4d0270505c CertUtil: -hashfile command completed successfully. c:> certutil -hashfile texcol2021.iso SHA512 SHA512 hash of texcol2021.iso: d4a597065932c83915c5c508262c83b682db3fe4fc43133fbc2c08b22cf6396ef85f2c452c46afe0a1027d1f0623dca62a0dada0c107a03b171667bd9b2ab539 CertUtil: -hashfile command completed successfully.
On Microsoft Windows in a PowerShell window, here are two other ways to get a checksum string:
c:> Get-FileHash -Algorithm sha512 texcol2021.iso | Format-List Algorithm : SHA512 Hash : D4A597065932C83915C5C508262C83B682DB3FE4FC43133FBC2C08B22CF6396EF85F2C452C46AFE0A1027D1F0623DCA62A0DADA0C107A03B171667BD9B2AB539 Path : C:\texcol2021.iso c:> (get-filehash -algorithm sha512 texcol2021.iso).hash D4A597065932C83915C5C508262C83B682DB3FE4FC43133FBC2C08B22CF6396EF85F2C452C46AFE0A1027D1F0623DCA62A0DADA0C107A03B171667BD9B2AB539
PowerShell commands are case insensitive; the first of those follows Microsoft documentation style, and the second may be easier to type.
The reason for two separate checksums, rather than just one, is that it has sometimes been shown to be possible to create a maliciously modified file with the same checksum as the original. Such an attack is unlikely, but it is effectively impossible with two or more independent robust checksum algorithms whose mathematics has been well studied by expert cryptographers from several countries.
The checksum files are digitally signed by their creator to ensure that they match the original versions. You can verify their authenticity like this:
% gpg --verify texcol2021.iso.md5.asc % gpg --verify texcol2021.iso.sha512.asc
Both commands are fast, because they only have to read a few hundred bytes. You can omit the --verify option, without ill effect.
If your system lacks the gpg command, try its successor, gpg2. Either or both versions 1 and 2 of the GnuPG software are almost universally available on modern computers, but command naming varies. Microsoft Windows systems do not have them installed by default, but you can easily do so from links at the GnuPG Web site. You then have a Windows command-line tool, gpg, plus a GUI tool, kleopatra, and the above gpg commands work as they do on Unix-family systems.
If the signature creator's public key is not yet in your personal keyring, then you get output similar to this for the first of those commands:
gpg: keyserver option 'honor-http-proxy' is unknown gpg: assuming signed data in 'texcol2021.iso.md5' gpg: Signature made Fri Apr 2 06:30:08 2021 MDT gpg: using RSA key 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44 gpg: Can't check signature: No public key
The last output line shows that signature verification was not possible, but the preceding line gives the key-ID 5DB...C44 that can be used to lookup the public key signature file in any of several key servers, including at least these:
If you trust this site, then you can also find a local copy of the public key here. However, using an independent source of a public key is always strongly recommended, because while an attack on one site is possible, successful attacks on distributed independent sites are highly improbable.
You can now add that newly downloaded public key file to your personal keyring like this:
% gpg --import 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44.asc gpg: keyserver option 'honor-http-proxy' is unknown gpg: starting migration from earlier GnuPG versions gpg: porting secret keys from '$HOME/.gnupg/secring.gpg' to gpg-agent gpg: migration succeeded gpg: key C863E74DBC9AFC44: public key "Manfred Lotz (CTAN) <email@example.com>" imported gpg: Total number processed: 1 gpg: imported: 1
Finally, verify the authenticity of the checksum files like this:
% gpg --verify texcol2021.iso.md5.asc gpg: assuming signed data in 'texcol2021.iso.md5' gpg: Signature made Fri Apr 2 06:30:08 2021 MDT gpg: using RSA key 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44 gpg: Good signature from "Manfred Lotz (CTAN) <firstname.lastname@example.org>" [ultimate] gpg: aka "Manfred Lotz <email@example.com>" [ultimate] gpg: aka "Manfred Lotz <firstname.lastname@example.org>" [ultimate] gpg: aka "Manfred Lotz (DANTE e.V.) <email@example.com>" [ultimate] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 5DBC 1706 83B9 32D8 8D4F AF5C C863 E74D BC9A FC44
Notice the two-line warning. It is typical of most checks of digitally signed files, and can generally be ignored. You can make it go away with a gpg --edit-key command where you can interactively certify that you believe that the public key actually belongs to its stated signer, but you should not do so unless you have independent means of such verification, such as by an in-person public key exchange.
A shorter way to add a public key to your keyring, without needing a Web browser, is to have gpg fetch it directly, with one of these commands:
% gpg --recv-keys 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44 gpg: requesting key BC9AFC44 from hkps server keys.openpgp.org gpg: key BC9AFC44: "Manfred Lotz (CTAN) <firstname.lastname@example.org>" not changed gpg: Total number processed: 1 gpg: unchanged: 1 % gpg --keyserver hkps://keys.openpgp.org/ \ --recv-keys 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44 gpg: requesting key BC9AFC44 from hkps server keys.openpgp.org gpg: key BC9AFC44: "Manfred Lotz (CTAN) <email@example.com>" not changed gpg: Total number processed: 1 gpg: unchanged: 1
The first works if any of the keyservers listed in your $HOME/.gnupg/gpg.conf file can find the requested key. The second is what you must do when your default keyservers fail, whereupon you have to supply an alternate. Notice that the common http prefix on the URL must be changed to hkps!