Unfortunately, it is not possible to verify the authenticity of Windows .iso files because Microsoft does not sign their releases.
Besides opening a bug report with Microsoft, the best way to minimize the risk of obtaining a maliciously-altered copy of Windows is to obtain the .iso file via the 3TOFU harm-reduction process: download the file multiple times, from multiple networks (eg Tor, VPN, ISP), on multiple days. If the hash of all three downloads matches, then the file is trusted to be likely authentic.
⚠ NOTE: 3TOFU is a process in harm reduction.
It is dangerous to download software whose authenticity you cannot verify (using a cryptographic signature from a key stored offline). However, since Microsoft provides no means to verify their software cryptographically after download, using 3TOFU may reduce your risk.
Note also that verifying the .iso with the hashes provided by Microsoft provide no security, since they're obtained from the same place as the .iso. If an attacker modified the .iso that you're downloading, then it's trivial for them to modify the hash too.
3TOFU Process
To best mitigate targeted attacks, 3TOFU should be done:
- On three distinct days
- On three distinct machines (or VMs)
- Exiting from three distinct countries
- Exiting using three distinct networks
For example, I'll usually execute
- TOFU #1/3 in TAILS (via Tor)
- TOFU #2/3 in a Debian VM (via VPN)
- TOFU #3/3 on my daily laptop (via ISP)
The possibility of an attacker maliciously modifying something you download over your ISP's network are quite high, depending on which country you live-in.
The possibility of an attacker maliciously modifying something you download onto a VM with a freshly installed OS over an encrypted VPN connection (routed internationally and exiting from another country) is much less likely, but still possible -- especially for a well-funded adversary.
The possibility of an attacker maliciously modifying something you download onto a VM running a hardened OS (like Whonix or TAILS) using a hardened browser (like Tor Browser) over an anonymizing network (like Tor) is quite unlikely.
The possibility for someone to execute a network attack on all three downloads is very near-zero -- especially if the downloads were spread-out over days or weeks.
3TOFU bash Script
For example, you can execute the following bash script for each 3TOFU of the Windows .iso file.
REMOTE_FILES="https://software-download.microsoft.com/db/Win10_20H2_v2_English_x64.iso?t=678f5b15-082a-4efb-8190-adc59cdcea87&e=1612452261&h=3ec44f5c20d933fbf28ffeea4fbfbe0a"
CURL="/usr/bin/curl"
WGET="/usr/bin/wget --retry-on-host-error --retry-connrefused"
PYTHON="/usr/bin/python3"
in tails, we must torify
if [[ "whoami" == "amnesia" ]] ; then
CURL="/usr/bin/torify ${CURL}"
WGET="/usr/bin/torify ${WGET}"
PYTHON="/usr/bin/torify ${PYTHON}"
fi
tmpDir=mktemp -d
pushd "${tmpDir}"
first get some info about our internet connection
${CURL} -s https://ifconfig.co/country | head -n1
${CURL} -s https://check.torproject.org | grep Congratulations | head -n1
and today's date
date -u +"%Y-%m-%d"
get the file
for file in ${REMOTE_FILES}; do
wget ${file}
done
checksum
date -u +"%Y-%m-%d"
sha256sum *
Here's one example execution of the above script (on a debian DispVM, executed with a VPN).
/tmp/tmp.xT9HCeTY0y ~
Canada
2024-05-04
...
2024-05-04
b284afcc298cc6f5da6ab4d483318c453b2074485974b71b16fdfc7256527cb1 Win10_20H2_v2_English_x64.iso
The TOFU output above shows that the Windows .iso file has a sha256 hash of "b284afcc298cc6f5da6ab4d483318c453b2074485974b71b16fdfc7256527cb1".
When doing a 3TOFU, save the output of each execution. After collecting output from all 3 executions (intentionally spread-out over 3 days or more), diff the output.
If the output of all three TOFUs match, then the confidence of the file's authenticity is very high.
Attribution
The code snippet above was copied from the following website, licensed CC BY-SA.
