sha256sun

Robert G. (Doc) Savage dsavage at peaknet.net
Tue Jun 16 07:29:00 UTC 2009


On Sun, 2009-06-14 at 21:04 +0100, Steve Searle wrote:
> Around 07:20pm on Sunday, June 14, 2009 (UK time), terry scrawled:
> 
> > Not quite. You want to -c against the small CHECKSUM file, which contains
> > a list of ISOs and their sha256sums. For example:
> > $ sha256sum -c Fedora-11-i386-CHECKSUM
> >
> >
> 
> > I don't get it! You want me to match a downloadable checksum text file
> > to what? How do I get the numbers from the iso file to check against
> > the checksums? You are not telling me all. You are falsely assuming I
> > know more than I do. Am I not trying to match the checksums with what
> > the developer says they are to be against what the file contains to
> > ensure that the iso file isn't corrupted and reduce later grief during
> > install.
> 
> The CHECKSUM file has both the name of the iso and its expected checksum
> in it.
> 
> So the command:
> 
>         $ sha256sum -c Fedora-11-i386-CHECKSUM
> 
> Causes it to look at the iso whose name is in the checksum file,
> generate a checksum for it and compare that generated checksum against
> the expected one that is held in the CHECKSUM file.

Terry,

Enhance your calm, mate. 'man sha256sum' is your friend. If you look in
the CHECKSUM file you'll see that it contains exactly what the man page
says it should, wrapped inside a GPG signature so you can be sure it
hasn't been tampered with:

$ cat Fedora-11-i386-CHECKSUM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

6e812e782e52b536c0307bb26b3c244e1c42b644235f5a4b242786b1ef375358 *Fedora-11-i386-DVD.iso
48bf00b8aa4d13da9bb13a1a82d835e90ab65ff32d282b58dffae66e70773630 *Fedora-11-i386-disc1.iso
530a4f4486216680bcc68e4b9ccbd667ed1278d668199f90242e5139d000183a *Fedora-11-i386-disc2.iso
b3a8c355c4f78303ea3eea92a4a537c43ddead23bef2a52d0e1f209986ac3811 *Fedora-11-i386-disc3.iso
8318dc3af01bc3f864d6b52c55242444d60fbdbac6ad924190724a2324302730 *Fedora-11-i386-disc4.iso
114152bbbcbe1ad1f5fca4de17b6762a2b86e68c56192b54814f0e0ffe70402b *Fedora-11-i386-disc5.iso
e296683a4702d3ccd6e15faf159c2a9c3f00325bf2a7a28434a3441d68e9e434 *Fedora-11-i386-disc6.iso
b61cf796fa1602ca003b340ca8073d783576507e88db3499d86640b0d20034cd *Fedora-11-i386-netinst.iso
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
-----END PGP SIGNATURE-----

One important thing to note is that Fedora 11 has made the migration
from using the old MD5 and SHA1 checksums to a 256-bit SHA2 checksum for
all of its integrity checks. This includes the checksums used in RPM and
YUM. The older checksum algorithms can be compromised, and while it's
quite difficult to do, it's possible to hack an ISO or RPM file and
still have it generate the same MD5 or SHA1 checksum as the original. If
you count the digits in the CHECKSUM file, you'll see that a 256-bit
SHA2 checksum contains 64 4-bit hexadecimal (0-9 and a-f) characters in
its message digest hash. Compare that to the 32 and 40 hex characters
generated by MD5 and SHA1 checksums. (If you need even more bits of
assurance, there's SHA512 with a 128 hex character hash.)

Back to business. When you use this CHECKSUM file with the -c option you
should see the following:

$ sha256sum -c Fedora-11-i386-CHECKSUM
Fedora-11-i386-DVD.iso: OK
Fedora-11-i386-disc1.iso: OK
Fedora-11-i386-disc2.iso: OK
Fedora-11-i386-disc3.iso: OK
Fedora-11-i386-disc4.iso: OK
Fedora-11-i386-disc5.iso: OK
Fedora-11-i386-disc6.iso: OK
Fedora-11-i386-netinst.iso: OK

Piece of cake. Of course, you're not quite done yet. You have to
successfully burn an ISO file to CD or DVD. To do that, right click on
an ISO file in a Nautilus window and select "Write to Disc...". Then be
sure to run the verification test when using that CD or DVD for the
first time.

--Doc Savage
  Fairview Heights, IL
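As an added example that is not part of this thread, here is a small Python reimplementation of what `sha256sum -c` does with a clearsigned CHECKSUM file like the one shown above: it strips the PGP armor, parses each `digest *filename` line, hashes the named file in chunks and reports OK, FAILED or MISSING. The `demo()` function builds a constructed CHECKSUM file and ISO stand-ins in a temporary directory; none of its names or digests are Fedora's.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One sha256sum output line: 64 hex digits, a space, then "*" (binary mode,
# as in the Fedora file) or " " (text mode), then the file name.
CHECKSUM_LINE = re.compile(r"^([0-9a-f]{64}) [ *](.+)$")

def clearsigned_body(text):
    # Payload lies between the blank line ending the armor headers and the BEGIN
    # PGP SIGNATURE line; lines starting with "-" are dash-escaped "- " (RFC 4880).
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return lines                      # plain, unsigned checksum file
    body, i = [], lines.index("") + 1
    while i < len(lines) and lines[i] != "-----BEGIN PGP SIGNATURE-----":
        body.append(lines[i][2:] if lines[i].startswith("- ") else lines[i])
        i += 1
    return body

def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()                  # chunked: never load a whole ISO
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check(checksum_file):
    # Mimic `sha256sum -c`. An OK only proves the ISO matches the listed digest;
    # `gpg --verify` on the same file is what proves the list itself is Fedora's.
    base, results = Path(checksum_file).parent, {}
    for line in clearsigned_body(Path(checksum_file).read_text()):
        m = CHECKSUM_LINE.match(line)
        if not m:
            continue                      # armor headers, blank lines, etc.
        digest, name = m.groups()
        target = base / name
        if not target.is_file():
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_of(target) == digest else "FAILED"
    return results

def demo():
    # Constructed sample (not Fedora data): intact, tampered and missing stand-ins.
    d, hx = Path(tempfile.mkdtemp()), lambda b: hashlib.sha256(b).hexdigest()
    (d / "good.iso").write_bytes(b"pretend ISO")
    (d / "bad.iso").write_bytes(b"tampered ISO")
    body = f"{hx(b'pretend ISO')} *good.iso\n{hx(b'pristine ISO')} *bad.iso\n{hx(b'x')} *gone.iso\n"
    (d / "CHECKSUM").write_text("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + body
                                + "-----BEGIN PGP SIGNATURE-----\n(blob omitted)\n-----END PGP SIGNATURE-----\n")
    return check(d / "CHECKSUM")
```

The digest check alone cannot tell a corrupted download from a substituted CHECKSUM file, so run `gpg --verify Fedora-11-i386-CHECKSUM` against the Fedora key before trusting the OK lines.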
