TeX Live 2022 ISO Image Verification

Original version: Fri Apr 2 12:08:48 2021
Last updates: Fri Apr 2 19:19:06 2021    Mon Apr 5 06:09:34 2021    Wed Apr 7 07:47:33 2021    Tue Apr 13 06:58:31 2021    Tue Apr 20 15:29:00 2021    Thu Jan 6 10:44:34 2022    Sat Apr 2 08:24:16 2022    Tue Apr 5 08:27:53 2022

Before you undertake installation of a large software system like TeX Live, it is a good idea to make sure that your downloaded ISO image file is free of network and filesystem data corruption, and that the file is authentic. The first check is done by computing two independent checksums, and the second check by verifying digital signatures. The rest of this document shows how to do both simple tasks.

Most modern software distributions are checksummed and digitally signed, so the steps described here can be immediately useful for validation of other packages.

Operating-system-specific details of how to mount an ISO image, after you have validated it by the procedures on this Web page, are described here.


Checksum verification

The 7.9GB ISO image, which can be burned onto high-density DVD media, or more likely, simply mounted as a local filesystem, is accompanied by two small files containing MD5 and SHA512 checksums. After downloading them, you can verify correctness of your local copy of the ISO image like this:

    % md5sum    -c texcol2022.iso.md5
    texcol2022.iso: OK

    % sha512sum -c texcol2022.iso.sha512
    texcol2022.iso: OK

Each of those commands may take a minute or two to run, because they require reading the entire image file to recompute a checksum, before matching that value against the recorded checksum.

On Microsoft Windows 7, 8, and 10 in a command or PowerShell window, output looked like this:

    c:> certutil -hashfile texcol2022.iso MD5
    MD5 hash of file texcol2022.iso:
    e8fcc7dbb7e2afc1d4b9ff0831368d23
    CertUtil: -hashfile command completed successfully.
    
    c:> certutil -hashfile texcol2022.iso SHA512
    SHA512 hash of texcol2022.iso:
    0a0b33869f866ac965360a1f6dd1b1d55407e0dc11f028637f4ab4064d90548263946cb9586b127e03f92bbda4be5b699713962604e0bee6ffa358cadfbdb6c8
    CertUtil: -hashfile command completed successfully.

On Microsoft Windows in a PowerShell window, here are two other ways to get a checksum string:

    c:> Get-FileHash -Algorithm sha512 texcol2022.iso | Format-List
    Algorithm : SHA512
    Hash      : 0A0B33869F866AC965360A1F6DD1B1D55407E0DC11F028637F4AB4064D90548263946CB9586B127E03F92BBDA4BE5B699713962604E0BEE6FFA358CADFBDB6C8
    Path      : C:\texcol2022.iso
    
    c:> (get-filehash -algorithm sha512 texcol2022.iso).hash
    0A0B33869F866AC965360A1F6DD1B1D55407E0DC11F028637F4AB4064D90548263946CB9586B127E03F92BBDA4BE5B699713962604E0BEE6FFA358CADFBDB6C8

PowerShell commands are case insensitive; the first of those follows Microsoft documentation style, and the second may be easier to type.

The reason for two separate checksums, rather than just one, is that it has sometimes been shown to be possible to create a maliciously modified file with the same checksum as the original. Such an attack is unlikely, but it is effectively impossible with two or more independent robust checksum algorithms whose mathematics has been well studied by expert cryptographers from several countries.


Digital signature authentication

The checksum files are digitally signed by their creator to ensure that they match the original versions. You can verify their authenticity like this:

    % gpg --verify texcol2022.iso.md5.asc

    % gpg --verify texcol2022.iso.sha512.asc

Both commands are fast, because they only have to read a few hundred bytes. You can omit the --verify option, without ill effect.

If your system lacks the gpg command, try its successor, gpg2. Either or both versions 1 and 2 of the GnuPG software are almost universally available on modern computers, but command naming varies. Microsoft Windows systems do not have them installed by default, but you can easily install them from links at the GnuPG download site. You then have a Windows command-line tool, gpg, plus a GUI tool, kleopatra, and the above gpg commands work as they do on Unix-family systems.

If the signature creator's public key is not yet in your personal keyring, then you get output similar to this for the first of those commands:

    gpg: Signature made Mon 04 Apr 2022 12:18:25 PM MDT using RSA key ID BC9AFC44
    gpg: Can't check signature: No public key

The last output line shows that signature verification was not possible, but the preceding line gives the key-ID BC9AFC44 that can be used to look up the public key signature file in any of several key servers, including at least these:

If you trust this site, then you can also find a local copy of the public key here. However, using an independent source of a public key is always strongly recommended, because while an attack on one site is possible, successful attacks on distributed independent sites are highly improbable.

You can now add that newly downloaded public key file to your personal keyring like this:

    % gpg --import 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44.asc
    gpg: keyring `/u/guest/g-bash/.gnupg/secring.gpg' created
    gpg: /u/guest/g-bash/.gnupg/trustdb.gpg: trustdb created
    gpg: key BC9AFC44: public key "Manfred Lotz (CTAN) " imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)

Finally, verify the authenticity of the checksum files like this:

    % gpg --verify texcol2022.iso.md5.asc
    gpg: Signature made Mon 04 Apr 2022 12:18:25 PM MDT using RSA key ID BC9AFC44
    gpg: Good signature from "Manfred Lotz (CTAN) "
    gpg:                 aka "Manfred Lotz (DANTE e.V.) "
    gpg:                 aka "Manfred Lotz "
    gpg:                 aka "Manfred Lotz "
    gpg: Note: This key has expired!
    Primary key fingerprint: 5DBC 1706 83B9 32D8 8D4F  AF5C C863 E74D BC9A FC44

Easy public key retrievals

A shorter way to add a public key to your keyring, without needing a Web browser, is to have gpg fetch it directly, with one of these commands:

    % gpg --recv-keys 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44
    gpg: keyring `/u/guest/g-bash/.gnupg/pubring.gpg' created
    gpg: requesting key BC9AFC44 from hkps server pgp.mit.edu
    gpg: key BC9AFC44: public key "Manfred Lotz (DANTE e.V.) <manfred@dante.de>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)

    % gpg --keyserver hkps://keys.openpgp.org/ \
          --recv-keys 5DBC170683B932D88D4FAF5CC863E74DBC9AFC44
    gpg: keyring `/u/guest/g-bash/.gnupg/pubring.gpg' created
    gpg: requesting key BC9AFC44 from hkps server keys.openpgp.org
    gpg: key BC9AFC44: public key "Manfred Lotz (DANTE e.V.) " imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)

The first works if any of the keyservers listed in your $HOME/.gnupg/gpg.conf file can find the requested key. The second is what you must do when your default keyservers fail, whereupon you have to supply an alternate. Notice that the common http prefix on the URL must be changed to hkps!
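
The whole chain described on this page (signature, then checksum file, then ISO) can be run as one fail-closed script. This is an added example, not part of the original page: it assumes the .asc files are detached signatures over the checksum files, and the function names and the constructed LOOKALIKE status lines are illustrative. It pins the full fingerprint printed above, because the 8-digit key ID BC9AFC44 alone does not identify a key.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes each .asc file is a
# detached signature over the checksum file of the same name.
PINNED_FPR=5DBC170683B932D88D4FAF5CC863E74DBC9AFC44   # fingerprint printed on this page

# sig_status_ok FPR: read `gpg --status-fd 1 --verify` output on stdin and
# succeed only if a VALIDSIG line names FPR (as signing key or primary key)
# and no BADSIG or ERRSIG line is present.
sig_status_ok() {
    awk -v fpr="$1" '
        $1 != "[GNUPG:]"                              { next }
        $2 == "BADSIG" || $2 == "ERRSIG"              { bad = 1 }
        $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { good = 1 }
        END { exit (good && !bad) ? 0 : 1 }'
}

# key_expired: succeed if the status output flags an expired signing key,
# the condition behind the "This key has expired!" note shown above.
key_expired() { grep -Eq '^\[GNUPG:\] (EXPKEYSIG|KEYEXPIRED) '; }

# Constructed status lines (not captured from a real run): a valid signature
# by a different key whose last 8 hex digits also read BC9AFC44.
LOOKALIKE='[GNUPG:] GOODSIG 89ABCDEFBC9AFC44 Constructed Signer
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEFBC9AFC44 2022-04-04 1649096305 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEFBC9AFC44'

# verify_iso ISO: authenticate both checksum files, then check the ISO
# against each of them. Any failure stops the run with a non-zero status.
verify_iso() {
    for ext in md5 sha512; do
        st=$(gpg --status-fd 1 --verify "$1.$ext.asc" "$1.$ext" 2>/dev/null) || :
        printf '%s\n' "$st" | sig_status_ok "$PINNED_FPR" ||
            { echo "$1.$ext: no valid signature from $PINNED_FPR" >&2; return 1; }
        printf '%s\n' "$st" | key_expired &&
            echo "$1.$ext: signing key has expired; confirm the fingerprint elsewhere" >&2
        "${ext}sum" -c "$1.$ext" || return 1
    done
}

if [ $# -gt 0 ]; then
    verify_iso "$1"
elif printf '%s\n' "$LOOKALIKE" | sig_status_ok "$PINNED_FPR"; then
    echo "lookalike key accepted (unexpected)"
else
    echo "lookalike key rejected: short ID matches, full fingerprint does not"
fi
```

Run it with texcol2022.iso as its argument from the directory that holds the ISO, both checksum files and both .asc files; with no argument it only runs the built-in lookalike check.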