
Question

I am downloading Ubuntu Linux, and would like to make sure that my download has not been tampered with.

Ubuntu has a GPG key, which I could use to make sure that the download is valid -- but how do I validate the key? Unfortunately, the key seems to only be available via hkp -- which is not a secure protocol!

The GPG key is itself signed -- but how do I check those keys?

The Ubuntu instructions for verifying the download are not helpful unless the public key to verify the signatures is available securely. GPG web of trust is not helpful, because mine is currently empty and I don't know where to start building it.

Explanation / Answer

Using a secure connection will not help in validating the key either. How would you verify the identity of the server you are connecting to? E.g. I can use hkps to connect to a rogue server and securely retrieve a fake public key.

Instead, PGP works via a "Web of Trust" infrastructure whereby you trust a key because it is signed by someone whom you trust.