Index of /pub/texlive-utah-2021/Images

[ICO]NameLast modifiedSize

[PARENTDIR]Parent Directory  -
[TXT]5DBC170683B932D88D4FAF5CC863E74DBC9AFC44.asc2020-05-15 11:51 5.6K
[DIR]20210402/2021-04-04 09:24 -
[DIR]20210404/2021-04-07 07:43 -
[TXT]README.html2021-04-20 15:29 13K
[TXT]iso-mounting.css2021-04-06 08:48 325
[TXT]iso-mounting.html2021-04-06 11:04 14K
[   ]texcol2021.iso2021-04-07 04:12 7.9G
[   ]texcol2021.iso.md52021-04-07 04:13 49
[TXT]texcol2021.iso.md5.asc2021-04-07 04:15 833
[   ]texcol2021.iso.sha5122021-04-07 04:13 145
[TXT]texcol2021.iso.sha512.asc2021-04-07 04:15 833

TEX Live 2021 ISO Image Verification

Original version: Fri Apr 2 12:08:48 2021
Last updates: Fri Apr 2 19:19:06 2021    Mon Apr 5 06:09:34 2021    Wed Apr 7 07:47:33 2021    Tue Apr 13 06:58:31 2021    Tue Apr 20 15:29:00 2021

Before you undertake installation of a large software system like TEX Live, it is a good idea to make sure that your downloaded ISO image file is free of network and filesystem data corruption, and that the file is authentic. The first check is done by computing two independent checksums, and the second check by verifying digital signatures. The rest of this document shows how to do both simple tasks.

Most modern software distributions are checksummed and digitally signed, so the steps described here can be immediately useful for validation of other packages.

Operating-system-specific details of how to mount an ISO image, after you have validated it by the procedures on this Web page, are described here.

Checksum verification

The 8.0GB ISO image, which can be burned onto high-density DVD media, is accompanied by two small files containing MD5 and SHA512 checksums. After downloading them, you can verify correctness of your local copy of the ISO image like this:

    % md5sum    -c texcol2021.iso.md5
    texcol2021.iso: OK

    % sha512sum -c texcol2021.iso.sha512
    texcol2021.iso: OK

Each of those commands may take minute or two to run, because they require reading the entire image file to recompute a checksum, before matching that value against the recorded checksum.

On Microsoft Windows 7, 8, and 10 in a command or PowerShell window, output looked like this:

    c:> certutil -hashfile texcol2021.iso MD5
    MD5 hash of file texcol2021.iso:
    CertUtil: -hashfile command completed successfully.
    c:> certutil -hashfile texcol2021.iso SHA512
    SHA512 hash of texcol2021.iso:
    CertUtil: -hashfile command completed successfully.

On Microsoft Windows in a PowerShell window, here are two other ways to get a checksum string:

    c:> Get-FileHash -Algorithm sha512 texcol2021.iso | Format-List
    Algorithm : SHA512
    Hash      : D4A597065932C83915C5C508262C83B682DB3FE4FC43133FBC2C08B22CF6396EF85F2C452C46AFE0A1027D1F0623DCA62A0DADA0C107A03B171667BD9B2AB539
    Path      : C:\texcol2021.iso
    c:> (get-filehash -algorithm sha512 texcol2021.iso).hash

PowerShell commands are case insensitive; the first of those follows Microsoft documentation style, and the second may be easier to type.

The reason for two separate checksums, rather than just one, is that it has sometimes been shown to be possible to create a maliciously modified file with the same checksum as the original. Such an attack is unlikely, but it is effectively impossible with two or more independent robust checksum algorithms whose mathematics has been well studied by expert cryptographers from several countries.

Digital signature authentication

The checksum files are digitally signed by their creator to ensure that they match the original versions. You can verify their authenticity like this:

    % gpg --verify texcol2021.iso.md5.asc

    % gpg --verify texcol2021.iso.sha512.asc

Both commands are fast, because they only have to read a few hundred bytes. You can omit the --verify option, without ill effect.

If your system lacks the gpg command, try its successor, gpg2. Either or both versions 1 and 2 of the GnuPG software are almost universally available on modern computers, but command naming varies. Microsoft Windows systems do not have them installed by default, but you can easily do so from links at the GnuPG Web site. You then have a Windows command-line tool, gpg, plus a GUI tool, kleopatra, and the above gpg commands work as they do on Unix-family systems.

If the signature creator's public key is not yet in your personal keyring, then you get output similar to this for the first of those commands:

    gpg: keyserver option 'honor-http-proxy' is unknown
    gpg: assuming signed data in 'texcol2021.iso.md5'
    gpg: Signature made Fri Apr  2 06:30:08 2021 MDT
    gpg:                using RSA key 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44
    gpg: Can't check signature: No public key

The last output line shows that signature verification was not possible, but the preceding line gives the key-ID 5DB...C44 that can be used to lookup the public key signature file in any of several key servers, including at least these:

If you trust this site, then you can also find a local copy of the public key here. However, using an independent source of a public key is always strongly recommended, because while an attack on one site is possible, successful attacks on distributed independent sites are highly improbable.

You can now add that newly downloaded public key file to your personal keyring like this:

    % gpg --import 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44.asc
    gpg: keyserver option 'honor-http-proxy' is unknown
    gpg: starting migration from earlier GnuPG versions
    gpg: porting secret keys from '$HOME/.gnupg/secring.gpg' to gpg-agent
    gpg: migration succeeded
    gpg: key C863E74DBC9AFC44: public key "Manfred Lotz (CTAN) <>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1

Finally, verify the authenticity of the checksum files like this:

    % gpg --verify texcol2021.iso.md5.asc
    gpg: assuming signed data in 'texcol2021.iso.md5'
    gpg: Signature made Fri Apr  2 06:30:08 2021 MDT
    gpg:                using RSA key 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44
    gpg: Good signature from "Manfred Lotz (CTAN) <>" [ultimate]
    gpg:                 aka "Manfred Lotz <>" [ultimate]
    gpg:                 aka "Manfred Lotz <>" [ultimate]
    gpg:                 aka "Manfred Lotz (DANTE e.V.) <>" [ultimate]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 5DBC 1706 83B9 32D8 8D4F  AF5C C863 E74D BC9A FC44

Notice the two-line warning. It is typical of most checks of digitally signed files, and can generally be ignored. You can make it go away with a gpg --edit-key command where you can interactively certify that you believe that the public key actually belongs to its stated signer, but you should not do so unless you have independent means of such verification, such as by an in-person public key exchange.

Easy public key retrievals

A shorter way to add a public key to your keyring, without needing a Web browser, is to have gpg fetch it directly, with one of these commands:

    % gpg --recv-keys 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44
    gpg: requesting key BC9AFC44 from hkps server
    gpg: key BC9AFC44: "Manfred Lotz (CTAN) <>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1

    % gpg --keyserver hkps:// \
          --recv-keys 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44
    gpg: requesting key BC9AFC44 from hkps server
    gpg: key BC9AFC44: "Manfred Lotz (CTAN) <>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1

The first works if any of the keyservers listed in your $HOME/.gnupg/gpg.conf file can find the requested key. The second is what you must do when your default keyservers fail, whereupon you have to supply an alternate. Notice that the common http prefix on the URL must be changed to hkps!