How to verify a linux iso’s checksum and confirm it hasn’t been tampered with
- ROM
- CPU
- RAM
- GPU
Last month, the Linux Mint servers were infiltrated and its standard ISO image was swapped out with a compromised version. While the Linux Mint team was quick to offer fixes and a detection tool, the incident showcased the danger of blindly trusting ISO images without verifying their integrity. But how do you verify the integrity of a Linux ISO image?
Verify the checksum
One method is to verify an ISO’s checksum. A checksum, or hash value, is used to verify the integrity of a given file after it has been stored, compressed, or moved. If you have already downloaded a Linux ISO, the simplest way to verify its checksum is to use the cksum command, which is found on most Unix-like operating systems. The syntax looks like this: cksum [file]. In usage the command looks like this:
The number — 4038471506 — is the checksum value, while “150” is the file size. Now that you have your checksum value, you’ll want to compare it with the checksum file that’s either been included with your downloaded ISO or available in the directory you downloaded it from. If the numbers do not match, the ISO has either been corrupted or tampered with and you should not install it.
Verify the MD5sum
Sometimes a corrupted ISO can still return the correct checksum. Because of this, you’ll also want to test your ISO with MD5sum, which is a special utility designed to use the MD5 (Message-Digest algorithm 5) 128-bit cryptographic hash to verify the integrity of a given file. Let’s say you’re downloading Linux Mint 17.3 “Rosa” from this page.
The MD5 value is what you’re going to compare your computed MD5sum to. Now, here’s how to get that MD5sum:
- Open the terminal and find the directory where your ISO lives.
- Now run the following command:
Verify the GPG signature of your ISO
The final step in verifying the integrity of your Linux ISO file is to check that it has been signed using a GPG key. ZDNet writes:
There are actually two ways this can be done, because there are two files involved in the download and verification of the ISO image. The obvious way is to sign the image itself (Manjaro Linux does it this way). The alternative is to sign the checksum file. The theory here is that if the checksum of the ISO image matches what it says in the checksum file, and you know that the checksum file hasn’t been modified, then you also know that the ISO file hasn’t been modified.
First things first: You’ll need to download the signed file and the GPG public key from your Linux distro’s directory, if you haven’t done this already. Then provide the gpgv utility with the keyfile with your public key, the signature file, and your ISO. ZDNet gives an example:
If it says “Good signature” as it does above, you’re in the clear. But for the truly cautious (you’re not paranoid if they’re out to get you, as they say), there’s an “improved version of the GPG utilities, called gpg2.” Not all Linux distros include gpg2 — Linux Mint 17.3, for instance, does not — but for those that do, the process is the same as that for the gpgv utility.
You can also use the gpg –verify command in lieu of the gpgv utility above. This command goes a step beyond gpgv by verifying the validity of the signature itself. While this might seem like a good additional step (and sometimes can be), there is often no point of reference for the utility to pit against the validity of the signature. Running this can return warnings that indicate nothing about the validity of your ISO, and simply tell you that the signature has not been vouched for by your distro’s development team.
Where do I find my distro’s public key?
Some distros like Linux Mint include the key in their base distribution, while others do not. In this case, you’ll need to locate a trusted keyserver for your distro. ZDNet points to the Debian Public Key Server document, which includes information on how to the ISO verification process. Other distros have similar resources available that you can find once you do a bit of digging.
The bottom line
Other tests exist, such as Debian’s “secure apt” utility, but at a certain point you have to determine when you’re ready to trust the authenticity of your ISO file. By taking the time to run a test in the first place you’re already ahead of the game, and have escaped the realm of blind trust. And if the attack on Linux Mint showed us nothing else, it’s that blind trust can be dangerous.
Kennybee
New Member
HP 14” notebook. I install Manjaro Linux with complete SSD erase first. No matter what I change in BIOS, on start up, error:
Boot Device Not Found
Please install an operating system on your hard drive
Please advise how to fix.
MatsuShimizu
Well-Known Member
Hi,
What HP laptop model that you use?
Edit: Found similar questions on the Arch Linux forum, Manjaro is based on Arch.
[SOLVED] Can’t boot, “BootDevice Not Found” / Newbie Corner / Arch Linux Forums
[SOLVED] fresh install, can’t boot to GPT / Installation / Arch Linux Forums
Condobloke
Well-Known Member
G’day Kennybee, Welcome to Linux.org
How did you carry out the install . from usb stick or from dvd ?
How did you burn/attach Manjaro to the usb/dvd . did you use a particular app/program to do this with ?
Condobloke . Outback Australian :: LINUX IS THE ANSWER. LINUX MINT used EXCLUSIVELY here.
Translate?. DeepL is the answer!
“ If you don’t like Windows than don’t use Windows.
I don’t. Ever. Like a good woman, Linux satisfies my every need”
Live simply. Love generously. Care deeply. Speak kindly . Especially in C19 times.
It has been said that time heals all wounds. I don’t agree. The wounds remain. Time – the mind, protecting its sanity – covers them with some scar tissue and the pain lessens, but it is never gone. Rose Kennedy
The checksum is used to verify the correctness of a file. It can be described as a digital fingerprint of a file. By verifying the Checksum value we can determine the correctness of a file while it’s been transferred from one location to another. The checksum is a long string of data containing various letters and numerals. All popular software downloading websites provides a checksum value for the downloaded file with which we can confirm our data by verifying the checksum value.
Generating Checksums
A checksum is generated by a checksum algorithm. It generates a checksum value by taking the file as input. MD5 and SHA (Secure Hash Algorithms) are the most popular algorithms used for generating the checksums
Command-line Checksum tools
Almost all Linux distribution provides the command line tools for various checksum algorithms. You can generate and verify checksum with them. Some of the standard command-line checksum tools used nowadays are the followings:
MD5 checksum tool is called: md5sum
SHA-1 checksum tool is called: sha1sum
SHA-256 checksum tool is called: sha256sum
SHA-384 checksum tool is called: sha384sum
SHA-224 checksum tool is called: sha224sum
SHA-512 checksum tool is called: sha512sum
Examples:
Let’s see some of the examples on using these command line tools for generating the checksum values.
I’ve created one of test index file called index.html. Let’s generate the checksum value for this file using these above tools.
md5sum:
MD5 is an algorithm that is used to verify data integrity through the creation of a 128-bit message digest from a data input that is claimed to be as unique to that specific data as a fingerprint to a specific individual.You can see my test index file, I’ve generated the checksum value corresponding to this file using MD5 algorithm.
sha1sum:
SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function designed by the United States National Security Agency. SHA-1 produces a 160-bit (20-byte) hash value known as a message digest. Please see the sha1 hash value for the same file.
sha256sum/sha512sum/sha224sum/sha384sum:
SHA-2 is a family of two similar hash functions, with different block sizes, known as SHA-256 and SHA-512. They differ in the word size; SHA-256 uses 32-bit words whereas SHA-512 uses 64-bit words. There are also truncated versions of each standard, known as SHA-224, SHA-384, SHA-512/224 and SHA-512/256. SHA-256 algorithm generates an almost-unique, fixed size 256-bit (32-byte) hash. Hash is a one-way function, which cannot be decrypted back. We can generate the hash value using this SHA-256 algorithm for the same file using the command below:
Verifying a file using Checksum
We’ve already learned various techniques for generating the checksum values. Now we can learn how to verify the correctness of a file using the checksum methods. Let’s download an ISO file from a website.
As you can see there will be a checksum value corresponding to any download file. Let’s download our ISO sample file and check its correctness by comparing the checksum value for the downloaded file and the md5sum value on the website.
You can confirm the correctness of your downloaded ISO by comparing the checksum value here. It appears to be same, which means you’ve downloaded the exact file. If you delete or change even one character from any one of the text files inside the iso image, the checksum algorithm will generate a totally different checksum value for that changed iso image. And that will definitely not match with the checksum provided on the download page.
Conclusion
You can make use of this Checksum method as a redundancy check to detect errors in data. Hence. ensure the integrity of data portions for data transmission or storage. I hope this article is useful for you. Please post your valuable comments and suggestions on this.
You just downloaded an ISO image of your favorite Linux distribution from the official site or a third party site, now what? Create bootable medium and start installing the OS? No, wait. Before start using it, It is highly recommended to verify that the downloaded ISO in your local system is the exact copy of the ISO present in the download mirrors. Because, Linux Mint’s website is hacked few years ago and the hackers made a modified Linux Mint ISO, with a backdoor in it. So, It is important to check the authenticity and integrity of your Linux ISO images. If you don’t know how to verify ISO images in Linux, this brief guide will help. Read on!
Verify ISO Images In Linux
We can verify ISO images using the Checksum values. Checksum is a sequence of letters and numbers used to check data for errors and verify the authenticity and integrity of the downloaded files. There are different types of checksums, such as SHA-0, SHA-1, SHA-2 (224, 256, 384, 512) and MD5. MD5 sums have been the most popular, but nowadays SHA-256 sums are mostly used by modern Linux distros.
We are going to use two tools namely “gpg” and “sha256” to verify authenticity and integrity of the ISO images.
Download checksums and signatures
For the purpose of this guide, I am going to use Ubuntu 18.04 LTS server ISO image. However, the steps given below should work on other Linux distributions as well.
Near the top of the Ubuntu download page, you will see a few extra files (checksums and signatures) as shown in the following picture.
Ubuntu 18.04 checksum and signature
Here, the SHA256SUMS file contains checksums for all the available images and the SHA256SUMS.gpg file is the GnuPG signature for that file. We use this signature file to verify the checksum file in subsequent steps.
Download the Ubuntu ISO images and these two files and put them all in a directory, for example ISO.
As you see in the above output, I have downloaded Ubuntu 18.04.2 LTS server image along with checksum and signature values.
Download valid signature key
Now, download the correct signature key using command:
Verify SHA-256 checksum
Next verify the checksum file using the signature with command:
If you see “Good signature” in the output,the checksum file is created by Ubuntu developer and signed by the owner of the key file.
Check the downloaded ISO file
Next, let us go ahead and check the downloaded ISO file matches the checksum. To do so, simply run:
If the checksum values are matched, you will see the “OK” message. Meaning – the downloaded file is legitimate and hasn’t altered or tampered.
If you don’t get any output or different than above output, the ISO file has been modified or incorrectly downloaded. You must re-download the file again from a good source.
Some Linux distributions have included the checksum value in the download page itself. For example, Pop!_os developers have provided the SHA-256 checksum values for all ISO images in the download page itself, so you can quickly verify the ISO images.
Pop os SHA256 sum value in download page
After downloading the the ISO image, verify it using command:
Pop os SHA256 sum value
Here, the random string starting with “680elaa. “ is the SHA-256 checksum value. Compare this value with the SHA-256 sum value provided on the downloads page. If both values are same, you’re good to go! The downloaded ISO file is legitimate and it hasn’t changed or modified from its original state.
This is how we can verify the authenticity and integrity of an ISO file in Linux. Whether you download ISOs from official or third-party sources, it is always recommended to do a quick verification before using them. Hope this was useful.
Welcome to the Linux Mint forums!
- Unanswered topics
- Active topics
- Search
ISO distribution verification
ISO distribution verification
Post by bushrat » Sun Dec 11, 2016 8:15 pm
Just purchased a new laptop, disgusted with installed Win 10, so this time I’m serious about using Linux.
I’ve used Linuxmint previously in dual boot mode with Win 7 and it worked just fine, I’m very impressed with all things Linux.
Anyway, this time around I decided to do everything right. by which I mean verifying the downloaded Linuxmint ISO.
Linux User Manual refers to ‘sha256sum’ to get the checksum, that’s easy enough – but what to do with that checksum is pretty confusing.
I’ve read the forum answers to the problem, and I’d guess that many Windows refugees looking to install Linux would get frustrated
having to use Gpg etc to verify the ISO and not bother. Too bad for them you might say and now I’ll come to why I’m posting any of this.
Has the Linux team ever considered implementing a utility where a newcomer can submit the checksum they derived from ‘sha256sum’
to the official Linux site and have that checksum verified by Linux instead of having to perform acrobatics through Gpg? it would make life
a lot easier for first timers to Linux. Not wishing to raise invidious comparisons with Windows but Windows allows you in a flash to authenticate
the Windows version you are using, so I was just wondering if the Linux people could implement a similar sort of scheme for ISO verification.
If I’ve got this all wrong I’m sure there are plenty who will straighten me out. LOL.
thanks for your time.
Part of using a Linux-based operating system is using the package manager of your Linux distribution to download and install new software. On CentOS/RHEL-based distributions for example, the EPEL repositories provide you with almost everything you need. And often when a pre-installed repository is unavailable, you can manually add it and the files will be downloaded securely after verifying it with a key.
However, sometimes you have no choice but to download the packages directly over the Internet. One example is the operating systems themselves. If you want to download a new distribution, you’ll have to get it from a website.
Table of Contents
Verifying File Integrity with Hashes
But how do we know that the files we download are indeed the file that the creator made? What if someone maliciously accessed the servers and placed their own file in there instead? We might end up downloading and then using a file that might be deeply compromised!
Sometimes files are distributed widely through 3rd party sites, such as SourceForge. We need a way to verify that the file we’re downloading hasn’t been tampered with and re-packaged. This is where hashes come in.
A “hash” is a special mathematical operation we perform on a file that generates a string of characters that is unique to that file. These are also referred to as “checksums”. While it is not perfectly unique, the chance of it repeating is low enough for it to be an acceptable form of security. A good hashing algorithm will ensure that even small variations in the input file will generate huge differences in the output hash. Thanks to this, is it practically impossible to tamper with a file in any way and have the hash be similar.
If the hashes of two files have been generated by a good algorithm, and they match, you can be next to certain that the two files are the same. Because of this, all good software providers also display their hashes next to the files they offer for download. Like this:
Now let’s see how to verify the hash.
Generating and Comparing Hashes
This website offers twp hashing algorithms – SHA256, and SHA512. SHA256 is good enough for our purposes. When you click on the “SHA256” link, you get this:
The 64 characters you see here make up the SHA256 hash for the file we want to download. To verify it, we first download the file itself via wget as shown here:
And then we use the following command in our terminal to generate the SHA256 hash:
Replace [filename] with the name of the file you just downloaded. It will generate a string of 64 characters, like this:
Now all we need to do is compare the string of characters it generates with the one provided by the website in the second screenshot.
To make it easier to read with some formatting, here’s a command to make everything uppercase and split the hash into groups of 8 characters:
And we get an output like this:
With this command, it is much easier to compare as opposed to a long string of 64 characters.
Other Checksum Algorithms
Different websites will have different hashing algorithms for you to compare. In the example above, we looked at SHA256. Here are the commands for the others:
SHA256 – sha256sum (used above)
SHA512 – sha512sum
MD5 – md5sum
If you need to calculate the hash for another algorithm, just replace “sha256sum” in the examples above with the command you need. Keep in mind, however, that the MD5 hash has been insecure for some time now. You can use something called a ‘salt’ to further improve the security of an SHA hash – however, it is not impossible to get past, so it is discouraged for protecting passwords and personal data.
If you are able to successfully compare the hashes of the downloaded file to the one that’s displayed on the website, you can be sure that the file you downloaded is the one that the creator intended for you to have.
Of course, you don’t have to check the file integrity of software you download if you have a Linux VPS with us. You can simply ask our support team to install whichever software you need onto your VPS for you. They are available 24/7 and will be able to help you with the installation.
PS . If you enjoyed reading this blog post on how to check the file integrity of downloaded packages in Linux, feel free to share it on social networks using the shortcuts below, or simply leave a comment in the comment section. Thanks.
One method of knowing if a downloaded program file is safe to install is to compare the file checksum (also called a hash) before running the executable.
Verifying the checksum of a file helps ensure the file was not corrupted during download, or modified by a malicious third-party before you downloaded it. If it was infected with malware or other malicious software after the checksum was originally calculated, you will discover the change when you calculate the new checksum.
The checksum is a long string of numbers that looks like this:
This hexadecimal number is unique to the installer .exe file created by the author. If anyone has altered or tampered with the file that you downloaded, the checksum will be different on your computer.
For maximum system security, always verify the checksum of any software you download from the Internet, before you run it.
- How to check the checksum of a file in Windows.
- How to view the checksum of a file in Linux.
How to check the checksum of a file in Windows
Many utilities can verify the checksum of a file in Windows. Below are our favorite options, the Checksum Calculator, an easy to use and compare checksum utility and the FCIV command line utility from Microsoft.
Checksum calculator
The Checksum Calculator is a free file checksum calculation utility that supports the most commonly used file checksum algorithms, such as md5, crc32, and sha1. The Checksum Calculator can also batch process multiple files and is an easy to understand and use Windows program.
Downloading and installing the checksum calculator
- Download the Checksum Calculator.
- Run the executable, checksumcalculator_setup.exe.
- Follow the prompts to install the program.
Using the calculator
- Open the Checksum Calculator if not already opened after the install.
- Click the Browse next to the file box and browse to the file you want to check. In our example, we are checking the checksum of the windirstat1_1_2_setup.exe file.
- Select the type of Checksum you are calculating. By default, the Checksum is set to MD5, in our example below we’ve set the value to SHA1.
- Click the Calculate button.
- After clicking Calculate, a result is shown in the Result box. To compare the values with what’s shown on the web page or documentation, copy and paste the checksum into the Compare box and click Verify. If both values match, you’ll see a message box indicating that the values are the same.
Using the Microsoft FCIV utility
Unfortunately, no version of Microsoft Windows comes pre-installed with a checksum utility, but Microsoft has released a command line command perform a checksum. In our example, we’ll be downloading, installing, and using the Microsoft FCIV (File Checksum Integrity Verifier) to check the WinDirStat installer file. WinDirStat is a great free utility for checking what files and folders are occupying space on your hard drive.
Downloading and installing Microsoft FCIV
- Download FCIV from Microsoft.
- Run the executable, Windows-KB841290-x86-ENU.exe.
- Click Yes to accept the license agreement.
- The installer asks where you would like to extract the files. It’s convenient to have it in the same place as the WinDirStat installer, so we recommend you extract it to your Downloads folder. Click Browse, highlight Downloads, and click OK.
- Click OK to extract the files.
- Click OK to close the installer.
If you copy the fciv.exe file into your C:\Windows directory, the command works from any directory or drive in the command prompt.
Using FCIV
- FCIV is a command-line utility, so you need to run it from the Windows command prompt. Open a new command prompt window now. In Windows 10, you can find it under Start menu → Windows System → Command Prompt. You can also open it from the Run box if you press Win+R (hold down the Windows key on your keyboard and press R), type cmd, and press Enter .
- Change to your Downloads directory or the directory containing fciv and the file you want to compare. At the command prompt, run:
- The checksums provided on the WinDirStat use the SHA1 algorithm, so we need to use the -sha1 option when we run FCIV. For example, to verify windirstat1_1_2_setup.exe, use this command:
FCIV will spend a few moments calculating, and then provide output like this:
The checksum is the long hexadecimal number on the last line:
That hexadecimal number is the SHA1 checksum for your file. Check to make sure it matches the checksum on the WinDirStat website:
- See our fciv command page for further information about this command and its syntax and options.
How to check the checksum of a file in Linux
In Linux, the checksum of a file can be checked using one of the following command line commands depending on the checksum the author used for comparison.
- The MD5 checksum is verified using the md5sum command.
- An SHA224 checksum is checked using the sha224sum command.
- An SHA256 checksum is shown using the sha256sum command.
- An SHA384 checksum is shown using the sha384sum command.
- An SHA512 checksum is verified using the sha512sum command.
Welcome to the Linux Mint forums!
- Unanswered topics
- Active topics
- Search
New to Linux, Help a Lady Out? (solved)
New to Linux, Help a Lady Out? (solved)
Post by Falling_Stars » Sun Dec 02, 2018 1:26 pm
Good morning, everyone!
I am a new (female) Linux user, quite honestly hoping to ditch Microsoft and Windows altogether. I have a Windows 7 Home Premium system, 64 bit, 4GB of RAM, on an Asus Ntebook K52JU/K52JT series with an intel core i5 cpu M 480 @ 2.67Ghz
Anyway, I am excited to learn new things and especially happy that I have saved myself an untold hundreds or even thousands of dollars by ditching Windows since each new iteration of Windows causes all sorts of havoc with each new upgrade which then means spending all sorts of money, or possibly needing to buy a new system due to manufacturers putting out computers that are almost never compatible with new versions of Windows. Screw that noise!
Once my download to the DVD is done, I know I need to verify it. Do I just follow the same steps as with hard drive install verification? Your input for this new user is much appreciated!
Re: New to Linux, Help a Lady Out?
Post by majpooper » Sun Dec 02, 2018 2:18 pm
Here is the link to how to verify your Mint download
Just a couple of tips – you will get plenty here.
1.) Take a test drive of the OS from the live DVD (or USB) make sure everything works and you can do all things that you want to do. It won’t be quite as snappy as running the OS on your HD but close enough to get a feel for everything. If you run into any issues or have questions come here – most things can be worked out.
2.) One of the more knowledgeable and experienced members of this forum, Pjotr, has a great website ” Easy Linux tips for beginners and for advanced users” which IMHO is a must. I have installed Mint dozens of times for myself, family and friends and after every fresh install the first thing I do is go to this website and apply the tweaks – they just make Mint run better i.e. faster and saver.
Re: New to Linux, Help a Lady Out?
Post by Moem » Sun Dec 02, 2018 2:55 pm
Hello and welcome! I hope this is helpful:
You don’t download to the DVD. You download an .iso, verify it, then use suitable software (such as Rufus, Etcher. ) to burn the .iso to the DVD as an image, making it bootable.
If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
Re: New to Linux, Help a Lady Out?
Post by phd21 » Sun Dec 02, 2018 3:09 pm
Welcome to the wonderful world of Linux Mint and its excellent forum!
I just read your post and the good replies to it. Here are my thoughts on this as well.
FYI: The Linux Mint downloads are verified frequently now and are safe to use.
You might want to make sure the “checksum” values match to make sure nothing went wrong while downloading the Linux Mint .iso disc image file. If you use the “torrent” download link option and your torrent software has the “check file” option enabled, then the checksum is verified automatically. There are other options for checking downloaded file checksum values in MS Windows, Mac, and Linux. Linux Mint uses a sha256 byte checksum.
You can use whatever DVD software you have installed to burn the “Linux Mint” iso file to a DVD (the free Ashampoo Burning software works great in MS Windows), or burn (write) the iso file to a USB stick (2gb or more) using “rufus”, “unetbootin”, “etcher”, etc.
The “PeaZip” archiving application includes the ability to compare and verify checksum values in addition to being an excellent archiving application (MS Windows and Linux).
A checksum is a string of text derived from the software using a hash function. No two checksum should be the same. When downloading software from the Internet, one way to verify its integrity is to compare its checksum with the one provided by the website. If they tally, then the software is genuine and has not been tampered with. Here we will show you how to check and verify checksums in Linux.
While this can be easily done in the terminal, you will learn here how you can check and verify checksums with a graphical tool: the ultra-simple GtkHash.
Installation
For most Linux distributions, you can find GtkHash in the package manager or Software Center. If you are on Ubuntu or a compatible distribution and installing from the terminal, you can install GtkHash with:
For openSUSE, you will have to add its repository before installing it. Look for more information here.
On Arch and Manjaro:
After it’s installed, find it among the rest of your installed applications and run it.
Create Hashes
GtkHash’s interface is pretty straightforward. To calculate hashes for one or more files, click on the friendly “Add” button on the top left.
Point the requester to the location of your files and select them. You can select multiple files by holding down the Ctrl key while clicking on them. Then, click on the “Open” button on the top right to complete the command.
GtkHash’s list will be populated by the files you selected. If you wish, you can add more files by repeating the previous step.
Click on the “Hash” button on the bottom right of GtkHash’s window to calculate the hashes for all the files in the list.
GtkHash calculates multiple hash types by default and will present them in columns next to each file.
To copy a file’s hash to the clipboard, right-click on the file and select your preferred hash type from the “Copy Digest” submenu. Then, paste the copied hash somewhere for future reference.
Alternatively, you can save the hash to a file through “File -> Save As.”
Check Hashes
To check a file’s data integrity with GtkHash, select “File -> Open” an choose the hash file that accompanied your main file. The hash file will usually have a “sha1,” “md5,” or “sfv” extension, and GtkHash supports all the popular ones.
When the file is loaded, click on the “Hash” button on the bottom right. GtkHash will calculate and compare the file’s hash with the reported one and present you with the results. As you can see in our screenshot, we had two matches and two failures.
More Hashes
GtkHash comes with the most popular hashing algorithms enabled, but they’re not the only ones it supports. For more, visit “Edit -> Preferences.”
You can choose from over two dozen different hash functions, among which you will probably find the one you prefer.
Comparing Checksum from the Terminal
If you are in a server environment, the only way to compare a checksum is via the terminal. Luckily, checking and creating file hashes on a terminal is just as easy as using a GUI. Most distributions come with a set of tools for the job. Some of the most popular ones are:
- md5sum
- shasum
- sha256sum
- sha384sum
- sha512sum
Their use is simple since they work in precisely the same way: you type their name, then the name of the file for which you want to calculate a hash. For example, to calculate the SHA-512 hash for an Arch Linux installation ISO we’ve downloaded, we used:
In the above, sha512sum was the command for the hash algorithm we’ve decided to use. After some waiting, we saw the SHA-512 hash on our screen.
In the future we may want to re-check our file, so we decided to output the results to a file instead of our screen. The hash commands don’t offer such functionality since it’s only a redirect away in Linux. By using a > symbol after the command and a filename, the output of the command is saved in the file instead of being printed on-screen. You can also use sha256sum :
This will output the results to a typical text file that you can check out. In it, you’ll find the file’s hash followed by its filename.
Checking a file against its hash only requires you to add a -c switch to the command and to use the hash file instead of the actual file. In other words, something like this:
While it is easy to verify checksums in Linux, it’s not realistic to check hashes for every single file. It’s something you should do for those sensitive data or the Linux ISO you downloaded from the Web. If you are using Mac, the same method applies.
Related:
OK’s real life started at around 10, when he got his first computer – a Commodore 128. Since then, he’s been melting keycaps by typing 24/7, trying to spread The Word Of Tech to anyone interested enough to listen. Or, rather, read.
- Tweet
One comment
Odysseas Kourafalos question for you. Could this hash tool or something similar be used to secure the integrity of a video ?
Comments are closed.
Affiliate Disclosure: Make Tech Easier may earn commission on products purchased through our links, which supports the work we do for our readers.
