Thanks for the link, but I'm checking a livedvd, not an iso - can't use "sha256sum isoname.iso".

I don't know what you mean by the 'checksum.txt document". The checksum file is on the Debian download site, but you have to download it separately, it doesn't come automatically. But yes, generate the checksum for the file you downloaded, and compare the output to the fingerprint in the text file you downloaded.

1 members found this post helpful.

Thanks. When I download debian buster, if I recall correctly, I get a "sha256sum.txt" document. I always wondered if the checksum in that document was the automatic output for the file I just downloaded, or if it was the checksum on debian's website to check against.

Based on what you stated above, it is NOT for the file I just downloaded, but rather, exactly what I will find on debian's website. As you said, run my own checksum for the file I just downloaded, and then I can compare it against either the online checksum or this "sha256sum.txt" file, as they should both be the same.

Thank you!! I was getting close to losing my sanity

@duupunisher2x, a checksum is posted for a file so that you can be assured that the file did not get altered during download. No man in the middle attack, no corruption in the download.

You have a file on your machine named ls.
That is the checksum for the ls that is on this machine. Yours will no doubt be different. You have a different version, compiled for a different kernel, different version of gcc, different source etc.

I can checksum that file, send it to you, if you checksum it, it will have the same checksum, or something is wrong, don't use it.

Where did you get the file to start with? After you downloaded it is the time to check it.

Then where did you get the debian .iso?
https://cdimage.debian.org/cdimage/w...amd64/iso-dvd/
https://cdimage.debian.org/cdimage/w...dvd/SHA512SUMS

https://cdimage.debian.org/cdimage/w.../amd64/iso-cd/
https://cdimage.debian.org/cdimage/w...-cd/SHA512SUMS

If there is no checksum posted for an install image, don't download it.

1 members found this post helpful.

And then what do I do with that downloaded checksum? I run my own checksum and compare the two checksums, correct?

I was just trying to say that debian includes the checksum on the download as a 'courtesy' so that ppl who don't know where to find the debian posted checksum can still check their checksum against the debian one. In the past I didn't know where to find it.

I download directly from debian site, always.

yes, exactly that is the purpose of it.

1 members found this post helpful.

Thanks.

As a sidenote - in regards to my original question...

The "courtesy checksum download from debian" included in the download of the OS is what my downloaded .iso, .img, or dvd checksum "should be" .

Thanks to everyone whom contributed!

Please read their documentation, website, and the other posts in this thread. You can either look in that file or on their website...not sure how much more plain to be.

Hi,

I see the post is already long, and closed as SOLVED.
But here is my contribution.

Nowadays, most ISOs for discs to be burnt (but really end up on USB key for installation), have in them somehow appended at their end the checksum.
So if you have downloaded an ISO file, and without carrying about its associated checksum file, you can validate its integrity with the command below.
On my CentOS 7 system the command checkisomd5 came from package isomd5sum-1.0.10-5.el7.x86_64.

I am not familiar with the checkisomd5 command, but wouldn't that mean that an ISO which had been modified, including modification of the checksum value it carries in itself, would pass verification? That would tell you whether the ISO data has been corrupted during transfer, but not whether it has been modified from the original.

Only comparison with the checksum published by the original packager is safe for detecting both transfer corruption and intentional modification by someone else.

Hi astrogeek,

You can think of the package isomd5sum and its command implantisomd5 (counter part of checkisomd5), as the possibilitiy to glue together the the iso file and its checksum, that in order to guarantee that whenever you access the iso file its checksum is right there to validate the accuracy. There no way they can get separated.

Then the other problem of ensuring that the file had been downloaded correctly (without transit corruption) is still solve the same by verifying the checksum.

I read the man pages for both of those, but it still appears to me that it only solves the second problem of detecting corruption during transit. It only tells you that the locally generated checksum agrees with the embedded checksum. It cannot tell you whether the iso and the embedded checksum have been modified from the published package and separately published checksum.

But separation of the checksum is not the problem to be solved by verifying agreement with the checksum published separately by the original packager.

The problem to be solved is detection of intentional, possibly malicious modification of the iso, which would imply modification of the embedded checksum value using implantisomd5 no doubt. Checkisomd5 cannot do that.

This is the only problem solved by checkisomd5 as far as I can tell.

I agree with you.

The presence of a checksum along side the iso file, will provide no way to guaranteed that the iso file is "genuine".
There is no way around that, unless you do your own iso file that you trust.
But as we do use iso files from "other", we first need to trust "other".

When I downloaded the iso for Fedora 32 for example, it meant that I did trust Fedora.
But it does not necessarily meant that the owner of the web site from where I downloaded it (or the friend of mine who handed me the DVD), provided me with a genuine copy as the one Fedora built. As you mentioned, the checksum would have been altered to match the actual data in the "forged" iso file. So checking it will not help me out.

The solution, as I trust Fedora, is to get their public GPG key, import it, and ultimately check the checksum file in order to ensure its integrity and authenticity. Indeed, checksum files from Fedora (and other serious publishers), contain embedded GPG integrity signatures signed by their private key, that one can verify with their available public GPG key.

A good reference is here for Fedora.

But me in practise, I just download the iso files, and then check them with checkisomd5 or with the provided checksum file.
I rarely do the check with the known publisher public GPG key.

I think you do not understand. When you try to get anything from anywhere, but somehow the url is redirected to a different site you will download something else, not the original file. checkisomd5 will never detect this kind of alteration. But using an official md5sum will do.

Thanks for the extra input.

As a sidenote: Would you say that "md5sum" is just as good, if not better, than "sha512sum" ?