View Full Version : problem with the hash matching

9th May 2010, 05:05 AM
i've heard alot of good things about fedora. it's hard not to notice that it's one of the most popular distros around. i'd sure like to see why so many people like it.
i tried to download an iso for fedora 12 and get the hash to match and they wouldn't (the hash was a little difficult to find as well). i went to fedoraproject and the hash wasn't available with the iso. i'm kinda new to this procedure, but i've been able to make it work a few times for other distros.
i'm sure you guys here know exactly which iso and hash to use and could point me in the right direction. i just want the regular desktop version for 32 bit.
there's probably something i am doing wrong. it would be good to have someone say "hey, you have to do this instead of this".

9th May 2010, 07:51 AM
Here's the official download site. If you click on "Download Now!", it downloads the default desktop edition (Gnome) liveCD. If you click on the link "Verify your download"


and then on the link for Live Media i386


it will open the checksum for your download. Hope this was clear enough.

9th May 2010, 11:15 AM
The SHA1 SUM in big letters is for the gpg signing. The hashes are actually sha256. Run sha256sum against the download, not sha1sum.

This is fixed, by the way, in F13, there is a message that the checksums for the isos are sha256.

9th May 2010, 05:04 PM
I also just discovered a nice gui app called gtkHash that will calculate different varieties of hash against a downloaded iso for you. I downloaded the F13 live cd and looked at the -checksum but forgot the syntax to calculate the various hash types, and kept getting 'command not found'.

Then I found this package, very helpful.

9th May 2010, 06:01 PM

i was going through the process of verifying the download.
the instructions that say:
"Next, import Fedora's GPG key(s):"
i entered the code into the terminal, see the attached screenshot.

9th May 2010, 07:31 PM

"The SHA1 SUM in big letters is for the gpg signing"
i don't know what this means. what is gpg signing?

"The hashes are actually sha256. Run sha256sum against the download, not sha1sum. "
this is new territory for me, but i did try it. see the attached screenshot.


i know about, and have used gtkhash. that program doesn't help here. i wish it did (if it does, show me how).

iso's are easy enough to get. verifying them is hard.
thanks to all who replied.

9th May 2010, 08:33 PM
The GPG signing is the signature for the hashes. That is, there is a signature to verify that the hashes were legitimately uploaded. Unfortunately, the way the page is laid out, it looks as if you want to check sha1sum rather than sha256sum. Folks like stoat, who work with these a lot, feel it's easy to recognize by the length of the checksum that it's sha256, and not sha1, but folks like myself disagree and simply wonder why out of the 300 plus distros around, Fedora was the only one unable to get it right.

Regardless, it has been fixed.

Now, as for the attached thumbnail, it looks as if you weren't in the same directory as the iso. (By the way, the command doesn't require sudo, as long as you have permissions in the directory to which you downloaded the iso, you can run <whatever>sum on a file in it.

However, let's make sure you have sha256sum

which sha256sum

should return /usr/bin/sha256sum

If, instead, it says something about no sha256sum in <list of directories> then something's wrong, as it should be in the base installation.

Otherwise, just make sure that you are in the same directory as the iso and that you have its name right. (Actually, you should just be able to run sha256sum Fedora- and hit the tab key and should get a result.)

9th May 2010, 09:43 PM

"The GPG signing is the signature for the hashes. That is, there is a signature to verify that the hashes were legitimately uploaded"
if the signature is a fraud, the hashes could be frauds, and the iso could be a fraud/corrupted, and a hacker can live in your computer after you install the os.

"However, let's make sure you have sha256sum

which sha256sum

should return /usr/bin/sha256sum"
yep, i have it. see the screenshot.

9th May 2010, 09:57 PM

i just wanted to also prove to you that i was in the right directory for the sha256sum.
see the screenshot.
this should be working. i am just not good at the terminal.

9th May 2010, 09:58 PM
On the page where you downloaded the iso, there should be another file similar to this:

Fedora-13-i686-Live-CHECKSUM 07-May-2010 21:58 90
Fedora-13-i686-Live.iso 07-May-2010 21:54 676M
When you click on the link for the CHECKSUM (or it may be called something slightly different), you'll see something that looks like this:
59cc9fd9144aba9dfb0189d8ef48842e65fdcf85efd7339b8f aa1201e9a6787f Fedora-13-i686-Live.iso
Which is exactly what I was looking at last night. I didn't know if it was a sha256 sum or an md5 or what, so that's why gtkHash came in handy. It turns out it's a 256sum.

So what you want to do while in a terminal window is type something similar to:
sha256sum Fedora-13-i686-Live.iso (similar because you'll have a different file name), and when I typed Fed I then hit tab to auto-complete because it was the only Fedora iso in there. You will then get output similar to:
59cc9fd9144aba9dfb0189d8ef48842e65fdcf85efd7339b8f aa1201e9a6787f Fedora-13-i686-Live.iso Since the sum I got from the downloaded iso matches the sum that was on the checksum given on the download page, I know that my download is good and I can happily burn the image to CD. Also, one thing I read somewhere advises that on the sum output, you don't have to go cross-eyed to make sure each digit in the long string is exactly the same. Just look at the first 4 or 5 digits and then the last 4 or 5 digits to make sure they match. IF there's a problem with the download, those will not match.

9th May 2010, 11:15 PM
Is the iso downloaded to desktop? If you used firefox, it would probably be in something like Desktop/Downloads

First, find out exactly where you have the iso.

ls Desktop

If there's no is there, that's why the command isn't working. In the second screenshot you showed, you didn't type the correct name. What I was saying was that if you're in the directory containing the iso, and type Fedora- or even just Fedora, and then hit the tab key, it should complete the name.

For example, I cd to the directory where I have a Fedora iso

cd iso

(iso is the name of the directory)

sha256sum Fed<hit tab key>
and now the command shows as

sha256sum Fedora-13-Alpha-i386-netinst.iso

The tab key will autocomplete the file name.

If it doesn't, that is, if, in a different directory, I type

sha256sum Fedo <hit tab key> I get nothing.

So, first make sure you're in the same directory.


If you don't see the Fedora iso, then find out where you downloaded it. As I said, it's often in a directory called Downloads or downloads.

10th May 2010, 02:40 AM

i agree with just about every thing that you say, except, i choose to take the time to check every digit of the hash. i just want to be certain.
even though a newbie, i can just about tell the difference between a md5, sha1, and a sha256 by how long it is.


i took another screenshot, double checked /usr/bin/sha256sum, checked the downloads folder, it was empty, and that the iso is definitely on the desktop. yes, i understand what you were getting at by typing fedora and pressing tab invokes the autocomplete. the rest of the file name will be added automatically by the computer.
here in the screenshot you can see the file on the desktop and the commands i used. i know i can get this to work, but i am just doing something wrong, but i don't know what. i usually try to avoid the terminal because everything needs to be perfect for it to work.

to both,
i was able to verify that my download was indeed pure, but i did it on windows. i transferred the iso via a flash drive and used a program called "hashcalc". it can be obtained from cnet, so it is without malware. i also successfully burnt the iso to disk. i have yet to try it, because i really want to learn how to do this task first. it's important to me that i know how to get the hash with the terminal.
i have a few more ideas that i need to try. i haven't quit yet.
thanks for the replies.

10th May 2010, 02:53 AM
but i still don't know why. here's a screenshot of the successful command.
i've looked it over, and i can't see any difference. i have to look better. maybe you guys will see right away, some subtle difference that would matter.
thanks again.

10th May 2010, 02:57 AM
Hrrm, it still looks as if you're not in the same directory.

Please do the following

cd Desktop

ls |grep Fedora > fedora.txt

cat fedora.txt

Assuming the Fedora isoIf it comes back with Fedora-12.i686.iso (or whatever it was, I've closed the screenshot), please try again, without sudo. That shouldn't make a difference, but the command output that you're showing indicates that it can't find the iso file.

---------- Post added at 09:57 PM CDT ---------- Previous post was at 09:54 PM CDT ----------

Oopps, you posted while I was typing. Glad you solved the mystery. :)

Sometimes, it's some typo that we miss, or accidentally put a space before or after the command, or some other oddity.

10th May 2010, 03:16 AM

i found the fault.
between "i686" and "Live" needs to be a dash/hyphen "-".
i mistakenly had a period/dot "."

i promise to get it right from now on, lol.

thanks for all your help. now i can try out fedora. hope it works for me.:)

10th May 2010, 05:42 AM
Even the most experienced make typos--and then spend 20 minutes looking at it before realizing what it was.

10th May 2010, 09:12 PM

if i still have you with me, i see where the potential for a problem may always lie. it's the fact that these long file names are begging for a mistake to be taken (and in all fairness, this file name was not really that long). i actually tried copy and pasting the name, but i happened to be using an OS that wouldn't allow it. hence the mistake by typo, then when i used the autocomplete feature suggested by you and CiaW, the autocomplete put into the terminal the correct file name.
would you happen to know about any foolproof way to copy and paste the files name. Let's just assume that the file is on the desktop (since it was, and probably always will be, that makes it simple). I tried right-clicking on the file and stealing the name out of the properties window. sometimes it's possible, but not always. even copying the name out of the terminal would be ok too. i know shift + insert can put text into the terminal, but copying i don't know how to do.
also that was awesome how you showed me where to find/verify the sha256 program/application.

i actually need to study the whole thread a few more times and let all that new info sink in. two weeks ago i had only a vague idea what an md5 hash was.

just to let you know, fedora is a great distro. it installed and has been working nicely. i can see why so many people like it. for me, it's right up there with hardy heron and pc-os version 8.04.

10th May 2010, 10:31 PM
Hrrm, well, I just use tab completion and that gets it for me. I suppose you could do something like

ls |grep Fedora > Fedora.txt

Hopefully, Fedora.txt would read something like Fedora-whatever.iso


sha256sum $(cat Fedora.txt)

(This is untested, but should work.)

11th May 2010, 03:01 AM

i didn't think i had a pipe key, but once again i was mistaken. |
ok, i got it.

ls |grep distro > distofilenametext.iso

for me i think the next command will start with sudo

sudo sha256sum distrofilenametext.iso

thanks for all your help, smr54. i'm most grateful.

11th May 2010, 03:14 AM
Glad it helped.

2nd July 2010, 09:40 PM
Why all this hash-tings ?
Download Fedora with a torrent-client in windows (like u-torrent (http://www.utorrent.com/)) and burn iso on cd or dvd (try deepburner (http://www.deepburner.com/download/DeepBurner1.exe)(free)).
The torrent client checks hash automatically.
Here is torrents for all fedora dist. : http://torrent.fedoraproject.org/
See http://fedoraproject.org/wiki/Distribution/Download/BitTorrent for a guide to using BitTorrent.
I did these things and it worked perfectly first time I did it.
Sheers !