Score:0

What's the point of verifying downloads against the sha256 hash?


Just out of curiosity - Ubuntu and other Linux distributions tell users to verify downloaded .ISOs against the SHA256 hash of the .ISO.

1 - Since the SHA256 hash value is hosted on the same website as the .ISO file, isn't it equally vulnerable to an attacker who wants to distribute hacked images? If an attacker manages to substitute his own hacked .ISO file, why can't he also substitute the SHA256 hash with one that matches his hacked .ISO?

2 - Don't the standard file transfer protocols (TCP, SFTP, https, BitTorrent...) have sufficiently long CRCs to practically prevent bit errors creeping unnoticed into downloads? If not, why not?

As you have noted, the hashes should be from the original site, not the site (mirror?) you downloaded from. Hashes are small, so nearness/bandwidth doesn't matter as much.
guiverc
Not all downloads occur over the protocols you mention, i.e. HTTP is still used by at least `zsync`, which is *loved* by those of us who are downloading many large files every day (i.e. *daily* images).
Score:4

Many common questions here at AskUbuntu are from users encountering mysterious problems that --after some troubleshooting-- turn out to be apparently caused by corrupted or incomplete installer downloads or mis-made LiveUSBs.

When those users carefully re-download and re-make the LiveUSB properly, the mysterious problems vanish and the system behaves normally.

Checking the hash is one easy troubleshooting tool to confirm that the installer download is correct, so you're not wasting effort troubleshooting the wrong step in the process. There are different troubleshooting tools and techniques for different steps.
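The check described in this answer, as an added example that is not part of the original post: a shell function that looks up an image's expected hash in a `SHA256SUMS`-style list and reports a match, a mismatch, or a missing entry as distinct exit statuses. It assumes the coreutils list format, file names without spaces, and a list obtained from a source you trust; `sample.iso` and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify a downloaded image against a SHA256SUMS-style list.
# List format (coreutils): "<64 hex digits> <space or *><file name>" per line.

# expected_hash LIST NAME: print the hash recorded for NAME, fail if not listed.
expected_hash() {
    awk -v name="$2" '
        { f = $2; sub(/^\*/, "", f) }      # drop the binary-mode "*" marker
        f == name && length($1) == 64 { print tolower($1); found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# verify_download FILE LIST: 0 = match, 1 = mismatch, 2 = cannot check.
verify_download() {
    file=$1
    list=$2
    name=$(basename "$file")
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    want=$(expected_hash "$list" "$name") || {
        echo "no entry for $name in $list" >&2
        return 2
    }
    got=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$got" = "$want" ]; then
        echo "OK: $name"
    else
        # Corrupted or incomplete download: fetch it again before
        # troubleshooting later steps such as the LiveUSB or the install.
        echo "MISMATCH: $name" >&2
        echo "  expected $want" >&2
        echo "  computed $got" >&2
        return 1
    fi
}

# Demonstration on a constructed file (not a real installer image).
tmp=$(mktemp -d)
printf 'constructed sample image\n' > "$tmp/sample.iso"
(cd "$tmp" && sha256sum sample.iso > SHA256SUMS)
verify_download "$tmp/sample.iso" "$tmp/SHA256SUMS"        # intact copy
printf 'x' >> "$tmp/sample.iso"                            # simulate corruption
verify_download "$tmp/sample.iso" "$tmp/SHA256SUMS" || echo "exit status $?"
rm -rf "$tmp"
```

A status of 2 means the check could not be made (wrong list or wrong file name), which is a different problem from a corrupted download and should not be read as either a pass or a failure.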
