Are there signatures or checksums for the installer programs available?



  • And if they are published, where can I find them ?
    Probably a boring question, but I haven't found anything about that topic in the forum.
    Thank you for teaching me.



  • @jobus yes, you can find them in http://system-image.ubports.com/ if you know where to look 😉

    Edit: oh, sorry, are you asking about the ubports-installer checksums?



  • @jobus said in Are there signatures or checksums for the installer programs available?:

    And if they are published, where can I find them ?
    Probably a boring question, but I haven't found anything about that topic in the forum.
    Thank you for teaching me.

    +1
    I support this question. Software to be installed should have md5 or sha256 hashes to verify its integrity.



  • @advocatux Thank you for answer ! Yes, I asked for the installer software.
    I followed your link and I have seen, there are a lot of different packages more. I guessed, the image would come with the installer, but now I think, the installer is a pure installer and collects the packages to install.
    I don't anything about the installation procedure:
    My first assumption: I have to check only the integrity/authenticity of the installer and the installer does guarantee the integrity/authenticity of the installed packages.
    My second assumption: The installer does not guarantee the integrity/authenticity of the installed packages. So I would have to know which packages the installer installs and to do that job manually.



  • @jobus you can study which steps does the installer exactly by going to https://devices.ubuntu-touch.io/ choose a device, and then click on "manual installation instructions".



  • @advocatux Thank you very much, that is what I looked for. I haven't found it by myself, thank you.



  • @jobus you're welcome. Glad to hear that 🙂



  • @advocatux
    I have one more question to the manual download procedure of an ubuntuphone image.

    The download script does already check the integrity of the downloaded files, that's fine.
    But I would like to check the authenticity of the download and I fail at the end
    with the last key id.

    For the most files signature files are provided. They were generated by the pgp key of
    UBports System Image Image Signing key system-image@ubports.com

    This first key (inside a keyring) comes with a signature generated by the pgp key of
    1 Image Master key me@mariogrip.com

    This second key (inside a keyring) is signed by the pgp key belonging
    to the key id
    1A30C7D6585E9E81

    I cannot find this key; I suppose it is published in a similar manner
    like e.g. debian distro maintainers proceed.

    And finally, for http://cdimage.ubports.com/devices/recovery-vegetahd.img
    i could not find any pgp signature file.

    Perhaps, you could give me a hint again?


  • Community

    @jobus

    The checksums for the partition images are served by api.ubports.com. This sha256 hash is checked both in the manual install instructions and in the installer. You can find the json for your device here: https://api.ubports.com/v1/devices/vegetahd

    I will add checksums for the executables and installation packages of the installer to the releases page, doing that automatically in ci has been on my list for a while. Wasn't my highest priority so far, because github defaults to https, so the only remaining attack vector i can see would be to switch the files hosted there, which is not very likely to happen unless we have a mole, the account of someone with access to the org gets pwned or someone hacks Microsoft. In all cases, there'd be more efficient ways to do much more severe damage, but since this has been requested some times now, who am i to stand in the way of progress. 🙂


Log in to reply