Is there any way to verify a Ubuntu iso or hashsum via HTTPS? [duplicate]

security

The hashes and iso's are only provided via http, so md5sum-checking is insufficient. As @Doug Smythies explained in a comment on a deleted answer:

We (the Ubuntu Doc team) no longer maintain the https page, because it is pretty much impossible to do so. The people with the ability to do an https page won't.

However, Ubuntu's gpg fingerprints are available via https here.

TLDR

  1. Download MD5SUMS and MD5SUMS.gpg for the relevant release.
  2. Verify the MD5SUMS with the MD5SUMS.gpg and check that the fingerprint is the same as on this web page.
  3. Verify the iso with the MD5SUMS.

Whilst Canonical isn't providing HTTPS some of the officially recognized 3rd-party mirrors do, so that may be a viable alternative. Even without HTTPS you can always compare the checksums provided by several different mirrors (that you recognize) to help decrease the odds of a MITM (Man In The Middle).

List of Official 3rd-Party Mirrors CAPABLE of HTTPS:

(remove the - from h-ttps, only put there because too many urls)

  • https://free.nchc.org.tw/ubuntu-cd/
  • https://ftp.fau.de/ubuntu-releases/
  • https://ftp.heanet.ie/pub/ubuntu-releases/
  • https://ftp.lysator.liu.se/ubuntu-releases/
  • https://ftp.rnl.tecnico.ulisboa.pt/pub/ubuntu/releases/
  • https://ftp.sjtu.edu.cn/ubuntu-cd/
  • https://ftp-stud.hs-esslingen.de/pub/Mirrors/releases.ubuntu.com/
  • https://ftp.ucsb.edu/pub/mirrors/linux/ubuntu/
  • https://ftp.yzu.edu.tw/Linux/ubuntu-releases/
  • https://lug.mtu.edu/ubuntu-iso/
  • https://mirror.aarnet.edu.au/pub/ubuntu/releases/
  • https://mirror.beget.ru/ubuntu-releases/
  • https://mirror.cedia.org.ec/ubuntu-releases/
  • https://mirror.csclub.uwaterloo.ca/ubuntu-releases/
  • https://mirror.hmc.edu/ubuntu-releases/
  • https://mirror.imt-systems.com/ubuntu/
  • https://mirror.kku.ac.th/ubuntu-releases/
  • https://mirror.one.com/ubuntu-cd/
  • https://mirror.picosecond.org/ubuntu-releases/
  • https://mirrors.bloomu.edu/ubuntu-releases/
  • https://mirrors.cat.pdx.edu/ubuntu-releases/
  • https://mirrors.koehn.com/ubuntureleases/
  • https://mirrors.ocf.berkeley.edu/ubuntu-releases/
  • https://mirror.stjschools.org/public/ubuntu-release/
  • https://mirrors.tripadvisor.com/releases/
  • https://mirrors.tuna.tsinghua.edu.cn/ubuntu-releases/
  • https://mirrors.ustc.edu.cn/ubuntu-releases/
  • https://mirrors.xmission.com/ubuntu-cd/
  • https://mirror.umd.edu/ubuntu-iso/
  • https://mirror.vorboss.net/ubuntu-releases/
  • https://mirror.yandex.ru/ubuntu-releases/
  • https://ubuntu.koyanet.lv/releases/
  • https://ubuntu.localmsp.org/ubuntu-releases/
  • https://ubuntu.tuxuri.com/releases/
  • https://ubuntu.uni-sofia.bg/releases/
  • https://ubuntu.vxroutes.com/
  • https://www.mirrorservice.org/sites/releases.ubuntu.com/

In future, for those whom don't fancy checking mirrors by hand for HTTPS, you can use Https Finder, which was the tool used to find these mirrors.

Related

does rolling back the kernel in Ubuntu compromise security
Error with PECL command in PHP7
Cloning an SD card to another in Ubuntu using a single SD card reader
How to disable the shortcut for New Profile in command line (Terminal)
How do I upgrade to the release version of 16.04 if I am running Beta? [duplicate]
Implementing a naming standard for keys, indexes, constraints
Konsole hide tab bar
Prompt overwrite file in echo
Ubuntu 16.04 Core OS snap won't remove
Start task failed in Azure batch when trying to install python
How can I set gnome-terminal's X and Y startup position?
Screen recording software