Missing .iso.md5 file?
When I click on the link to download the .iso.md5 file on the download page of trisquel-netinst_11.0.1_amd64.iso I land on a '404 Not Found' page.
Go to https://trisquel.info/en/download, unfold 'More', select the radio button 'Netinstall', on the following page, next to 'MD5:' click on https://cdimage.trisquel.info/trisquel-images/trisquel-netinst_11.0.1_amd64.iso.md5.
Expected: https://cdimage.trisquel.info/trisquel-images/trisquel-netinst_11.0.1_amd64.iso.md5 should be downloaded.
Actual: a 404 page.
I experience the same behaviour when following similar paths for Trisquel, Triskel and Trisquel Mini.
Is this expected?
I cannot see the file netinst_11.0.1_amd64.iso.md5 on the page: https://cdimage.trisquel.info/trisquel-images/. I attached a screenshot.
I found this seemingly related issue: https://trisquel.info/en/issues/15393
Attachment | Size |
---|---|
cdimage_trisquel.png | 105.85 KB |
I am trying to verify the integrity of the ISO image file using MD5, following part 2 from this wiki: https://trisquel.info/en/wiki/download-trisquel.
I verified the integrity of the ISO image using the .iso.sha256 file.
$ sha256sum -c trisquel-netinst_11.0.1_amd64.iso.sha256
trisquel-netinst_11.0.1_amd64.iso: OK
Shall I add instructions on how to verify an ISO image with sha256sum (as an alternative to md5) to the page https://trisquel.info/en/wiki/download-trisquel?
Yes, please. For Trisquel 11.0.1 (or later, I guess), sha512sum can be used as well to verify the integrity of the ISO. For the NetInstall, the resulting hash would be compared to https://cdimage.trisquel.info/trisquel-images/trisquel-netinst_11.0.1_amd64.iso.sha512
MD5 is fine to detect an accidental modification of the file. It is not fine to deal with an attacker who wants to make you download something else: https://www.kb.cert.org/vuls/id/836068
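As an added example (not part of this thread or of the Trisquel wiki), here is a shell function that applies the point above: it checks an image against a `.sha512` or `.sha256` file sitting next to it, and does not fall back to MD5. The function name `verify_image` and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: verify an image against its
# published checksum file, preferring SHA-512, then SHA-256.
# An .md5 file alone is deliberately not accepted.
# Return codes (this example's own convention):
#   0 = checksum matches, 1 = mismatch, 2 = no acceptable checksum file.
# Usage: verify_image path/to/trisquel-netinst_11.0.1_amd64.iso
verify_image() {
    image=$1
    dir=$(dirname -- "$image")
    name=$(basename -- "$image")
    for algo in sha512 sha256; do
        sumfile="$name.$algo"
        if [ -f "$dir/$sumfile" ]; then
            # The checksum file names the image relative to its own
            # directory, so the check has to run from there.
            if (cd -- "$dir" && "${algo}sum" -c "$sumfile"); then
                return 0
            fi
            echo "MISMATCH ($algo): do not use $name; download it again" >&2
            return 1
        fi
    done
    if [ -f "$dir/$name.md5" ]; then
        echo "only an MD5 file is present; it is not accepted here" >&2
    fi
    echo "no .sha512 or .sha256 file found for $name" >&2
    return 2
}
```

A match only shows that the image is the one the checksum file describes; whether the checksum file itself comes from the Trisquel project is a separate authentication step.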
I added a section with instructions on how to verify the integrity of the ISO file using sha512sum. I placed it before the section on verifying the ISO file with md5sum, since I understand that MD5 files aren't available for release 11.0.1. https://trisquel.info/en/wiki/download-trisquel
The page had quite some problems. Not because of what you wrote (please keep on contributing!), but because of outdated information. In particular, it was:
- still referring to 32-bit architectures that Trisquel 11 does not support (and Trisquel 10 will reach its end of life in April);
- not mentioning the choice of a mirror and the possible preference for a torrent file;
- not instructing the easiest way to download the files for every verification;
- referring to MD5 (which should not be used, and that is not an option to verify the integrity of Trisquel's latest ISOs, as we discussed above) and to SHA512 (which is fine... but not proposed as a link right after asking for the ISO);
- confusing the integrity of the ISO and the authentication of the Trisquel project as its author;
- more generally not properly explaining what is done and how to act if a verification fails;
- using an example rather than * in the commands;
- generally too verbose (which may be scary to newcomers).
I ended up rewriting it entirely... :-)
I have no access to Windows to check the instructions for that system: I kept the ones that were written (but used *). There was (and still is) no instruction to check the integrity of the ISO on Windows.
Also, I am not an expert in security: if you are, please review what I wrote.
Thanks. I read through; I have nothing to add. Agreed on the verbose. It reads easier. The explanation about why verify, and what authentication is, is nice to have. (I have no access to Windows either.)
I actually did not know a user can "open a terminal in a folder". I don't know whether it is worth adding "right click inside the folder (but not on a file), and then select 'Open in Terminal'" in parentheses or somewhere, or if that is too much info.
I added that piece of information (not all file managers do that though) and made some other minor changes.
What's better: sha256, sha512 or sha3?
They are all considered secure, unlike MD5. In terms of how secure they are: SHA3 > SHA512 > SHA256. In terms of the time it takes to compute them in software, it is the reverse.