[texhax] TeXLive installation: Integrity Checks, Cryptographic Signatures?
Moritz Schulte
Moritz.Schulte at ruhr-uni-bochum.de
Wed Aug 19 16:01:03 CEST 2015
Dear TUG,
since I am having trouble with the TeXLive version packaged for my OS Distribution, I would like to install a recent 'vanilla' TeXLive version from https://www.tug.org/texlive/.
I was surprised to realize that https://www.tug.org/texlive/acquire-netinstall.html does not promote any (easily accessible) way for doing integrity checks for the installer. After some digging I figured out that one can download the sha256 checksums from https://www.ctan.org/tex-archive/systems/texlive/tlnet. Is there any particular reason for not making these checksums easily findable? If not, I would like to make the suggestion of adding these checksums to the primary download page for the TeXLive installers.
(Of course, checksums published on a webpage could potentially also be forged, but without some kind of trust link this problem is difficult to solve. Hence, spreading the checksums is at least something...)
My second question is about the tlmgr program. When I install packages using tlmgr, does it do integrity checks, e.g. by comparing checksums or by verifying cryptographic signatures? Maybe I have overlooked something, but so far I couldn't find anything in the manual of tlmgr.
I have a bad feeling when executing code on my system without any way of making sure that the code is in fact the code it is supposed to be. It would be helpful if the manual would mention this.
Thank you very much,
Moritz Schulte