Verifying Ubuntu downloads


Sean P. DeNigris
Administrator
After heartbleed, I've become more security-conscious/paranoid than usual. Here's a little snippet that compares a downloaded Ubuntu iso file to the MD5 provided via SSL by Ubuntu. Not foolproof, but more peace of mind than crossing fingers and hoping for the best on the unsecured http mirrors...

    Gofer it
        smalltalkhubUser: 'SeanDeNigris' project: 'Superuser';
        configuration;
        loadStable.

    "#inform: success or signal an error"
    SuUbuntuHash verify: 'ubuntu-12.04.4-desktop-amd64.iso' asFileReference.

Cheers,
Sean

Re: Verifying Ubuntu downloads

Sean P. DeNigris
Administrator
Sean P. DeNigris wrote:
> SuUbuntuHash verify: 'ubuntu-12.04.4-desktop-amd64.iso' asFileReference.

Here's a corresponding version for Debian. It's not complete yet. Assuming SHA512SUMS and SHA512SUMS.sign are in the same directory, it will verify SHA512SUMS, and then verify SHA512SUMS.sign against the key information at https://www.debian.org/CD/verify . That is the only secure channel that I could find to check against.

    SuDebianKey verify: 'SHA512SUMS' asFileReference.

After verifying SHA512SUMS, you would do the same thing that we did before for Ubuntu - find the hash for the iso file and make sure it matches.
Cheers,
Sean
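
The last step described above (find the ISO's entry in the checksum list and compare it with the file's own digest), as an added Python example that is not part of the original posts or of the Superuser project. It goes slightly beyond the post by also covering the Ubuntu MD5 case through the `algorithm` parameter; it assumes the checksum list itself was already authenticated (fetched over HTTPS or signature-checked), and all function names are hypothetical.

```python
import hashlib
import hmac
import re
from pathlib import Path

# One line of a coreutils-style checksum list: "<hex digest>  <name>" (text mode)
# or "<hex digest> *<name>" (binary mode).
_SUMS_LINE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")


def parse_sums(text):
    """Map file name -> lowercase hex digest for every well-formed line."""
    entries = {}
    for line in text.splitlines():
        m = _SUMS_LINE.match(line)
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def file_digest(path, algorithm):
    """Hash a file in 1 MiB chunks so a multi-gigabyte ISO never sits in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(iso_path, sums_text, algorithm="sha512"):
    """Return True only if iso_path is listed in sums_text and its digest matches."""
    name = Path(iso_path).name
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        # A missing entry is an error, not a pass: nothing was verified.
        raise KeyError(f"{name} is not listed in the checksum file")
    if len(expected) != hashlib.new(algorithm).digest_size * 2:
        raise ValueError(f"listed digest is not a {algorithm} digest")
    return hmac.compare_digest(file_digest(iso_path, algorithm), expected)
```
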

Re: Verifying Ubuntu downloads

Damien Cassou
In reply to this post by Sean P. DeNigris
On Tue, Apr 15, 2014 at 3:22 AM, Sean P. DeNigris <[hidden email]> wrote:
> After heartbleed, I've become more security-conscious/paranoid than usual.
> Here's a little snippet that compares a downloaded Ubuntu iso file to the
> MD5 provided via SSL by Ubuntu. Not foolproof, but more peace of mind than
> crossing fingers and hoping for the best on the unsecured http mirrors...


thanks Sean, I will use it in a few days when new Ubuntu is out.

--
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm."
Winston Churchill


Re: Verifying Ubuntu downloads

Nicolas Petton

Damien Cassou writes:

> On Tue, Apr 15, 2014 at 3:22 AM, Sean P. DeNigris <[hidden email]> wrote:
>> After heartbleed, I've become more security-conscious/paranoid than usual.
>> Here's a little snippet that compares a downloaded Ubuntu iso file to the
>> MD5 provided via SSL by Ubuntu. Not foolproof, but more peace of mind than
>> crossing fingers and hoping for the best on the unsecured http mirrors...
>
>
> thanks Sean, I will use it in a few days when new Ubuntu is out.

Me too :)

Nico



--
Nicolas Petton
http://nicolas-petton.fr


Re: Verifying Ubuntu downloads

Sergi Reyner
In reply to this post by Sean P. DeNigris
2014-04-15 2:22 GMT+01:00 Sean P. DeNigris <[hidden email]>:
> After heartbleed, I've become more security-conscious/paranoid than usual.
> Here's a little snippet that compares a downloaded Ubuntu iso file to the
> MD5 provided via SSL by Ubuntu. Not foolproof, but more peace of mind than
> crossing fingers and hoping for the best on the unsecured http mirrors...

You know that quote about secure computers that ends with "and even then, I'm not that sure", right? :D

Cheers,
Sergi 


Re: Verifying Ubuntu downloads

Damien Cassou
In reply to this post by Sean P. DeNigris
On Tue, Apr 15, 2014 at 3:22 AM, Sean P. DeNigris <[hidden email]> wrote:
> After heartbleed, I've become more security-conscious/paranoid than usual.
> Here's a little snippet that compares a downloaded Ubuntu iso file to the
> MD5 provided via SSL by Ubuntu. Not foolproof, but more peace of mind than
> crossing fingers and hoping for the best on the unsecured http mirrors...

Your code sends #newTempFile but that doesn't exist.

    FileReference newTempfile.

I tried in both Pharo 2 and 3.

--
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm."
Winston Churchill


Re: Verifying Ubuntu downloads

Sean P. DeNigris
Administrator
On Apr 21, 2014, at 3:36 PM, Damien Cassou [via Smalltalk] <[hidden email]> wrote:
> Your code sends #newTempFile but that doesn't exist.
Arg… forgot to specify a dependent package. Uploading a new config now… should work…
Cheers,
Sean

Re: Verifying Ubuntu downloads

Damien Cassou
On Tue, Apr 22, 2014 at 2:04 AM, Sean P. DeNigris <[hidden email]> wrote:
> Arg... forgot to specify a dependent package. Uploading a new config now...
> should work...


nope, still same problem

--
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm."
Winston Churchill


Re: Verifying Ubuntu downloads

Sean P. DeNigris
Administrator
Damien Cassou wrote:
> nope, still same problem

Of course because I forgot to push the new config :/ Thanks for beta testing! Now, with Dale's advice on how to disable the package cache when simulating a load from the user's perspective before publishing a config (http://forum.world.st/Disabling-package-cache-tp4755672p4755675.html), I am pretty sure it will work. But I'm at work all night, so I will push to sthub tomorrow morning.
Cheers,
Sean

Re: Verifying Ubuntu downloads

Sean P. DeNigris
Administrator
Sean P. DeNigris wrote:
> I will push to sthub tomorrow morning.

Done. You should now be able to insert and verify your own file into the following:

    Gofer it
        smalltalkhubUser: 'SeanDeNigris' project: 'Superuser';
        configuration;
        loadStable.

    "#inform: success or signal an error"
    #SuUbuntuHash asClass verify: 'ubuntu-12.04.4-desktop-amd64.iso' asFileReference.

Cheers,
Sean

Re: Verifying Ubuntu downloads

Sean P. DeNigris
Administrator
In reply to this post by Damien Cassou
Damien Cassou wrote:
> nope, still same problem

Did it finally work or did you get tired of beta testing? ;)
Cheers,
Sean

Re: Verifying Ubuntu downloads

Damien Cassou
On Thu, May 8, 2014 at 7:46 PM, Sean P. DeNigris <[hidden email]> wrote:
> Did it finally work or did you get tired of beta testing? ;)


ok, I've just tried. This instruction

    NBMacShell run: 'md5 "', self fullName, '" > "', tmpFile fullName, '"'.

returns 32512 and does not write anything in tmpFile. I'm on Linux
and I'm not sure NBMacShell is supposed to work there.

Moreover, #secureUrl is sent on instance side but only implemented on
class side.

Best

--
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm."
Winston Churchill
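
An added example, not part of the thread or of the Superuser project: 32512 equals 127 × 256, so if the value is a raw POSIX wait status as returned by C `system()` (an assumption about NBMacShell), it decodes to exit code 127, the shell's "command not found"; `md5` is the macOS tool, while GNU/Linux ships `md5sum`. The Python sketch below decodes such a status and runs whichever tool is installed with the file name passed as an argument rather than spliced into a shell string; the function names are hypothetical.

```python
import shutil
import subprocess


def decode_wait_status(status):
    """Split a POSIX wait status into ('exit', code) or ('signal', number)."""
    signal_number = status & 0x7F
    if signal_number:
        return ("signal", signal_number)
    return ("exit", (status >> 8) & 0xFF)


# Candidate commands: macOS `md5 -q FILE` prints only the digest,
# GNU coreutils `md5sum FILE` prints "<digest>  FILE".
_TOOLS = (("md5", ["-q"]), ("md5sum", []))


def md5_via_tool(path):
    """Run the platform's MD5 tool without a shell; None if neither is installed."""
    for name, flags in _TOOLS:
        exe = shutil.which(name)
        if exe is None:
            continue
        # Argument list, no shell: quotes or $(...) in the file name stay literal.
        # "--" ends option parsing, so a name starting with "-" is not read as a flag.
        out = subprocess.run([exe, *flags, "--", path], check=True,
                             capture_output=True, text=True).stdout
        # md5sum prefixes the line with "\" when it had to escape the file name.
        return out.split()[0].lstrip("\\").lower()
    return None
```

When `md5_via_tool` returns `None`, hashing in-process with `hashlib` removes the dependency on an external command altogether.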