LinuxQuestions.org

duupunisher2x 09-07-2020 12:00 PM

Is my saved OS' checksum what it currently is or what it should be?
 
debian buster


QUESTION UPDATED - PLEASE RE-READ!!! Thanks.


The 'checksum' in the "checksum text document" that automatically downloads with the iso image - is this the online checksum from the distro's website?

If yes, then if my download iso were corrupted, and I ran a checksum test using my terminal, then the checksum output that 'I' generate in my terminal will be 'different' than the "checksum text document" that came with my download.


I think the updated question can be answered yes or no.

Thanks

pan64 09-07-2020 12:06 PM

I don't understand your question. The checksum always belongs to a file. So the [debian buster] image and its checksum are inseparable. Different images are different files with different checksums. These checksums cannot be transferred or applied to any other file but the original one.
The checksum itself is generated (calculated) from the file (iso image).

teckk 09-07-2020 12:15 PM

Get a current install image, checksum it after you downloaded it to make sure that it is not corrupted, install it.

https://www.debian.org/CD/
https://www.debian.org/distrib/netinst
https://cloud.debian.org/images/cloud/

sgosnell 09-07-2020 12:21 PM

The checksum is valid only for the file you originally downloaded. Current .iso files on the download site may be, and probably are, different. The only reason to use the checksum is to ensure that the file you just downloaded is valid. The file on the website, and its checksum, may be different tomorrow. That is expected. You cannot use the checksum you downloaded last year and compare it to anything available now.

duupunisher2x 09-07-2020 12:25 PM

Quote:

Originally Posted by sgosnell (Post 6163488)
The checksum is valid only for the file you originally downloaded. Current .iso files on the download site may be, and probably are, different. The only reason to use the checksum is to ensure that the file you just downloaded is valid. The file on the website, and its checksum, may be different tomorrow. That is expected. You cannot use the checksum you downloaded last year and compare it to anything available now.

Thanks but when I check the checksum online for debian 9.4.0 - why would it have changed? The checksum for debian 10.5 will be different from 9.4.0.

So it seems to me, correctly or incorrectly, that the "online" checksum for debian 9.4.0 will always be the same for years to come. Please correct me if I am wrong. Thanks.

sgosnell 09-07-2020 12:30 PM

The 9.4 .iso could have been changed for any number of reasons. The checksum does not apply to the 9.4 .iso generally, but to a specific file available for download. Anything that old could have had packages updated in it for security reasons, or for other reasons. Again, a checksum is valid for one file, and one file only. It is valid only for the file currently available for download, not for any previous or subsequent files. It is calculated based on the contents of the file, and even a one byte change in the file will change the checksum.

duupunisher2x 09-07-2020 12:30 PM

Quote:

Originally Posted by pan64 (Post 6163480)
I don't understand your question. The checksum always belongs to a file. So the [debian buster] image and its checksum are inseparable. Different images are different files with different checksums. These checksums cannot be transferred or applied to any other file but the original one.
The checksum itself is generated (calculated) from the file (iso image).

The "checksum text document" that automatically downloads with the iso image. Is this the online checksum from the distro's website?

duupunisher2x 09-07-2020 12:32 PM

Quote:

Originally Posted by sgosnell (Post 6163494)
The 9.4 .iso could have been changed for any number of reasons. The checksum does not apply to the 9.4 .iso generally, but to a specific file available for download. Anything that old could have had packages updated in it for security reasons, or for other reasons. Again, a checksum is valid for one file, and one file only.

Ok, thanks. So when I compare the checksum I create with my terminal to the online checksum posted by debian for 9.4live, and they are the same, is there any reason to doubt that my checksum and liveimage are non-corrupted and perfectly safe to use?

Thx

sgosnell 09-07-2020 12:36 PM

https://www.debian.org/CD/verify.en.html

sgosnell 09-07-2020 12:38 PM

Quote:

Originally Posted by duupunisher2x (Post 6163496)
Ok, thanks. So when I compare the checksum I create with my terminal to the online checksum posted by debian for 9.4live, and they are the same, is there any reason to doubt that my checksum and liveimage are non-corrupted and perfectly safe to use?

Thx

No. If the checksum you generate is identical to the online checksum, you can be sure that the files are identical, down to the byte. If you got the file from the Debian website, you can trust it. If you got it elsewhere, there is no guarantee of anything.

duupunisher2x 09-07-2020 01:17 PM

It sounds like the answer to my "updated question above" is no.

In this case, the checksum within the "checksum text document" that came with my download, is only applicable to my actual download, and not necessarily what the correct checksum is for this operating system (which I would find on https://www.debian.org/CD/verify.en.html).

Therefore, if I download the iso from 3 different websites, and all 3 iso's were corrupted, the "checksum text document" that comes with the download would or could be different for all 3.

sgosnell 09-07-2020 01:51 PM

Yes. I have no idea why you would want to download from multiple sites, though. The only site I trust is the Debian site. Note, there are multiple .iso for any release. You can get them for small CDs, minimal netinstall, liveDVD, and more. Each will have a different checksum. Use the checksum for only the file you download. All others are invalid. It's easy for someone to add malware and put it on a site. The checksum of the file with the malware could easily check against the file, and you have no way of knowing it. Checksums only check against an individual file. Some distros have had their repositories hacked (cough, green, cough) and people downloaded .iso's and packages that were infected. Debian's security seems good, and no one has been able to hack the repositories so far. If you're concerned about security, only download Debian from the Debian sites, nowhere else.

duupunisher2x 09-07-2020 07:58 PM

Quote:

Originally Posted by sgosnell (Post 6163530)
Yes. I have no idea why you would want to download from multiple sites, though. The only site I trust is the Debian site. Note, there are multiple .iso for any release. You can get them for small CDs, minimal netinstall, liveDVD, and more. Each will have a different checksum. Use the checksum for only the file you download. All others are invalid. It's easy for someone to add malware and put it on a site. The checksum of the file with the malware could easily check against the file, and you have no way of knowing it. Checksums only check against an individual file. Some distros have had their repositories hacked (cough, green, cough) and people downloaded .iso's and packages that were infected. Debian's security seems good, and no one has been able to hack the repositories so far. If you're concerned about security, only download Debian from the Debian sites, nowhere else.

I have no idea how this question got so complicated :)

First, downloading from 3 different websites was just an example to try to clarify my point.

Sgosnell, you stated "yes". So then the checksum that automatically comes with the debian download (ie: the checksum.txt document) is the DISTRO ONLINE checksum for my download, and NOT NECESSARILY the same checksum as the checksum for the download I just downloaded, yes?

If yes, this means that I need to "sudo dd if=/dev/cdrom count=x bs=y | sha256sum" and compare it to the "checksum.txt document" that just came included with my download, yes?

Thank you.

sgosnell 09-07-2020 08:13 PM

You don't need to dd the file, just generate the checksum for the downloaded file and compare it to the advertised checksum. This is not rocket science. https://itsfoss.com/checksum-tools-guide-linux/
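
The comparison described in the post above, together with the earlier point that a modified file can still match a checksum published alongside it, as an added example that is not part of any post in this thread. The file names, the `verify_image`, `status_of` and `run_demo` functions, and the small text files standing in for ISO images are all constructed for illustration; `sha256sum`, `awk` and `mktemp` are assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example. All files are constructed stand-ins, not real Debian images.

# verify_image FILE SUMS: look up FILE's name in a "<digest>  <name>" list
# (the layout sha256sum writes) and compare it with a freshly computed digest.
# Exit status: 0 match, 1 mismatch, 2 no entry for that name in SUMS.
# The ( ) body runs in a subshell, so its variables stay local.
verify_image() (
    name=$(basename "$1")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$2")
    [ -n "$expected" ] || exit 2
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
)

# Print verify_image's exit status instead of returning it.
status_of() { verify_image "$@" && echo 0 || echo $?; }

run_demo() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    mkdir "$dir/official" "$dir/intact" "$dir/corrupt" "$dir/untrusted"

    # What the distro published: an image plus the checksum list beside it.
    printf 'constructed image contents\n' > "$dir/official/image.iso"
    (cd "$dir/official" && sha256sum image.iso > SHA256SUMS)

    # A clean download, and one that gained a stray byte on the way.
    cp "$dir/official/image.iso" "$dir/intact/image.iso"
    cp "$dir/official/image.iso" "$dir/corrupt/image.iso"
    printf 'X' >> "$dir/corrupt/image.iso"

    # A modified image offered elsewhere, with a list generated from it.
    cp "$dir/official/image.iso" "$dir/untrusted/image.iso"
    printf 'unofficial change\n' >> "$dir/untrusted/image.iso"
    (cd "$dir/untrusted" && sha256sum image.iso > SHA256SUMS)

    # A file the official list does not mention at all.
    cp "$dir/official/image.iso" "$dir/intact/other.iso"

    official=$dir/official/SHA256SUMS
    echo "intact=$(status_of "$dir/intact/image.iso" "$official")" \
         "corrupt=$(status_of "$dir/corrupt/image.iso" "$official")" \
         "untrusted_pair=$(status_of "$dir/untrusted/image.iso" "$dir/untrusted/SHA256SUMS")" \
         "modified_vs_official=$(status_of "$dir/untrusted/image.iso" "$official")" \
         "unlisted=$(status_of "$dir/intact/other.iso" "$official")"
)

run_demo
```

A status of 0 only says the file equals whatever the list you compared against describes, so where that list came from decides what a match is worth. The Debian page linked earlier in the thread (https://www.debian.org/CD/verify.en.html) covers checking the checksum files themselves.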

duupunisher2x 09-07-2020 08:19 PM

Quote:

Originally Posted by sgosnell (Post 6163639)
You don't need to dd the file, just generate the checksum for the downloaded file and compare it to the advertised checksum. This is not rocket science. https://itsfoss.com/checksum-tools-guide-linux/

So the "checksum.txt document" that comes with the debian download is there so that I don't have to go looking online for a website, (assuming I don't know where to find the debian checksums online) to find out what the REAL checksum is (NOT my downloaded .txt doc checksum) - that's what the .txt document is for....yes?

Please tell me yes or no, thank you.


All times are GMT -5.