SHA256SUM of Torrent Download does NOT match listed SHA256SUM

Referring to the actual ISO image, not the torrent file. I got 2 very different SHA SUMs. Can someone else check this? Could be either user error or MITM attack. OR, worst case, the torrent file is compromised.

I have not tested this on other computers/ other networks. Someone needs to check this themselves.

NOTE: I got the SAME thing from the download from the direct download.

SHA256SUM of dl’d image: 05f1af0aa27b1c6edbfef9f8b075d1ff0580ec6194eb6c54a196400001b34b47

Expected SHA256SUM: ec19ba1280e5a05b78a863f3844864a8b0a3b4336028bcfbf143ad4fda44f2c3

Can confirm beyond a reasonable doubt that either 1.) I have been attacked by an adversary or 2.) There is a serious security vulnerability or 3.) I am a moron who screwed up somehow

1 Like

http://cdimage.ubuntu.com/ubuntu-mate/releases/16.04.4/release/SHA256SUMS

http://cdimage.ubuntu.com/ubuntu-mate/releases/16.04.4/release/

05f1af0aa27b1c6edbfef9f8b075d1ff0580ec6194eb6c54a196400001b34b47

16.04.4

ec19ba1280e5a05b78a863f3844864a8b0a3b4336028bcfbf143ad4fda44f2c3

16.04

2 Likes

@lah7 heads up, website hash hasn’t been updated.

FYI, the downloaded ISO from torrent does not match the SHA256SUM as well.

It seems this is a frequent issue. Best bet is to view the list of hashes available at http://cdimage.ubuntu.com/ubuntu-mate/releases/16.04/release/SHA256SUMS and pick the correct iso filename to compare.

1 Like

@wimpy Heads up, those hashes you changed were the 16.04 ones. I’ve amended them so they’re 16.04.4. :thumbsup:

Human error, sorry folks! We ought to automate this process somehow. :confused:

2 Likes

Thanks @lah7