How to check a downloaded file's signature and SHA-256 checksum
Maybe I have been negligent about verifying the software I download over the Internet, but neither I nor anybody I have ever met has tried to verify the checksum of the content we download. Because of this, I have no idea how to verify the integrity of a downloaded item. Usually this would start on the owner's side, displaying the checksum for the file that you wish to download.

Which would look something like the following: Now, depending on what operating system you are using, once you have downloaded the required file you can compute a hash of it. First navigate to the directory of the file you downloaded, then:

The issue with checking a hash from a website is that it doesn't establish that the file is safe to download, just that what you have downloaded is the correct file, byte for byte. If the website has been compromised, then you could be shown the hash for a different file, which in turn could be malicious.

A checksum simply verifies, with a high degree of confidence, that there was no corruption causing a copied file to differ from the original (for varying definitions of "high"). In general a checksum provides no guarantee that intentional modifications weren't made, and in many cases it is trivial to change the file while still having the same checksum.

Cryptographic hashes provide additional properties over simple checksums: all cryptographic hashes can be used as checksums, but not all checksums are cryptographic hashes.

Cryptographic hashes that aren't broken or weak provide collision and preimage resistance. Collision resistance means that it isn't feasible to create two files that have the same hash, and preimage resistance means that it isn't feasible to create a file with the same hash as a specific target file. MD5 and SHA1 are both broken in regard to collisions, but are safe against preimage attacks; due to the birthday paradox, collisions are much easier to generate.

SHA-256 is commonly used today, and is safe against both. If you plan to use a hash to verify a file, you must obtain the hash from a separate trusted source. Retrieving the hash from the same site you're downloading the files from doesn't guarantee anything. If an attacker is able to modify files on that site or intercept and modify your connection, they can simply substitute the files for malicious versions and change the hashes to match.

Using a hash that isn't collision resistant may be problematic if your adversary can modify the legitimate file (for example, by contributing a seemingly innocent bug fix). They may be able to create an innocent-looking change in the original that causes it to have the same hash as a malicious file, which they could then send you.

The best example of where it makes sense to verify a hash is when retrieving the hash from the software's trusted website (using HTTPS, of course) and using it to verify files downloaded from an untrusted mirror. On Linux you can use the md5sum, sha1sum, shasum, etc. utilities. Connor J's answer gives examples for Windows.

Unlike checksums or hashes, a signature involves a secret.

This is important, because while the hash for a file can be calculated by anyone, a signature can only be calculated by someone who has the secret. Signatures use asymmetric cryptography, so there is a public key and a private key. A signature created with the private key can be verified by the public key, but the public key can't be used to create signatures.

This way, if I sign something with my key, you can know for sure it was me. Of course, now the problem is how to make sure you use the right public key to verify the signature.

Key distribution is a difficult problem, and in some cases you're right back where you were with hashes: you still have to get the key from a separate trusted source.

But as this answer explains, you may not even need to worry about it.

SHA-256 creates the digest, or hash value, of a file; once the file is tampered with or modified, the digest changes. Each Linux distribution ships tools for the various checksum algorithms, and we can use them to generate and verify checksums.
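The point made in the answer above, that a simple checksum can be defeated by a compensating edit while a cryptographic hash cannot, as an added example (this is not code from the original page or its answers). A 16-bit byte-sum checksum, computed with od and awk, stands in for the "simple checksum"; the two files and their contents are constructed for the demo; sha256sum (coreutils) or shasum (Perl) are the real tools.

```shell
#!/bin/sh
# Added example (not from the original page): a weak byte-sum checksum versus
# SHA-256 on two constructed files. bytesum() is the "simple checksum" stand-in;
# od, awk, sha256sum and shasum are the real tools.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 16-bit byte-sum checksum: add up every byte of the file modulo 65536.
bytesum() {
    od -An -v -tu1 "$1" | awk '{ for (i = 1; i <= NF; i++) s += $i } END { print s % 65536 }'
}

# SHA-256 digest of a file via sha256sum (coreutils) or shasum -a 256 (Perl).
sha256_of() {
    { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi; } \
        | cut -d' ' -f1
}

# Original instruction plus a free-text note the attacker can also edit.
printf 'pay 100 to alice\n# ref: xxxx\n' > "$WORK/original.txt"
# Tampered copy: '1' (0x31) -> '9' (0x39) raises the byte sum by 8, so the
# attacker lowers one note byte by 8 ('x' 0x78 -> 'p' 0x70) to compensate.
printf 'pay 900 to alice\n# ref: xxxp\n' > "$WORK/tampered.txt"

# 0 when both files have the same byte-sum checksum.
same_bytesum() { [ "$(bytesum "$1")" = "$(bytesum "$2")" ]; }
# 0 when both files have the same SHA-256 digest.
same_sha256()  { [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]; }

if same_bytesum "$WORK/original.txt" "$WORK/tampered.txt"; then
    echo "byte-sum checksum $(bytesum "$WORK/original.txt"): tampered file passes"
fi
if ! same_sha256 "$WORK/original.txt" "$WORK/tampered.txt"; then
    echo "SHA-256: tampered file detected"
fi
```

The same trick works against any checksum that is linear in the input bytes (a CRC needs a few more bytes of padding but is defeated just as cheaply); it does not work against SHA-256, where finding a second input with the same digest is the second-preimage problem the answer describes.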

Some of the command-line checksum tools are listed below; apart from these, shasum and the other sha*sum utilities are also available. Checksum files are available for download from most distributions alongside their ISO files. Once the checksum file is downloaded, we can verify the ISO against it with the command below. An OK in the output means that the downloaded file is neither corrupted nor tampered with (assuming the checksum file itself came from a trusted source, as the answers above explain); no file was modified during the download.

If the checksum does not match, the file has to be downloaded again; otherwise we cannot use the distribution. With the help of GtkHash, we can also verify the checksum graphically. Although I use the example of an ISO image, any file can be verified, as long as a checksum and a digital signature are available. For instance, that is the case for the files available for download on the VeraCrypt software website.

The process may differ a bit from one distribution to another, but it usually follows that general pattern. For example, there are several different checksum algorithms. MD5 used to be the most popular, but it has been replaced by the SHA-2 family (SHA-256 here), which resists the collision attacks that are practical against MD5. Terminal is an application that receives text-based commands.

It is different from most applications, which you control with the mouse by clicking buttons and menus. To start Terminal, open the Activities overview by clicking Activities in the top-left corner of the screen, or by pressing the Super key (on some keyboards it shows the Windows logo).

Type terminal and click its icon. Terminal is launched. To execute a command (also called running a command), you type it and press Enter. If Terminal is being used by the administrator (also known as the superuser or root user), the prompt ends with the hash character (#) instead of the dollar sign ($).

When you finish downloading, there should be two files in your Downloads folder: the ISO image and its checksum file. Tip: you can copy from and paste into the Terminal. When you run that command, Terminal shows the following text, which is the output (or return) of that command:

In short, gpg reports that it has created some configuration files, because it has been run for the first time, and that it has imported the openSUSE key. Compare the fingerprint returned by gpg with the one on the openSUSE website. The first line of the checksum output means the checksums match, so from the integrity point of view the downloaded ISO image is safe to use. You can proceed to the authenticity verification.

If the computed and expected checksums differ, the command output is different. In that case it is not safe to use the downloaded ISO image: it is broken (or has been altered) and should be downloaded again. The second line warns about some lines of the checksum file that shasum does not understand (the openSUSE checksum file is a PGP-signed text, so it also contains signature lines that are not checksums). Just out of curiosity, if you want to see those lines, you can open the checksum file in the terminal itself, since it is a text file:

The cat command shows the contents of a text file.
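The whole procedure above (checksum, fingerprint, signature) run end to end, as an added example; this is not the tutorial's own code. It assumes sha256sum or shasum is installed and gpg optionally; the ISO image is replaced by a constructed file, the openSUSE project key by a throw-away key generated in a temporary GNUPGHOME, and the names demo.iso, demo.iso.sha256 and demo@example.invalid are made up for the demo. It also shows the case the tutorial does not: a mirror that swaps the image and rewrites the checksum file to match, which only the signature check catches.

```shell
#!/bin/sh
# Added example, not the tutorial's code: integrity (sha256sum -c against a
# clearsigned .sha256) and then authenticity (gpg --verify), run end to end on
# a constructed stand-in for the ISO with a throw-away key instead of the
# openSUSE project key. Needs sha256sum or shasum; gpg is optional.
set -u
WORK=$(mktemp -d)
DEMO_KEYRING=""   # temporary GNUPGHOME once created, so the trap can stop its agent
trap '[ -n "$DEMO_KEYRING" ] && GNUPGHOME=$DEMO_KEYRING gpgconf --kill all 2>/dev/null; rm -rf "$WORK"' EXIT

# sha256sum (coreutils) or shasum -a 256 (Perl); both use the "DIGEST  FILE" format.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# The two "downloaded" files. A real .sha256 is PGP clearsigned text, so the
# checksum line is surrounded by lines sha256sum/shasum do not understand;
# that is the "improperly formatted lines" warning seen in the tutorial.
make_download() {
    printf 'constructed stand-in for an ISO image\n' > "$WORK/demo.iso"
    {
        printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' ''
        (cd "$WORK" && sha256_tool demo.iso)
        printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '(armored signature omitted)' '-----END PGP SIGNATURE-----'
    } > "$WORK/demo.iso.sha256"
}

# Integrity: exit 0 when the image matches its checksum line ("demo.iso: OK").
check_integrity() { (cd "$WORK" && sha256_tool -c demo.iso.sha256); }

# A corrupted or substituted download: one extra byte fails the check above.
corrupt_image() { printf 'x' >> "$WORK/demo.iso"; }

# Real procedure: import the vendor key and compare its fingerprint with the
# one on the vendor website. Here a key is generated in a temporary GNUPGHOME.
# Returns 2 when gpg is missing or cannot run in this environment.
setup_signing_key() {
    command -v gpg >/dev/null 2>&1 || return 2
    DEMO_KEYRING="$WORK/gnupg"; mkdir -p "$DEMO_KEYRING"; chmod 700 "$DEMO_KEYRING"
    export GNUPGHOME="$DEMO_KEYRING"
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' default sign never \
        >/dev/null 2>&1 || return 2
}

# The value to compare against the published fingerprint (40 hex digits for v4 keys).
key_fingerprint() {
    gpg --batch --with-colons --fingerprint demo@example.invalid 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# What the vendor does: a detached, ASCII-armored signature over the checksum file.
sign_checksum_file() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --output "$WORK/demo.iso.sha256.asc" --detach-sign --armor "$WORK/demo.iso.sha256" \
        >/dev/null 2>&1
}

# Authenticity: exit 0 only if the checksum file is byte for byte what was signed.
check_signature() {
    gpg --batch --verify "$WORK/demo.iso.sha256.asc" "$WORK/demo.iso.sha256" >/dev/null 2>&1
}

# A compromised mirror can swap the image and rewrite the checksum file to
# match, so sha256sum -c still says OK; it cannot produce a valid signature.
replace_checksum_line() { (cd "$WORK" && sha256_tool demo.iso > demo.iso.sha256); }

make_download
check_integrity && echo "step 1: image matches the checksum file"
if setup_signing_key; then
    sign_checksum_file
    echo "key fingerprint to compare with the vendor site: $(key_fingerprint)"
    check_signature && echo "step 2: checksum file signature is good"
    corrupt_image; replace_checksum_line
    check_integrity >/dev/null 2>&1 && echo "after mirror-side substitution: checksum still OK,"
    check_signature || echo "but the signature no longer verifies: do not use this image"
else
    echo "gpg not usable here, skipping step 2"
fi
```

Note that the signature here covers the checksum file, not the image: the image's authenticity follows only because step 1 ties the image to that file and step 2 ties the file to the key whose fingerprint you checked against the vendor's website. Skipping either step, or comparing the fingerprint against a value fetched from the same mirror, leaves the chain open.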


