SHA256 checksum

[linn]

Ok... I have no idea how to do this can someone explain step by step to verify that I have a good download of Linux?

also if I don't verify that my Linux download isn't corrupt will there be issues that will hinder Linux from working therefore I no that SHA256 checksum wasn't downloaded?

[jimallyn]

There are several tutorials available for this. This one was written by forums member Fred Barclay:

https://fred-barclay.github.io/VerifyLinuxMint/

Here's the official instructions from Mint developers:

https://linuxmint.com/verify.php

Fred Barclay, who wrote the first tutorial I linked to, says this one from phd 21 is better than his own:

viewtopic.php?f=42&t=226092&p=1192608#p1192608


Difficult to say what will happen if you have a corrupt download. It might fail to install, or it might install and then have difficult, hard to find, troubles show up later.

[Fred Barclay]

There are several tutorials available for this. This one was written by forums member Fred Barclay:

https://fred-barclay.github.io/VerifyLinuxMint/

Here's the official instructions from Mint developers:

https://linuxmint.com/verify.php

Fred Barclay, who wrote the first tutorial I linked to, says this one from phd 21 is better than his own:

viewtopic.php?f=42&t=226092&p=1192608#p1192608

Yup, phd21's is so much more in depth than mine.
We had a bit different goals. His tutorial is a veritable encyclopedia of great information, as is phd21 himself. I just wanted to write something simple that hopefully wouldn't be overwhelming for newbies... or even the most experienced of us. He suceeded. I'm not sure I did.

Actually, by now the instructions on the Mint page have greatly improved since I wrote my page (sorry, not knocking Clem or whoever had written the earlier version).

But getting back to the OP:
Hopefully, one of the three guides above can help you. If you've read 'em and can't make heads or tails, or get stuck, definitely let us know and someone will help you.

[phd21]

Hi "linn",

Welcome to the wonderful world of Linux Mint and its excellent forum !

Are you still on MS Windows, or using Linux Mint? Which versions?

The Linux Mint download files are being checked frequently nowadays, so you can be pretty secure that they are safe to use. It is still a good idea to check the downloaded file though. If the file was corrupted, it probably would not boot up or work.

If you get stuck doing something, then just ask here and someone will help you out.

To "Fred Barclay", Thank you my friend ...

And I agree that the instructions on the Linux Mint website have improved, since we wrote our posts ...

[Mr_Reed]

I took the time to download 2 LM ISO; Cinnamon 32bit and XFCE 32bit. I'm on a Windows machine trying to move from that to using LM, but I can't get the ISO authenticated and verified. Apparently they're hacked or modified by unknown sources. Surely 2 different LM ISO aren't bad? What would be the odds of that?

I'm on a metered connection, so downloading over and over again isn't possible. I'm trying to use Hash Tool to check the numbers, but I don't see a match. Am I doing something wrong, or can someone show me a way to verify these on Windows?

[rene]

Surely 2 different LM ISO aren't bad? What would be the odds of that?

If you were to be experiencing hardware issues (network, storage, memory, cpu, ...) then in fact pretty big. Those images contain significant number of bits, the toggling of any single one of which would cause a checksum error. This is however just to say that IF you are moving yourself off of Windows due to inexplicable crashes or corruptions you may need to scale things, but that indeed I'd expect that you are simply not checking correctly.

You are downloading 32-bit versions which might indicate that you are upgrading from Vista or even XP but Windows 7 (and later, supposedly) has available a built in checksum utility in CertUtil. For example, from a command prompt,

Code: Select all

CertUtil -hashfile C:\Users\Foo\Downloads\linuxmint-18.1-xfce-32bit.iso SHA256

This would print out the SHA256 hash in byte-sized chunks; compare with the hash for linuxmint-18.1-xfce-32bit.iso as provided by for example https://ftp.heanet.ie/mirrors/linuxmint ... 256sum.txt. Just now verified this to work fine on a Windows 7 Starter system. CertUtil is I believe part of the browser and you may as such have it installed on Vista or XP as well.

I didn't install "Hash Tool" (this one? https://www.digitalvolcano.co.uk/hash.html) so as to avoid having to first check for spy- or other forms of malware but be sure to choose the SHA256 hash if you use that.

[killer de bug]

Surely 2 different LM ISO aren't bad? What would be the odds of that?

Either your downloads are bad. Or the way you check the iso is not good. Could you please post more details about what you did and the result you got?

[Portreve]

also if I don't verify that my Linux download isn't corrupt will there be issues that will hinder Linux from working therefore I no that SHA256 checksum wasn't downloaded?

These days, there's more at stake than just the normal integrity of the disk image. You also have deliberate attempts at sabotage (for purposes of spying, injecting malware, etc.) and I would think checking SHA sums is now more important than ever.

[Mr_Reed]

If you were to be experiencing hardware issues (network, storage, memory, cpu, ...) then in fact pretty big. Those images contain significant number of bits, the toggling of any single one of which would cause a checksum error. This is however just to say that IF you are moving yourself off of Windows due to inexplicable crashes or corruptions you may need to scale things, but that indeed I'd expect that you are simply not checking correctly.

You are downloading 32-bit versions which might indicate that you are upgrading from Vista or even XP but Windows 7 (and later, supposedly) has available a built in checksum utility in CertUtil. For example, from a command prompt,

Code: Select all

CertUtil -hashfile C:\Users\Foo\Downloads\linuxmint-18.1-xfce-32bit.iso SHA256

This would print out the SHA256 hash in byte-sized chunks; compare with the hash for linuxmint-18.1-xfce-32bit.iso as provided by for example https://ftp.heanet.ie/mirrors/linuxmint ... 256sum.txt. Just now verified this to work fine on a Windows 7 Starter system. CertUtil is I believe part of the browser and you may as such have it installed on Vista or XP as well.

I didn't install "Hash Tool" (this one? https://www.digitalvolcano.co.uk/hash.html) so as to avoid having to first check for spy- or other forms of malware but be sure to choose the SHA256 hash if you use that.

You are correct I'm doing this on Vista. I ran the CertUtil, and it gives an error of "too many arguments"
Yes I used the Hash Tool from digital volcano. I assume it's clean, as it's been on my computer for awhile now. I don't suspect anything. And I can match the sha256, but I'm not sure this is really verifying or authenticating as I'm assuming someone could changs these numbers

[austin.texas]

This might help.
How to verify a Linux Mint 18 ISO image on Windows

[Mr_Reed]

Surely 2 different LM ISO aren't bad? What would be the odds of that?

Either your downloads are bad. Or the way you check the iso is not good. Could you please post more details about what you did and the result you got?

For one thing, I don't know how to properly use the two files on the LM verify page. One is sha256.txt, and the other is something else.

[rene]

You are correct I'm doing this on Vista. I ran the CertUtil, and it gives an error of "too many arguments"

Google confirms that the Vista edition of CertUtil only supports SHA1. Very helpful indeed. In any case:

And I can match the sha256, but I'm not sure this is really verifying or authenticating as I'm assuming someone could changs these numbers

What you are doing when comparing the SHA256 hash is verification: verifying that the iso that you have on your system matches the one that is on the server from which you downloaded both it and the sha256sum.txt file; that there were no errors introduced during download.

If you moreover trust that server enough to assume that the iso and sha256sum.txt on it are legit, as by and large you can if you picked an official mirror, you could consider your downloaded iso authenticated at that point. Further steps are guarding against one-in-a-million situations and you should feel free to use your own judgement as to what level of vigilance you consider to still fall within bounds of sanity -- and especially since actual GPG-based authentication is a bit of a disaster on Windows. But if you insist: see the link that austin.texas just provided.

I'd advise to stop worrying and install it already though...

[killer de bug]

For one thing, I don't know how to properly use the two files on the LM verify page. One is sha256.txt, and the other is something else.

You need to compare the result from the sha256 check with the content of sha256.txt. Be careful not to compare it with a sha1 process.

[Mr_Reed]

For one thing, I don't know how to properly use the two files on the LM verify page. One is sha256.txt, and the other is something else.

You need to compare the result from the sha256 check with the content of sha256.txt. Be careful not to compare it with a sha1 process.

How do I do the sha256 check when I am on Microsoft Windows Vista?

[Mr_Reed]

Google confirms that the Vista edition of CertUtil only supports SHA1. Very helpful indeed. In any case:

What you are doing when comparing the SHA256 hash is verification: verifying that the iso that you have on your system matches the one that is on the server from which you downloaded both it and the sha256sum.txt file; that there were no errors introduced during download.

If you moreover trust that server enough to assume that the iso and sha256sum.txt on it are legit, as by and large you can if you picked an official mirror, you could consider your downloaded iso authenticated at that point. Further steps are guarding against one-in-a-million situations and you should feel free to use your own judgement as to what level of vigilance you consider to still fall within bounds of sanity -- and especially since actual GPG-based authentication is a bit of a disaster on Windows. But if you insist: see the link that austin.texas just provided.

I'd advise to stop worrying and install it already though...

So is verify and authenticate the same here? Anybody familiar with Hash Tool from digital volcano?

[killer de bug]

How do I do the sha256 check when I am on Microsoft Windows Vista?

I found this using google: https://bhoover.com/how-to-verify-checksum-windows/

[Faust]

How do I do the sha256 check when I am on Microsoft Windows Vista?

I found this using google: https://bhoover.com/how-to-verify-checksum-windows/

This tool from Raymond always served me well in Windows .
https://raylin.wordpress.com/downloads/ ... m-utility/

[Mr_Reed]

Would the sha256 numbers for LM 32bit xfce and 32 cin be allowed to be posted here, or does that defeat the security of the whole deal? I notice some places appear to just post the numbers

[killer de bug]

You can for sure post them here. And then we will tell you if these are the right signatures.
The more you spread them, the more you increase the security. If someone try to hack the signature.txt files on the server, some users will realize it doesn't match with the blog post or with the forum posts anymore.