Index of /pub/texlive-utah/Images

[ICO]        Name                                  Last modified      Size

[PARENTDIR]  Parent Directory                                         -
[TXT]        0xBC9AFC44.asc                        2023-03-23 13:30   14K
[TXT]        README.html                           2024-03-14 16:34   13K
[TXT]        README.md                             2024-03-13 10:30   1.2K
[DIR]        test/                                 2024-03-13 10:41   -
[   ]        texlive.iso                           2024-03-11 19:22   5.6G
[   ]        texlive2024-20240312.iso              2024-03-11 19:22   5.6G
[   ]        texlive2024-20240312.iso.md5          2024-03-11 19:22   59
[   ]        texlive2024-20240312.iso.sha512       2024-03-11 19:23   155
[TXT]        texlive2024-20240312.iso.sha512.asc   2024-03-11 19:23   488
[   ]        texlive2024.iso                       2024-03-11 19:22   5.6G
[   ]        texlive2024.iso.md5                   2024-03-11 19:23   50
[   ]        texlive2024.iso.sha512                2024-03-11 19:23   146
[TXT]        texlive2024.iso.sha512.asc            2024-03-11 19:23   488

TeX Live 2024 ISO Image Verification

Original version: Thu Mar 14 15:41:26 2024
Last updates: Thu Mar 14 16:34:38 2024

Before you undertake installation of a large software system like TeX Live, it is a good idea to make sure that your downloaded ISO image file is free of network and filesystem data corruption, and that the file is authentic. The first check is done by computing two independent checksums, and the second check by verifying digital signatures. The rest of this document shows how to do both simple tasks.

Most modern software distributions are checksummed and digitally signed, so the steps described here can be immediately useful for validation of other packages.

Operating-system-specific details of how to mount an ISO image, after you have validated it by the procedures on this Web page, are described here.

Checksum verification

NB: The checksums illustrated here may not correspond to what you see on your system, because the texlive2024.* files are sometimes updated after their first release, and this Web site might not yet have been updated to match. All that matters is that the signatures and checksums are consistent. The timestamps for those files are 11-Mar-2024 at 19:22, or later.

The 7.9GB ISO image, which can be burned onto high-density DVD media, or more likely, simply mounted as a local filesystem, is accompanied by two small files containing MD5 and SHA512 checksums. After downloading them, you can verify correctness of your local copy of the ISO image like this:

    % md5sum    -c texlive2024.iso.md5
    texlive2024.iso: OK

    % sha512sum -c texlive2024.iso.sha512
    texlive2024.iso: OK

Each of those commands may take a minute or two to run, because they require reading the entire image file to recompute a checksum, before matching that value against the recorded checksum.

On Microsoft Windows 7, 8, and 10 in a command or PowerShell window, output looked like this:

    c:> certutil -hashfile texlive2024.iso md5
    MD5 hash of file texlive2024.iso:
    CertUtil: -hashfile command completed successfully.
    c:> certutil -hashfile texlive2024.iso sha512
    SHA512 hash of texlive2024.iso:
    CertUtil: -hashfile command completed successfully.

On Microsoft Windows in a PowerShell window, here are two other ways to get a checksum string:

    c:> Get-FileHash -Algorithm sha512 texlive2024.iso | Format-List
    Algorithm : SHA512
    Hash      : 6E3C3470EE5CA903BB5C31F436B018CD2CFBC526C4CA563CCB15959802F8B1A6C0475C58566C1AFABA19DC780FD192AC5511818EF5A89828D935C66C62CFCB2A
    Path      : C:\texlive2024.iso
    c:> (get-filehash -algorithm sha512 texlive2024.iso).hash

PowerShell commands are case insensitive; the first of those follows Microsoft documentation style, and the second may be easier to type.

The reason for two separate checksums, rather than just one, is that it has sometimes been shown to be possible to create a maliciously modified file with the same checksum as the original. Such an attack is unlikely, but it is effectively impossible with two or more independent robust checksum algorithms whose mathematics has been well studied by expert cryptographers from several countries.

Digital signature authentication

The checksum files are digitally signed by their creator to ensure that they match the original versions. You can verify their authenticity like this:

    % gpg --verify texlive2024.iso.md5.asc

    % gpg --verify texlive2024.iso.sha512.asc

Both commands are fast, because they only have to read a few hundred bytes. You can omit the --verify option, without ill effect.

If your system lacks the gpg command, try its successor, gpg2. Either or both versions 1 and 2 of the GnuPG software are almost universally available on modern computers, but command naming varies. Microsoft Windows systems do not have them installed by default, but you can easily install them from links at the GnuPG download site. You then have a Windows command-line tool, gpg, plus a GUI tool, kleopatra, and the above gpg commands work as they do on Unix-family systems.

If the signature creator's public key is not yet in your personal keyring, then you get output similar to this for the first of those commands:

    gpg: Signature made Thu Mar 23 13:29:39 2024 MDT using RSA key ID BC9AFC44
    gpg: Can't check signature: No public key

The last output line shows that signature verification was not possible, but the preceding line gives the key-ID BC9AFC44 that can be used to look up the public key signature file in any of several key servers, including at least these:

If you trust this site, then you can also find a local copy of the public key here. However, using an independent source of a public key is always strongly recommended, because while an attack on one site is possible, successful attacks on distributed independent sites are highly improbable.

You can now add that newly downloaded public key file to your personal keyring like this:

    % gpg --import 0xBC9AFC44.asc
    gpg: keyring `/u/guest/g-bash/.gnupg/secring.gpg' created
    gpg: /u/guest/g-bash/.gnupg/trustdb.gpg: trustdb created
    gpg: key BC9AFC44: public key "Manfred Lotz (CTAN) " imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)

Finally, verify the authenticity of the checksum files like this:

    % gpg --verify texlive2024.iso.md5.asc
    gpg: Signature made Tue Mar 21 22:06:55 2024 MDT using RSA key ID BC9AFC44
    gpg: Good signature from "Manfred Lotz (DANTE e.V.) "
    gpg:                 aka "Manfred Lotz "
    gpg:                 aka "Manfred Lotz "
    gpg:                 aka "Manfred Lotz (CTAN) "

Easy public key retrievals

A shorter way to add a public key to your keyring, without needing a Web browser, is to have gpg fetch it directly, with one of these commands:

    % gpg --recv-keys 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44
    gpg: keyring `/u/guest/g-bash/.gnupg/pubring.gpg' created
    gpg: requesting key BC9AFC44 from hkps server
    gpg: key BC9AFC44: public key "Manfred Lotz (DANTE e.V.) <>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)

    % gpg --keyserver hkps:// \
          --recv-keys 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44
    gpg: keyring `/u/guest/g-bash/.gnupg/pubring.gpg' created
    gpg: requesting key BC9AFC44 from hkps server
    gpg: key BC9AFC44: public key "Manfred Lotz (DANTE e.V.) " imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)

The first works if any of the keyservers listed in your $HOME/.gnupg/gpg.conf file can find the requested key. The second is what you must do when your default keyservers fail, whereupon you have to supply an alternate. Notice that the common http prefix on the URL must be changed to hkps!
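
The checks above chained into one script, as an added example that is not part of the original page: it accepts the checksum file only if gpg reports a good signature from the full fingerprint used in the --recv-keys command, because the short key ID BC9AFC44 is just the last 32 bits of that fingerprint. The names sig_ok, verify_iso and verify.sh are hypothetical, and the two sample status blocks are constructed, not captured from a real run.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes gpg and sha512sum are on
# PATH and that the .iso, .sha512 and .sha512.asc files share one directory.

# Full 40-hex-digit fingerprint, as used in the --recv-keys command above.
PINNED_FPR=5DBC170683B932D88D4FAF5CC863E74DBC9AFC44

# sig_ok FPR: read `gpg --status-fd 1 --verify` output on stdin. Succeed only
# if gpg reported a good signature whose signing key (field 3 of VALIDSIG) or
# primary key (field 12) is exactly FPR, and no bad/expired/revoked status.
sig_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $12 == want) { pinned = 1 }
        END { exit !(good && pinned && !bad) }'
}

# verify_iso FILE: check the detached signature on FILE.sha512 first, and
# only then trust that checksum file to validate FILE itself.
verify_iso() {
    status=$(gpg --status-fd 1 --verify "$1.sha512.asc" "$1.sha512" 2>/dev/null)
    printf '%s\n' "$status" | sig_ok "$PINNED_FPR" || {
        echo "$1.sha512: no good signature from $PINNED_FPR" >&2
        return 1
    }
    sha512sum -c "$1.sha512"
}

# Constructed status output (not captured from a real run): a good signature
# from the pinned key, and one from a different key with the same short ID.
SAMPLE_PINNED='[GNUPG:] GOODSIG C863E74DBC9AFC44 Constructed Signer
[GNUPG:] VALIDSIG 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44 2024-03-11 1710206600 0 4 0 1 10 00 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44'
SAMPLE_OTHER='[GNUPG:] GOODSIG AAAAAAAABC9AFC44 Constructed Signer
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABC9AFC44 2024-03-11 1710206600 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABC9AFC44'

# Run as: sh verify.sh texlive2024.iso   (verify.sh is a placeholder name)
if [ "$#" -gt 0 ]; then verify_iso "$1"; fi
```

The script stops before sha512sum runs if the signature check fails, so a checksum file that has been replaced along with the ISO is never used to report "OK".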