For me, it's not enough to verify the integrity of an ISO – I also have to verify its authenticity (or at least verify the checksum file) with GPG. I don't know why, but just need to see that "Good signature" message before I feel safe installing Linux.

I notice, though, that the download pages of some prominent distros (Pop_OS!, openSUSE, etc) just give you a checksum, probably because they feel that anything else is unnecessary. This makes me shy away from installing them, which is a shame because I'd like to give some of those distros a try on bare metal.

Am I being paranoid when it comes to installing Linux?

  • TheEntity@kbin.social
    link
    fedilink
    arrow-up
    7
    arrow-down
    1
    ·
    edit-2
    1 year ago

    From where would you get the public GPG to verify the signature with? How do you know this specific key is the one to trust? Like @tony above said, the best verification when you have no pre-existing trusted channel is the SSL certificate of the website you get the ISO from.