View Full Version : How to verify the download?

7th December 2009, 01:32 PM

I'm having trouble understanding how to verify the download of the Fedora iso-files. I would appreciate to know how to do this on a Windows system. Thanks.

I have been looking in the help section for checking the iso-files, but I'm not sure where to find the right hashes, like MD5, SHA1, and etc.


7th December 2009, 01:40 PM
You google for the windows version that you need.
Download it.
Copy and paste it to the dir that you have your iso files.
run it, i.g. sha256sum.exe mydownloaded.iso
It will return an value, compare that to the value from the download site.

Fedora 12 needs sha256sum.exe


8th December 2009, 07:43 AM
Okay, thanks. But if I've not missed some links or info on these sites, the download pages don't provide any hashes. Though, the verify page (https://fedoraproject.org/en/verify) does, but this page also states:

"Please note that the Hash: SHA1 line in the CHECKSUM file is part of the PGP signature. It does not specify the type of hash used to verify the .iso files."
And you say that it uses SHA256.

Is it a PGP-signature, SHA1 hash, SHA256 hash, or what?
And on the site for windows users (http://docs.fedoraproject.org/readme-burning-isos/en_US/sn-validating-files.html), there isn't any hashes nor any links to hashes.

This is so confusing, lol. I've just been on the openSUSE site, and they seem to have succeeded in making this way more better. They also provide several hashes; like me who uses MD5.

8th December 2009, 12:04 PM
Is it a PGP-signature, SHA1 hash, SHA256 hash, or what?
It's a PGP/GPG-signed SHA256 hash. Use sha256sum to check the .iso file and optionally use PGP or GPG to check the signature of the hash.

And on the site for windows users (http://docs.fedoraproject.org/readme-burning-isos/en_US/sn-validating-files.html), there isn't any hashes nor any links to hashes.
Links to hashes are on the Verify your ISO download (https://fedoraproject.org/en/verify) page, linked from the Get Fedora (http://fedoraproject.org/en/get-fedora.html) page. If you use Bittorrent to download the .iso files, the checsum file is downloaded automatically to the same directory as the .iso.

8th December 2009, 12:28 PM
I believe the pgp sig is actually SHA1, which is what the hash SHA1 refers to on the pages. There's an article on verifying hash and download.


In practice, I think most people just get the ISO and want to verify that. The sums listed for the iso's are sha256.

8th December 2009, 03:01 PM
The test on the installer is still sha1 because it was to late for the release eng to change it without breaking the rules he was trying to enforce. But if the iso checks out good with th sha256sum then skipping the installer's check is not critical.


8th December 2009, 04:01 PM
The following is from my howto file for verifying a burned cd/dvd iso:

For the new cd.
readcd dev=/dev/hdc sectors=0-`isosize -d 2048 /dev/hdc` retries=0 f=- | md5sum

For the iso--
md5sum <cd_image.iso>

Compare the check-sums.

The programs readcd and isosize have always been automatically installed. THIS ONLY WORKS FROM THE LINUX SIDE!