[texhax] TeXLive installation: Integrity Checks, Cryptographic Signatures?

Moritz Schulte Moritz.Schulte at ruhr-uni-bochum.de
Wed Aug 19 16:01:03 CEST 2015


Dear TUG,

since I am having trouble with the TeXLive version packaged for my OS Distribution, I
would like to install a recent 'vanilla' TeXLive version from https://www.tug.org/texlive/.

I was surprised to realize that https://www.tug.org/texlive/acquire-netinstall.html does not
promote any (easily accessible) way for doing integrity checks for the installer. After some
digging I figured out that one can download the sha256 checksums from
https://www.ctan.org/tex-archive/systems/texlive/tlnet. Is there any particular reason for
not making these checksums easily findable? If not, I would like to make the suggestion of
adding these checksums to the primary download page for the TeXLive installers.

(Of course, checksums published on a webpage could potentially also be forged, but without
some kind of trust link this problem is difficult to solve. Hence, spreading the checksums
is at least something...)

My second question is about the tlmgr program. When I install packages using tlmgr, does it
do integrity checks, e.g. by comparing checksums or by verifying cryptographic signatures?
Maybe I have overlooked something, but so far I couldn't find anything in the manual of
tlmgr.

I have a bad feeling when executing code on my system without any way of making sure that
the code is in fact the code it is supposed to be. It would be helpful if the manual would
mention this.

Thank you very much,
Moritz Schulte