LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 10-27-2017, 06:26 AM   #1
firenze465
Member
 
Registered: Oct 2017
Posts: 37

Rep: Reputation: Disabled
How to use sha512sum on an iso file


I have downloaded a .iso file for debian 9 and now need to do a checksum on the file.

So how do I use sha512sum on the command line to verify the iso file?
Many thanks.
 
Old 10-27-2017, 07:01 AM   #2
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,164
Blog Entries: 3

Rep: Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061
One way would be to cd to the directory where your downloaded file resides. Then run the program with the file name as the first option:

Code:
sha256sum the_full_file_name.iso
be sure to check the manual page before and after. The manual pages will make more sense the more you get used to them.

Code:
man sha256sum
They vary in quality though, but in general function as good reference documents. For tutorials or guides turn to the search engines.
 
1 members found this post helpful.
Old 10-27-2017, 11:08 AM   #3
firenze465
Member
 
Registered: Oct 2017
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
One way would be to cd to the directory where your downloaded file resides. Then run the program with the file name as the first option:

Code:
sha256sum the_full_file_name.iso
I've completed the sha256sum command and it's given me a hash number.
However, I can't find the debian page which has the corresponding sha256sum number.
The debian site doesn't seem to be showing a link.

Also, when I use:
Code:
sha256sum -c .isofile
I get some weird error message.
So although the sha256sum command gives a proper output, the -c option gives a weird result.
The man page says -c means 'check' but Wikipedia says it means 'has it downloaded properly'
 
Old 10-27-2017, 11:24 AM   #4
DVOM
Member
 
Registered: Nov 2010
Posts: 223

Rep: Reputation: 48
Quote:
Originally Posted by firenze465 View Post
I've completed the sha256sum command and it's given me a hash number.
However, I can't find the debian page which has the corresponding sha256sum number.
The debian site doesn't seem to be showing a link.
Take the hash number and copy/paste it into google and see what ya get.
 
1 members found this post helpful.
Old 10-27-2017, 11:27 AM   #5
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,164
Blog Entries: 3

Rep: Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061
The -c option isused to point to a file containing a list of SHA256 checksums and corresponding file names. It is good if you have transfered a whole directory of files at once and the person you download from has prepared such a file.

Code:
mkdir /tmp/X/
cd /tmp/X/
date > a
date > b
date > c
date > d

sha256sum {a..d} > checksums
more checksums

sha256sum -c checksums

date > d

sha256sum -c checksums
But back to your verification question, the checksum file for the Debian images should be in the same diectory you downloaded the ISO-9660 image from. So in

https://cdimage.debian.org/debian-cd...amd64/iso-dvd/

You have several choices. If you choose the SHA256 option, then download both SHA256 and SHA256.sign Then verify the former using the latter and OpenPGP:

Code:
gpg --verify  SHA256SUMS.sign SHA256SUMS
If you need the key, that is another adventure. But if you have the key and if SHA256SUMS is ok, then you can use it to check your file to make sure your .iso file is authentic.

Code:
sha256sum -c SHA256SUMS
If you do not have the right key and don't wish to get it, you can still use that method but it will only tell you if the .iso file downloaded correctly rather than whether it is authentic or not.

Again, that should be done in the same directory as the .iso file.
 
Old 10-27-2017, 11:31 AM   #6
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,164
Blog Entries: 3

Rep: Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061
Oh, and where I've been writing sha256sum and SHA256SUMS and SHA256SUMS.sig, swap 256 with 512.

You've been asking about 512 and I've been mistakenly answering about 256. The method is the same, just the file names are different.
 
Old 10-27-2017, 12:45 PM   #7
firenze465
Member
 
Registered: Oct 2017
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by DVOM View Post
Take the hash number and copy/paste it into google and see what ya get.
The search showed me a few debian mirrors.
Well, at least it's found the right website!
 
Old 10-27-2017, 01:11 PM   #8
firenze465
Member
 
Registered: Oct 2017
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
The -c option isused to point to a file containing a list of SHA256 checksums and corresponding file names. It is good if you have transfered a whole directory of files at once and the person you download from has prepared such a file.
I see. So the -c option is used when you have a file with a list of filenames and their corresponding checksums.
The man pages are hit and miss as you say, but thank you for clarifying.

Quote:
the checksum file for the Debian images should be in the same diectory you downloaded the ISO-9660 image from. So in

https://cdimage.debian.org/debian-cd...amd64/iso-dvd/ You have several choices.
I am making a netinstall. The debian page doesn't seem to have a verification process.
Is that because the majority of the OS is coming from the debian repository?
Or do I still have to verify the netinstall?

Quote:
If you choose the SHA256 option, then download both SHA256 and SHA256.sign Then verify the former using the latter and OpenPGP:
The cdimage.debian page shows md5sums. But Wikipedia says it's not secure
 
Old 10-27-2017, 01:13 PM   #9
firenze465
Member
 
Registered: Oct 2017
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
Oh, and where I've been writing sha256sum and SHA256SUMS and SHA256SUMS.sig, swap 256 with 512.

You've been asking about 512 and I've been mistakenly answering about 256. The method is the same, just the file names are different.
I think the 512 is for a 64-bit processor but I can't find the link.
 
Old 10-27-2017, 01:18 PM   #10
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,164
Blog Entries: 3

Rep: Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061
MD5 is a weaker hash algorithm. Yes, it's insecure and should be avoided, at least in this kind of thing. However, if you look at the Debian download pages there should be SHA256 or SHA512 files available. To over simplify, SHA-2 is the algorithm and 256 or 512 is the size of the resulting hash.
 
Old 10-28-2017, 10:44 AM   #11
DVOM
Member
 
Registered: Nov 2010
Posts: 223

Rep: Reputation: 48
Quote:
Originally Posted by firenze465 View Post
The search showed me a few debian mirrors.
Well, at least it's found the right website!
It didn't just find the right website, it found your hash number. Which means your ISO passed the test.

And if you look at the debian download site, they provide "md5" "sha1" "sha256" and "sha512" for each ISO.
 
Old 10-28-2017, 01:29 PM   #12
firenze465
Member
 
Registered: Oct 2017
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by DVOM View Post
It didn't just find the right website, it found your hash number. Which means your ISO passed the test.

And if you look at the debian download site, they provide "md5" "sha1" "sha256" and "sha512" for each ISO.
The search engine certainly has found a connection with the debian website.
However, this isn't the usual verification method.

Debian has many types of .iso files: netinst, networking install, live and DVD.
The cdimage.debian site only has checksums for the DVD types.
I'm wondering why there aren't checksums provided for all the other types.
It's possible checksums might not be needed - but I can't find any info on it.
 
Old 10-28-2017, 01:40 PM   #13
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,164
Blog Entries: 3

Rep: Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061Reputation: 2061
The checksums actually are provided for the other types. Take a look at this mirror:

https://cdimage.debian.org/debian-cd.../amd64/iso-cd/

Notice that the contents of SHA512SUMS lists all three disc images:

https://cdimage.debian.org/debian-cd...-cd/SHA512SUMS

You'd download the disc image, download the SHA file, then use the -c option with sha512sum, after verifying it with the .sig file. Maybe the --ignore-missing option would be nice, too. However, with just one or two missing files, it's not going to be a big deal to leave that off.

Last edited by Turbocapitalist; 10-28-2017 at 01:42 PM.
 
1 members found this post helpful.
Old 10-28-2017, 04:31 PM   #14
DVOM
Member
 
Registered: Nov 2010
Posts: 223

Rep: Reputation: 48
Quote:
Originally Posted by firenze465 View Post
The search engine certainly has found a connection with the debian website.
However, this isn't the usual verification method.

Debian has many types of .iso files: netinst, networking install, live and DVD.
The cdimage.debian site only has checksums for the DVD types.
I'm wondering why there aren't checksums provided for all the other types.
It's possible checksums might not be needed - but I can't find any info on it.
How about posting the name of your ISO.

This isn't near as difficult as you're making it. Whenever you d/l an ISO, you should grab the hash numbers at the same time.

And those debian sites that your google search found, at least one of those pages has all the info that you're looking for.
 
Old 10-29-2017, 07:14 AM   #15
firenze465
Member
 
Registered: Oct 2017
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
The checksums actually are provided for the other types. Take a look at this mirror:

https://cdimage.debian.org/debian-cd.../amd64/iso-cd/
I don't know how you found the link but this is what I was looking for. Thank you!

Quote:
You'd download the disc image, download the SHA file, then use the -c option with sha512sum, after verifying it with the .sig file. Maybe the --ignore-missing option would be nice, too. However, with just one or two missing files, it's not going to be a big deal to leave that off.
Well, finally we reach the complicated bit.
I can do a sha512sum on a downloaded .iso file and check that it corresponds with the hash number on the debian site.

But what about the GnuPG bit?
The debian site says 'The server may be accessed with gpg by using the --keyserver option in combination with either of the --recv-keys or --send-keys actions'.

As you can see, this is a little complicated - I just want a debian OS on usb.
Do you know how I can do the GnuPG bit? Is there a tutorial showing how I can complete the debian verification process? Sorry for all the questions.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Friends. Installing distribution with your .iso file only.///Amigos. Como instalar distribuição com seu arquivo.iso, apenas. flaviorobertowolff333 Linux - Hardware 1 03-21-2016 10:20 AM
sha512sum seamonkey-x.xx.checksums marcelp1 Linux - Newbie 4 10-03-2015 01:05 PM
how to make non bootable iso file and iso via linux command line?? npubudu Linux - Newbie 2 02-01-2009 11:31 PM
how to make dvd iso file from cd iso files. hocheetiong Linux - General 1 09-29-2007 05:21 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 06:44 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration