[tex-live] TeXLive installation: Integrity Checks, Cryptographic Signatures?

Moritz Schulte moritz.schulte at rub.de
Thu Aug 20 10:21:37 CEST 2015


Since I am having trouble with the TeXLive version packaged for my OS
Distribution, I would like to install a recent 'vanilla' TeXLive version
from https://www.tug.org/texlive/.

I was surprised to realize that
https://www.tug.org/texlive/acquire-netinstall.html does not promote any
(easily accessible) way for doing integrity checks for the installer.
After some digging I figured out that one can download the sha256
checksums from https://www.ctan.org/tex-archive/systems/texlive/tlnet.
Is there any particular reason for not making these checksums easily
findable? If not, I would like to make
the suggestion of adding these checksums to the primary download page
for the TeXLive installers.

(Of course, checksums published on a webpage could potentially also be
forged, but without some kind of trust link this problem is difficult to
solve. Hence, spreading the checksums is at least something...)

My second question is about the tlmgr program. When I install packages
using tlmgr, does it do integrity checks, e.g. by comparing checksums or
by verifying cryptographic signatures? Maybe I have overlooked
something, but so far I couldn't find anything in the manual of tlmgr.

I have a bad feeling when executing code on my system without any way of
making sure that the code is in fact the code it is supposed to be. It
would be helpful if the manual would mention this.

Thank you very much,
Moritz Schulte
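
One way to do the manual check the message describes, added here as an example (it is not part of the original post and not TeX Live's own tooling): compare a downloaded file with its entry in a sha256sum-style checksum file and refuse anything ambiguous. The checksum file layout and the script's arguments are assumptions; as the post notes, a checksum only establishes authenticity if it reaches you over a channel you trust.

```shell
#!/bin/sh
# Added example: fail-closed SHA-256 check of a download against a
# sha256sum-style checksum file ("<64 hex digits>  <file name>" per line).
# Exit status: 0 = digest matches, 1 = mismatch, 2 = inputs unusable.

verify_sha256() {
    file=$1
    sums=$2
    [ -f "$file" ] && [ -f "$sums" ] || { echo "missing input file" >&2; return 2; }
    name=$(basename -- "$file")

    # Collect the digest of every entry whose file name equals ours.
    expected=$(awk -v n="$name" '{
        f = substr($0, length($1) + 2)   # text after the first separator
        sub(/^[ *]/, "", f)              # drop the text/binary mode marker
        if (f == n) print tolower($1)
    }' "$sums")

    # Require exactly one well-formed digest. Zero entries, duplicate entries
    # (the newline fails the character test) and short digests are refused.
    case $expected in
        "" | *[!0-9a-f]*) echo "no usable entry for $name" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest for $name" >&2; return 2; }

    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum < "$file")
    else
        actual=$(shasum -a 256 < "$file")   # e.g. macOS
    fi
    actual=${actual%% *}                    # keep only the hex digest

    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
    else
        echo "MISMATCH: $name (expected $expected, got $actual)" >&2
        return 1
    fi
}

# Usage as a script: verify.sh DOWNLOADED_FILE CHECKSUM_FILE
if [ "$#" -eq 2 ]; then
    verify_sha256 "$1" "$2"
fi
```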
