Good day my dear Linux Yogi’s,
In todays illustration I am going to show you how you can check the checksum on a file you downloaded from the internet and compare it with the checksum posted on the download page.
Mainly you will find gpg, md5 or sha1 checksums. I will show you how to verify those. In major distributions the tools are already installed. We need md5sum, sha1sum and gpg.
Let’s say you are about to download the latest openfiler installation ISO and see something like the following:
On the right under sha1sum you see the verification hash. Now in order to generate the sha1sum hash or the ISO you downloaded execute the following command.
and it should return something similar to that:
Now you can compare the hash from your console with the one from the website and if they match you have not to worry something could be messed with.
In this example I demonstrate this with the download of an Debian CD ISO. Debian provides a summary file with all md5 hashes for all downloads in the current folder. You should see something like the following:
As you can see the very first file contains all the hashes:
Lets say we downloaded the very first iso on the list above. Execute the following command to generate the md5 hash.
and you should see something like this:
Now you can compare/verify is with the value in the md5 checksum file.
This is the last example and I will demonstrate is with the download of Manjaro Linux ISO. Go ahead and download the ISO and the .sig for that iso. Usually the download website offers instruction for checking. The following comes right of the Manjaro Website.
wget https://github.com/manjaro/packages-core/raw/master/manjaro-keyring/manjaro.gpg --2017-03-07 08:26:03-- https://github.com/manjaro/packages-core/raw/master/manjaro-keyring/manjaro.gpg Resolving github.com (github.com)... 22.214.171.124, 126.96.36.199 Connecting to github.com (github.com)|188.8.131.52|:443... connected. HTTP request sent, awaiting response... 302 Found Location: https://raw.githubusercontent.com/manjaro/packages-core/master/manjaro-keyring/manjaro.gpg [following] --2017-03-07 08:26:04-- https://raw.githubusercontent.com/manjaro/packages-core/master/manjaro-keyring/manjaro.gpg Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 184.108.40.206, 220.127.116.11, 18.104.22.168, ... Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|22.214.171.124|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 65577 (64K) [text/plain] Saving to: ‘manjaro.gpg’ manjaro.gpg 100%[===================>] 64.04K --.-KB/s in 0.08s 2017-03-07 08:26:04 (777 KB/s) - ‘manjaro.gpg’ saved [65577/65577] gpg --import manjaro.gpg gpg: key 247B52CC: public key "Guillaume Benoit (Guinux) <email@example.com>" imported gpg: key 11C7F07E: public key "Philip Müller (Called Little) <firstname.lastname@example.org>" imported gpg: key 59152F77: public key "Roland Singer (Manjaro Linux) <email@example.com>" imported gpg: key 5C0102A6: public key "Rob McCathie <firstname.lastname@example.org>" imported gpg: key 604F8BA2: public key "Alexandru Ianu <email@example.com>" imported gpg: key AC97B894: public key "Ramon Buldó <firstname.lastname@example.org>" imported gpg: key 5DCB998E: public key "artoo <email@example.com>" imported gpg: key B35859F8: public key "artoo (manjaro.org) <firstname.lastname@example.org>" imported gpg: key 663CA268: public key "Bernhard Landauer <email@example.com>" imported gpg: key 8DF53602: public key "Stefano Capitani <firstname.lastname@example.org>" imported gpg: key A42D53A2: public key "kendell clark <email@example.com>" imported gpg: key C45EE0AA: public key "artoo-manjaro <firstname.lastname@example.org>" imported gpg: Total number processed: 12 gpg: imported: 12 (RSA: 12) gpg: no ultimately trusted keys found gpg --verify manjaro-xfce-17.0-stable-x86_64.iso.sig gpg: assuming signed data in `manjaro-xfce-17.0-stable-x86_64.iso' gpg: Signature made Mon 06 Mar 2017 03:56:45 PM MST using RSA key ID 11C7F07E gpg: Good signature from "Philip Müller (Called Little) <email@example.com>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: E4CD FE50 A2DA 85D5 8C8A 8C70 CAA6 A596 11C7 F07E
In the above example I set in bold the lines you need to pay attention to and it seems in our case that everything is okay.
I hope that this illustration was useful to you. Please subscribe or register to this blog or forum and if you like to see an article here please drop me a line using my contact form.
Thank you for reading, until next time Namaste my friends!