How to verify ISO download

  • I've just started looking at OMV and this was also my first question. I was looking for a simple SHA-256 that I could get from the download page, and then check that against the actual ISO image I download. SHA-256 is available on practically every machine I use; it's simple, it would give enough reassurance, and many distros do this:


    Ubuntu:

    https://ubuntu.com/download/de…0.04.3&architecture=amd64

    AntiX:

    https://antixlinux.com/download/


    OpenSuSE:

    https://get.opensuse.org/tumbleweed/?type=desktop#download


    Mint:

    https://linuxmint.com/edition.php?id=292


    They all have the ISO on a random mirror, but the checksums are all in a specific place (the source of the mirrors, one would assume). I think the key thing here is that if someone changes the checksums someone will probably notice, because many people would be viewing them and testing them. Whereas it may be easier to change an ISO on one random mirror (updating the accompanying checksum) out of a few dozen possibles, and it wouldn't be spotted so easily. No point in storing the checksums on any mirrors if you do this; you actually want people to be constantly checking the *original* checksums against the ISOs they download, wherever from.


    I hope that the developers will consider providing this in the future, if for no other reason than to avoid questions like this :).


    Thanks!

    • Official post

    Didn't we already kill this issue? If you are worried about the ISO and the checksum being altered, then just check the signature since that is on the official (not a mirror) download page - https://www.openmediavault.org/download.html

    omv 7.0.5-1 sandworm | 64 bit | 6.8 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.13 | compose 7.1.4 | k8s 7.1.0-3 | cputemp 7.0.1 | mergerfs 7.0.4


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • Didn't we already kill this issue? If you are worried about the ISO and the checksum being altered, then just check the signature since that is on the official (not a mirror) download page - https://www.openmediavault.org/download.html

    I'd find it useful to have the sha/md5 checksums. I'd verify the ISO in seconds and it would be a one-step process (a single command execution) instead of a key download and three commands. I went through exactly the same process as Jonathan L in trying to understand what I was supposed to do, and I think the reason is that it's actually doing more than I need (I don't need/want to import anything). My feature request still stands and I believe it's a valid one, unless you think all the other people providing this info are somehow wrong. If the developers won't do it, fine, but if you never ask you don't get!

    • Official post

    I'd find it useful to have the sha/md5 checksums. I'd verify the ISO in seconds and it would be a one-step process (a single command execution) instead of a key download and three commands.

    So why not use the checksums? - https://sourceforge.net/projec…nmediavault/files/5.6.13/

    If the developers won't do it it's fine, but if you never ask you don't get!

    There is only one developer - votdev. He puts the ISOs and checksums on the SourceForge page. The "official" download page just links to the ISO on the SourceForge page that I linked to above. I guess he could put the link for the checksum file on the download page, but like many of the things you linked to that are doing it "right", the checksum URL is just the ISO URL + ".sha256"


  • https://c.tenor.com/sJeCT3uwsBEAAAAM/horse-dead.gif

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 7.x on headless Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 32GB ECC RAM.

  • Quote from ryecoaaron

    Because they're on the mirrors.

    Quote from ryecoaaron

    There is only one developer - votdev. He puts the ISOs and checksums on the sourceforge page. The "official" download page just links to the iso on the sourceforge page that I linked to above. I guess he could put the link for the checksum file on the download page but like many of the things you linked to that are doing it "right", the url checksum is the just the iso url + ".sha256"

    In any of the links I gave the digest is distinct from the mirror location. Sure, you can have the digest on the mirror as well if you want but you need the single source of truth to do it the 'right' way IMHO.


    Listen, I can understand if nobody wants to do this. It seems as though the main download page can stay static this way, so each release is less work, because it refers to the public key, instead of to the digest of the actual release. But perhaps the public key itself should also be there along with the fingerprint because you don't really want people importing the public key from what may be a compromised location, and then trusting that going forward. They should check the fingerprint before they do that, but again extra work where they may as well have just checked the digest in the first place. Of course this is all assuming sourceforge gets compromised which is unlikely.
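The two checks argued over in this thread, checking the ISO against a checksum file taken from the original site rather than the mirror, and checking a public key's fingerprint against one obtained out of band before importing it, as an added example. This is not OMV project code and not taken from any post here. It assumes GNU coreutils sha256sum and GnuPG 2.1 or later on PATH, that the .sha256 file is in the "<hex>  <name>" form that sha256sum -c accepts, and the key file, signature file and fingerprint argument are placeholders for whatever the official download page actually publishes. The demo at the end builds a constructed stand-in image and its .sha256 file locally, so nothing is downloaded.

```sh
#!/bin/sh
# Added example, not OMV project code. Assumes GNU coreutils sha256sum and,
# for the signature half, GnuPG 2.1+ on PATH. Key file, signature file and
# fingerprint are placeholders for what the official download page publishes.
set -u

# verify_iso_sha256 ISO SUMFILE
# SUMFILE holds "<hex>  <name>" lines as written by sha256sum (a "*" before
# the name marks binary mode). Returns 0 on match, 1 on mismatch, 2 if no
# line names the ISO. Fetch SUMFILE from the original site, not from the
# mirror the ISO came from, so one host cannot rewrite both together.
verify_iso_sha256() {
    iso=$1
    sumfile=$2
    name=$(basename "$iso")
    expected=$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n) }
                                 n == f { print tolower($1); exit }' "$sumfile")
    if [ -z "$expected" ]; then
        echo "no checksum line for $name in $sumfile" >&2
        return 2
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# import_key_checked KEYFILE FINGERPRINT
# Compares the key file's fingerprint with one you obtained out of band (for
# example printed on the official download page) before anything is imported,
# so a key swapped on a compromised host is rejected instead of trusted.
import_key_checked() {
    keyfile=$1
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    got=$(gpg --with-colons --import-options show-only --import "$keyfile" 2>/dev/null \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$got" != "$want" ]; then
        echo "fingerprint mismatch: got ${got:-none}, want $want" >&2
        return 1
    fi
    gpg --import "$keyfile"
}

# verify_iso_signature ISO SIGFILE
# SIGFILE is the detached signature (.asc/.sig) published for ISO; gpg exits
# non-zero on a bad signature or a key that is not in the keyring.
verify_iso_signature() {
    gpg --verify "$2" "$1"
}

# Constructed demo: a stand-in "ISO" and its .sha256 file are created locally,
# so the checksum path runs without any download. Returns 0 when the intact
# image passes and a tampered copy is caught.
demo_checksum_flow() {
    tmp=$(mktemp -d) || return 2
    iso="$tmp/openmediavault-demo.iso"
    printf 'constructed stand-in for an ISO image\n' > "$iso"
    ( cd "$tmp" && sha256sum openmediavault-demo.iso > openmediavault-demo.iso.sha256 )
    rc=0
    verify_iso_sha256 "$iso" "$iso.sha256" || rc=1
    printf 'x' >> "$iso"                      # one appended byte must be caught
    if verify_iso_sha256 "$iso" "$iso.sha256" 2>/dev/null; then rc=1; fi
    rm -rf "$tmp"
    return $rc
}

demo_checksum_flow
```

For a real download the order is: verify_iso_sha256 on the ISO plus the .sha256 file from the original site; then, only if you also want the signature, import_key_checked with the fingerprint you read off the official page, followed by verify_iso_signature with the detached signature. The fingerprint comparison is what turns "trust whatever key this URL served" into "trust the key the project actually published".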

    • Official post

    Listen, I can understand if nobody wants to do this. It seems as though the main download page can stay static this way, so each release is less work, because it refers to the public key, instead of to the digest of the actual release. But perhaps the public key itself should also be there along with the fingerprint because you don't really want people importing the public key from what may be a compromised location, and then trusting that going forward. They should check the fingerprint before they do that, but again extra work where they may as well have just checked the digest in the first place. Of course this is all assuming sourceforge gets compromised which is unlikely.

    It doesn't matter what I think. votdev is the only one who can decide.

