[SOLVED] Is my saved OS' checksum what it currently is or what it should be?
Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Is my saved OS' checksum what it currently is or what it should be?
debian buster
QUESTION UPDATED - PLEASE RE-READ!!! Thanks.
The 'checksum' in the "checksum text document" that automatically downloads with the iso image - is this the online checksum from the distro's website?
If yes, then if my download iso were corrupted, and I ran a checksum test using my terminal, then the checksum output that 'I' generate in my terminal will be 'different' than the "checksum text document" that came with my download.
I think the updated question can be answered yes or no.
Thanks
Last edited by duupunisher2x; 09-07-2020 at 12:59 PM.
i don't understand your question. The checksum always belongs to a file. So the [debian buster] image and its checksum are inseparable. Different images are different files with different checksums. These checksums cannot be transferred or applied to any other file but the original one.
The checksum itself is generated (calculated) from the file (iso image).
The checksum is valid only for the file you originally downloaded. Current .iso files on the download site may be, and probably are, different. The only reason to use the checksum is to insure that the file you just downloaded is valid. The file on the website, and its checksum, may be different tomorrow. That is expected. You cannot use the checksum you downloaded last year and compare it to anything available now.
The checksum is valid only for the file you originally downloaded. Current .iso files on the download site may be, and probably are, different. The only reason to use the checksum is to insure that the file you just downloaded is valid. The file on the website, and its checksum, may be different tomorrow. That is expected. You cannot use the checksum you downloaded last year and compare it to anything available now.
Thanks but when I check the checksum online for debian 9.4.0 - why would it have changed? The checksum for debian 10.5 will be different from 9.4.0.
So it seems to me, correctly or incorrectly, that the "online" checksum for debian 9.4.0 will always be the same for years to come. Please correct me if I am wrong. Thanks.
The 9.4 .iso could have been changed for any number of reasons. The checksum does not apply to the 9.4 .iso generally, but to a specific file available for download. Anything that old could have had packages updated in it for security reasons, or for other reasons. Again, a checksum is valid for one file, and one file only. It is valid only for the file currently available for download, not for any previous or subsequent files. It is calculated based on the contents of the file, and even a one byte change in the file will change the checksum.
i don't understand your question. The checksum always belongs to a file. So the [debian buster] image and its checksum are inseparable. Different images are different files with different checksums. These checksums cannot be transferred or applied to any other file but the original one.
The checksum itself is generated (calculated) from the file (iso image).
The "checksum text document" that automatically downloads with the iso image. Is this the online checksum from the distro's website?
Last edited by duupunisher2x; 09-07-2020 at 12:36 PM.
The 9.4 .iso could have been changed for any number of reasons. The checksum does not apply to the 9.4 .iso generally, but to a specific file available for download. Anything that old could have had packages updated in it for security reasons, or for other reasons. Again, a checksum is valid for one file, and one file only.
Ok, thanks. So when I compare the checksum I create with my terminal to the online checksum posted by debian for 9.4live, and they are the same, is there any reason to doubt that my checksum and liveimage are non-corrupted and perfectly safe to use?
Ok, thanks. So when I compare the checksum I create with my terminal to the online checksum posted by debian for 9.4live, and they are the same, is there any reason to doubt that my checksum and liveimage are non-corrupted and perfectly safe to use?
Thx
No. If the checksum you generate is identical to the online checksum, you can be sure that the files are identical, down to the byte. If you got the file from the Debian website, you can trust it. If you got it elsewhere, there is no guarantee of anything.
It sounds like the answer to my "updated question above" is no.
In this case, the checksum within the "checksum text document" that came with my download, is only applicable to my actual download, and not necessarily what the correct checksum is for this operating system (which I would find on https://www.debian.org/CD/verify.en.html).
Therefore, if I download the iso from 3 different websites, and all 3 iso's were corrupted, the "checksum text document" that comes with the download would or could be different for all 3.
Last edited by duupunisher2x; 09-07-2020 at 01:29 PM.
Yes. I have no idea why you would want to download from multiple sites, though. The only site I trust is the Debian site. Note, there are multiple .iso for any release. You can get them for small CDs, minimal netinstall, liveDVD, and more. Each will have a different checksum. Use the checksum for only the file you download. All others are invalid. It's easy for someone to add malware and put it on a site. The checksum of the file with the malware could easily check against the file, and you have no way of knowing it. Checksums only check against an individual file. Some distros have had their repositories hacked (cough, green, cough) and people downloaded .iso's and packages that were infected. Debian's security seems good, and no one has been able to hack the repositories so far. If you're concerned about security, only download Debian from the Debian sites, nowhere else.
Yes. I have no idea why you would want to download from multiple sites, though. The only site I trust is the Debian site. Note, there are multiple .iso for any release. You can get them for small CDs, minimal netinstall, liveDVD, and more. Each will have a different checksum. Use the checksum for only the file you download. All others are invalid. It's easy for someone to add malware and put it on a site. The checksum of the file with the malware could easily check against the file, and you have no way of knowing it. Checksums only check against an individual file. Some distros have had their repositories hacked (cough, green, cough) and people downloaded .iso's and packages that were infected. Debian's security seems good, and no one has been able to hack the repositories so far. If you're concerned about security, only download Debian from the Debian sites, nowhere else.
I have no idea how this question got so complicated
First, downloading from 3 different websites was just an example to try to clarify my point.
Sgosnell, you stated "yes". So then the checksum that automatically comes with the debian download (ie: the checksum.txt document) is the DISTRO ONLINE checksum for my download, and NOT NECESSARILY the same checksum as the checksum for the download I just downloaded, yes?
If yes, this means that I need to "sudo dd if=/dev/cdrom count=x bs=y | sha256sum" and compare it to the "checksum.txt document" that just came included with my download, yes?
Thank you.
Last edited by duupunisher2x; 09-07-2020 at 08:03 PM.
You don't need to dd the file, just generate the checksum for the downloaded file and compare it to the advertised checksum. This is not rocket science. https://itsfoss.com/checksum-tools-guide-linux/
You don't need to dd the file, just generate the checksum for the downloaded file and compare it to the advertised checksum. This is not rocket science. https://itsfoss.com/checksum-tools-guide-linux/
So the "checksum.txt document" that comes with the debian download is there so that I don't have to go looking online for a website, (assuming I don't know where to find the debian checksums online) to find out what the REAL checksum is (NOT my downloaded .txt doc checksum) - that's what the .txt document is for....yes?
Please tell me yes or no, thank you.
Last edited by duupunisher2x; 09-07-2020 at 08:50 PM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
