[SOLVED] Is my saved OS' checksum what it currently is or what it should be?
Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
You don't need to dd the file, just generate the checksum for the downloaded file and compare it to the advertised checksum. This is not rocket science. https://itsfoss.com/checksum-tools-guide-linux/
Thanks for the link, but I'm checking a livedvd, not an iso - can't use "sha256sum isoname.iso".
I don't know what you mean by the 'checksum.txt document". The checksum file is on the Debian download site, but you have to download it separately, it doesn't come automatically. But yes, generate the checksum for the file you downloaded, and compare the output to the fingerprint in the text file you downloaded.
Thanks. When I download debian buster, if I recall correctly, I get a "sha256sum.txt" document. I always wondered if the checksum in that document was the automatic output for the file I just downloaded, or if it was the checksum on debian's website to check against.
Based on what you stated above, it is NOT for the file I just downloaded, but rather, exactly what I will find on debian's website. As you said, run my own checksum for the file I just downloaded, and then I can compare it against either the online checksum or this "sha256sum.txt" file, as they should both be the same.
Thank you!! I was getting close to losing my sanity
@duupunisher2x, a checksum is posted for a file so that you can be assured that the file did not get altered during download. No man in the middle attack, no corruption in the download.
You have a file on your machine named ls.
Code:
which ls
/usr/bin/ls
md5sum /usr/bin/ls
27ac5e2f7573020dbff16b3b9c03e678 /usr/bin/ls
sha1sum /usr/bin/ls
0ca5dcdf79d00cbc893a5cca29695f2afddc193d /usr/bin/ls
That is the checksum for the ls that is on this machine. Yours will no doubt be different. You have a different version, compiled for a different kernel, different version of gcc, different source etc.
I can checksum that file, send it to you, if you checksum it, it will have the same checksum, or something is wrong, don't use it.
Quote:
So the "checksum.txt document" that comes with the debian download is there so that I don't have to go looking online for a website
Where did you get the file to start with? After you downloaded it is the time to check it.
Quote:
(assuming I don't know where to find the debian checksums online)
a checksum is posted for a file so that you can be assured that the file did not get altered during download.
And then what do I do with that downloaded checksum? I run my own checksum and compare the two checksums, correct?
Code:
Then where did you get the debian .iso?
I was just trying to say that debian includes the checksum on the download as a 'courtesy' so that ppl who don't know where to find the debian posted checksum can still check their checksum against the debian one. In the past I didn't know where to find it.
I download directly from debian site, always.
Last edited by duupunisher2x; 09-10-2020 at 06:18 PM.
So the "checksum.txt document" that comes with the debian download is there so that I don't have to go looking online for a website, (assuming I don't know where to find the debian checksums online) to find out what the REAL checksum is (NOT my downloaded .txt doc checksum) - that's what the .txt document is for....yes?
Please tell me yes or no, thank you.
Please read their documentation, website, and the other posts in this thread. You can either look in that file or on their website...not sure how much more plain to be.
I see the post is already long, and closed as SOLVED.
But here is my contribution.
Nowadays, most ISOs for discs to be burnt (but really end up on USB key for installation), have in them somehow appended at their end the checksum.
So if you have downloaded an ISO file, and without carrying about its associated checksum file, you can validate its integrity with the command below.
Code:
# checkisomd5 /path/to/file_to_burn.iso
Press [Esc] to abort check.
The media check is complete, the result is: PASS.
It is OK to use this media.
On my CentOS 7 system the command checkisomd5 came from package isomd5sum-1.0.10-5.el7.x86_64.
I see the post is already long, and closed as SOLVED.
But here is my contribution.
Nowadays, most ISOs for discs to be burnt (but really end up on USB key for installation), have in them somehow appended at their end the checksum.
So if you have downloaded an ISO file, and without carrying about its associated checksum file, you can validate its integrity with the command below.
Code:
# checkisomd5 /path/to/file_to_burn.iso
Press [Esc] to abort check.
The media check is complete, the result is: PASS.
It is OK to use this media.
On my CentOS 7 system the command checkisomd5 came from package isomd5sum-1.0.10-5.el7.x86_64.
I am not familiar with the checkisomd5 command, but wouldn't that mean that an ISO which had been modified, including modification of the checksum value it carries in itself, would pass verification? That would tell you whether the ISO data has been corrupted during transfer, but not whether it has been modified from the original.
Only comparison with the checksum published by the original packager is safe for detecting both transfer corruption and intentional modification by someone else.
You can think of the package isomd5sum and its command implantisomd5 (counter part of checkisomd5), as the possibilitiy to glue together the the iso file and its checksum, that in order to guarantee that whenever you access the iso file its checksum is right there to validate the accuracy. There no way they can get separated.
Then the other problem of ensuring that the file had been downloaded correctly (without transit corruption) is still solve the same by verifying the checksum.
I read the man pages for both of those, but it still appears to me that it only solves the second problem of detecting corruption during transit. It only tells you that the locally generated checksum agrees with the embedded checksum. It cannot tell you whether the iso and the embedded checksum have been modified from the published package and separately published checksum.
Quote:
Originally Posted by tshikose
You can think of the package isomd5sum and its command implantisomd5 (counter part of checkisomd5), as the possibilitiy to glue together the the iso file and its checksum, that in order to guarantee that whenever you access the iso file its checksum is right there to validate the accuracy. There no way they can get separated.
But separation of the checksum is not the problem to be solved by verifying agreement with the checksum published separately by the original packager.
The problem to be solved is detection of intentional, possibly malicious modification of the iso, which would imply modification of the embedded checksum value using implantisomd5 no doubt. Checkisomd5 cannot do that.
Quote:
Originally Posted by tshikose
Then the other problem of ensuring that the file had been downloaded correctly (without transit corruption) is still solve the same by verifying the checksum.
This is the only problem solved by checkisomd5 as far as I can tell.
The presence of a checksum along side the iso file, will provide no way to guaranteed that the iso file is "genuine".
There is no way around that, unless you do your own iso file that you trust.
But as we do use iso files from "other", we first need to trust "other".
When I downloaded the iso for Fedora 32 for example, it meant that I did trust Fedora.
But it does not necessarily meant that the owner of the web site from where I downloaded it (or the friend of mine who handed me the DVD), provided me with a genuine copy as the one Fedora built. As you mentioned, the checksum would have been altered to match the actual data in the "forged" iso file. So checking it will not help me out.
The solution, as I trust Fedora, is to get their public GPG key, import it, and ultimately check the checksum file in order to ensure its integrity and authenticity. Indeed, checksum files from Fedora (and other serious publishers), contain embedded GPG integrity signatures signed by their private key, that one can verify with their available public GPG key.
But me in practise, I just download the iso files, and then check them with checkisomd5 or with the provided checksum file.
I rarely do the check with the known publisher public GPG key.
But me in practise, I just download the iso files, and then check them with checkisomd5 or with the provided checksum file.
I rarely do the check with the known publisher public GPG key.
I think you do not understand. When you try to get anything from anywhere, but somehow the url is redirected to a different site you will download something else, not the original file. checkisomd5 will never detect this kind of alteration. But using an official md5sum will do.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.