pop-os/iso

Offer to download checksum & detached GPG signature for Pop!_OS ISOs

taivlam opened this issue · 0 comments

Would it be possible to show SHA256 checksum and detached GPG signature files on the website for Pop!_OS ISOs?

From Reddit, in Source 1, the SHA256 checksums are mentioned to be saved in a separately generated SHA256SUMS file, while in Source 2 there is mention of additional safety in using GPG verification:

Using this, it's possible to deduce the SHA256SUMS and detached GPG signature SHA256SUMS.gpg exist in the same directory as any chosen ISO on the Pop!_OS site, as shown in this gist that goes through how to check the integrity and authenticity of any downloaded Pop!_OS ISO.

This would be in line with Linux Mint's doc page for pre-install checks on downloaded ISOs.

So, the infrastructure for GPG verification exists, though it would be a bit easier if the detached checksums and GPG signatures were included with the Pop!_OS downloads for those who know &/or are able to use GPG verification. I'm aware this doesn't solve all security issues and is advanced for most Pop!_OS users. If there is a concern that this would also need to be in the installation documentation, I'd be willing to propose simply worded documentation.
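
The two-step check the issue refers to, as an added example that is not part of the original issue, the linked gist, or any Pop!_OS tooling: authenticate `SHA256SUMS` with its detached signature first, then compare the ISO against the hash it lists. The function names are hypothetical, and the signing-key fingerprint is an argument because the issue does not state one; obtain it from a trusted channel and import the key beforehand.

```shell
#!/bin/sh
# Added example. Assumes gpg and sha256sum are installed and that the
# signing key is already in the local keyring.

# Step 1: SHA256SUMS must carry a valid detached signature made by the
# expected key. $3 is the 40-hex-digit fingerprint, uppercase, no spaces.
check_sums_signature() {
    css_sums=$1 css_sig=$2 css_fpr=$3
    # --status-fd 1 emits machine-readable lines; a VALIDSIG line appears
    # only for a cryptographically valid signature and names the key used.
    css_status=$(gpg --batch --status-fd 1 --verify "$css_sig" "$css_sums" 2>/dev/null) || return 1
    printf '%s\n' "$css_status" | grep -q "^\[GNUPG:\] VALIDSIG .*$css_fpr"
}

# Step 2: the ISO's SHA256 must equal the value listed for its file name.
# Returns 0 on match, 1 on mismatch, 2 if the ISO is not listed at all.
check_iso_against_sums() {
    cis_iso=$1 cis_sums=$2
    cis_name=$(basename "$cis_iso")
    # Lines look like "<hash>  <name>" or "<hash> *<name>" (binary mode).
    cis_expected=$(awk -v n="$cis_name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$cis_sums")
    [ -n "$cis_expected" ] || { echo "no entry for $cis_name in $cis_sums" >&2; return 2; }
    cis_actual=$(sha256sum "$cis_iso" | awk '{ print $1 }')
    [ "$cis_expected" = "$cis_actual" ]
}

# Order matters: a checksum file that has not been authenticated proves
# nothing, because whoever replaced the ISO could replace the hash too.
verify_iso() {
    check_sums_signature "$2" "$3" "$4" \
        || { echo "SHA256SUMS signature invalid or from an unexpected key" >&2; return 1; }
    check_iso_against_sums "$1" "$2" \
        || { echo "ISO does not match the signed checksum" >&2; return 1; }
    echo "OK: $1 matches the signed SHA256SUMS"
}

# Usage, with a placeholder fingerprint:
#   verify_iso pop-os.iso SHA256SUMS SHA256SUMS.gpg <KEY_FINGERPRINT>
```
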