Checking file integrity
Often software available for download will have hashes similar to those shown below (this one is from http://centos.mirror.facebook.net/6.5/isos/x86_64/).
Is it just personal preference whether md5, sha1, or sha256 is used, or is one better than the other?
Are the hash files which end in "asc" also providing protection that the actual hash file is legitimate? How do I use this second hash?
I understand how to use md5sum, but then I need to visually compare the two hashes. Is there a good way to have the command compare the MD5 of the file to a given hash string, and indicate yes/no whether they match?
I take it the reason to do so is to ensure the software is the same as the original author intended. Is the threat that some bad guy might replace the file with some sinister software? If someone could do that, wouldn't it be just as easy to replace the hash files with something that matches the bad software?
Thank you
md5sum.txt:
Code:
83221db52687c7b857e65bfe60787838 CentOS-6.5-x86_64-bin-DVD1.iso
Code:
-----BEGIN PGP SIGNED MESSAGE----- |
Code:
Is it just personal preference whether md5, sha1, or sha256 is used, or is one better than the other?
Code:
I understand how to use md5sum, but then I need to visually compare the two hashes. Is there a good way to have the command compare the MD5 of the file to a given hash string, and indicate yes/no whether they match?
Code:
[root@Archx64_VM tmp]# dd if=/dev/urandom bs=1M count=5 of=randomFile
Code:
[root@Archx64_VM tmp]# dd if=/dev/urandom bs=1M count=5 of=randomFile
Code:
I take it the reason to do so is to ensure the software is the same as the original author intended. Is the threat that some bad guy might replace the file with some sinister software? If someone could do that, wouldn't it be just as easy to replace the hash files with something that matches the bad software?
Code:
gpg --verify md5sum.txt.asc |
As stated, md5 is broken so it is NOT preferred. sha1 is getting a bit old. The best hash of the three would be sha-256.
The .asc file is PGP signed. You can verify it using 'gpg --verify file.asc'. It verifies BOTH the integrity and authenticity of the file. Hashes only validate the integrity. Now that isn't to say that PGP signatures can't be faked: http://it.slashdot.org/story/14/03/2...velopers-found
Understand that if someone breaches a server, they will likely alter all relevant files to make them match. The hardest one to alter is the .asc file because it relies on the PGP key server, which is a different server. Technically, you could improve security using regular hashes by using different servers for different parts, that way they would have to alter multiple servers to get everything to match up.
To verify checksum files use the '-c' option, it's the same option for md5sum, sha1sum, sha512sum. 'sha1sum -c checksums.sha1' |
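Added example, not part of the thread: a yes/no check of a download against a given hash string, and against one entry of a multi-file checksum list using the '-c' option mentioned above. The function names and the constructed sample files are assumptions, and sha256sum is used because the thread prefers SHA-256; this checks integrity only, so the list itself should first pass 'gpg --verify'.

```sh
#!/bin/sh
# check_hash FILE EXPECTED_HEX: exit 0 only if SHA-256(FILE) equals the given
# string (upper- or lower-case hex). A missing file counts as a mismatch.
check_hash() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# check_listed SUMFILE FILE: verify FILE against its own entry in a checksum
# list that names several files (as a mirror's sha256sum.txt does).
# Exit 0 = match, 1 = mismatch, 2 = no entry for FILE (fail closed).
# Assumes file names without spaces.
check_listed() {
    name=$(basename "$2")
    # Keep only the line for this file; entries look like "HASH  name" or "HASH *name".
    line=$(awk -v n="$name" '$2 == n || $2 == "*" n' "$1")
    [ -n "$line" ] || return 2
    # -c reads the checksum line from stdin and resolves the name relative to cwd.
    (cd "$(dirname "$2")" && printf '%s\n' "$line" | sha256sum -c >/dev/null 2>&1)
}

# Demo on constructed data: a 1 MiB random file stands in for the ISO.
demo() {
    tmp=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$tmp/sample.iso" bs=1024 count=1024 2>/dev/null
    good=$(sha256sum "$tmp/sample.iso" | cut -d' ' -f1)
    {
        printf '%s  %s\n' "$good" sample.iso
        printf '%064d  %s\n' 0 not-downloaded.iso   # entry for a file we do not have
    } > "$tmp/sha256sum.txt"

    check_hash "$tmp/sample.iso" "$good" && echo "hash string: MATCH"
    check_listed "$tmp/sha256sum.txt" "$tmp/sample.iso" && echo "checksum list: MATCH"

    printf 'x' >> "$tmp/sample.iso"   # simulate a corrupted or altered download
    check_listed "$tmp/sha256sum.txt" "$tmp/sample.iso" || echo "after change: MISMATCH"
    rm -rf "$tmp"
}
demo
```

Selecting the single matching line avoids the "No such file" failures that a plain 'sha256sum -c sha256sum.txt' reports for every listed ISO that was not downloaded.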
Thank you all.
OK, I take it that md5/sha1/sha256 are all probably adequate for this application, but I should use the strongest hashing algorithms provided (i.e. sha256) if I am not concerned about CPU demands. Also, I understand that the .asc files are used to authenticate the file. What do they authenticate against? Maybe "/etc/pki/rpm-gpg/RPM-GPG-KEY*"? |
I've tried a bit more, but still don't understand who I could trust. How do I establish the original trust?
Code:
[root@michales ~]# gpg --verify sha256sum.txt.asc
Code:
[root@michales ~]# gpg --gen-key |
Try this.
|
Quote:
It still just hangs, however. How long does it take to "generate a lot of random bytes"? I've waited 45 minutes before ^C, and killing the process. |
Guess I just had to wait for gpg --gen-key. Took about 50 minutes or so.
Back to the original question. When verifying a file using 'gpg --verify file.asc', how do I know it is valid since it certified with a trusted signature?
Code:
[root@michales ~]# gpg --verify sha256sum.txt.asc |
|
Thanks mddesai, That was helpful.
So, when generating a key, is it mandatory to add a comment? The YouTube video used the comment kind of like a username, and used commands such as "gpg --encrypt --recipient user file.txt" and "gpg --armor --output Michael_PUBKEY.txt --export user". Why not use the Linux username? I think I am still uncertain on my previous question, but let me digest this for a bit. Thanks |