- 3 Posts
- 4 Comments
BigHeadMode@lemmy.frozeninferno.xyz (OP) to Cybersecurity@sh.itjust.works • Threat model for PGP signed software vs. HTTPS • English
1·13 days ago
That’s Plan D in my OP. I still find hashes more convenient than PGP, but I’ll give PGP another try.
BigHeadMode@lemmy.frozeninferno.xyz (OP) to Cybersecurity@sh.itjust.works • Threat model for PGP signed software vs. HTTPS • English
11·13 days ago
Not sure what you’re getting at.

Plan A in my OP goes great. ubuntu.com has rarely if ever been compromised. They provide sha256 hashes over HTTPS via that site, see here. It’s signed with Let’s Encrypt which updates every 90 days. In theory the Ubuntu PGP keys are more secure (less moving parts / attack surface) than their server, but in practice a compromise of Ubuntu.com lasting longer than 90 days would be extraordinary. Most times I see mirrors, the hashes are provided on the main site, which renders the mirrors obviously correct or incorrect. I can download an Ubuntu ISO from malware.ru and verify that it’s authentic with the sha hash.

The only flaw I have found in plan A is plan D.
❌ plan D
- bad guy owns software.org
- did not compromise the public key (created years prior by the true owner)
- they cannot distribute software that matches the public key
- software is malware, served over valid https, and verifiable with malware hashes served by bad guy
With a hash, assuming you can verify it properly, you know ubuntu.com served you what it wanted to serve you.
Getting an md5 or sha-1 hash is pretty easy even on Windows. There’s some BS md5 or sha function built in to Windows if you know where to look. It’s built in to most unixes with commands like md5sum and shasum. Those algorithms have few if any real-world flaws, but sha256 is plenty popular now and has no(?) known flaws.

If this is some comment in the vein of “Reflections on Trusting Trust” – there are tons of hash programs out there that can be run offline that will predate software to be hashed by years if not decades. I trust these myriad programs to provide accurate hashes.
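
Added example, not part of the original comments: a Python sketch of the check discussed above, verifying a file from any mirror against a coreutils-style SHA256SUMS list. The file name `image.iso` and all sample bytes are constructed; the last case shows why the result carries only the trust of the channel the checksum list came from (plan D).

```python
import hashlib, hmac, os, string, tempfile

def parse_sha256sums(text):
    """Parse coreutils-style lines: 64 hex chars, a space, ' ' or '*', then the name."""
    sums = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, name = line[:64], line[64:66], line[66:]
        if len(digest) != 64 or not set(digest) <= set(string.hexdigits) \
                or sep not in ("  ", " *") or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest.lower()
    return sums

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a multi-gigabyte ISO never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, name, sums_text):
    """True only if `name` is listed and the file at `path` matches its digest."""
    expected = parse_sha256sums(sums_text).get(name)
    return expected is not None and hmac.compare_digest(sha256_file(path), expected)

def demo():
    # Constructed sample data; "image.iso" is a hypothetical file name.
    genuine, tampered = b"constructed genuine image", b"constructed tampered image"
    origin_sums = f"{hashlib.sha256(genuine).hexdigest()} *image.iso\n"
    other_sums = f"{hashlib.sha256(tampered).hexdigest()} *image.iso\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "image.iso")
        with open(path, "wb") as f:
            f.write(genuine)
        good_mirror = verify(path, "image.iso", origin_sums)  # mirror served the real file
        with open(path, "wb") as f:
            f.write(tampered)
        bad_mirror = verify(path, "image.iso", origin_sums)   # mirror altered the file
        plan_d = verify(path, "image.iso", other_sums)        # list and file share one source
    return good_mirror, bad_mirror, plan_d

if __name__ == "__main__":
    print(demo())
```
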
BigHeadMode@lemmy.frozeninferno.xyz (OP) to Cybersecurity@sh.itjust.works • Threat model for PGP signed software vs. HTTPS • English
1·22 days ago
HTTPS is super convenient. If you’re paranoid, or the entire chain is not HTTPS (HTTPS links to HTTP downloads), you can use a hash program.

Trust on first use makes a ton of sense. It would be nice if the PGP people explained that prominently.