Updated 6/11/2010
The ISO files that are downloaded from the Internet to create Fedora installation disks and LiveCDs should be verified for data integrity by generating a hash sum from the downloaded file and comparing it to a known good hash sum. The hash sum (or hash) that you generate from your downloaded ISO file is a numerical string derived by a complex mathematical calculation performed on the file. If the two hashes match, it means the downloaded file is identical to the file on the download server.
A Brief History of Fedora ISO Checksums
There are various kinds of hashes. Before Fedora Core 4, the ISO files that were used to create Fedora installation disks were accompanied by a text file named MD5SUM that contained MD5 hashes for the ISO files. To verify a downloaded ISO file that has an MD5 hash for comparison, you must use either md5sum (in Linux) or md5sum.exe (in Windows) to create hashes from your downloaded files for comparison with the hashes in the MD5SUM file.
Starting with Fedora Core 4, the ISO files were accompanied by a text file named SHA1SUM that contained the SHA-1 hashes for the ISO files. To verify a downloaded ISO file that has an SHA-1 hash for comparison, you must use either sha1sum (in Linux) or sha1sum.exe (in Windows).
Recently, another change in the checksum method occurred with the release of Fedora 11. Checksums are now SHA-256 hashes. To verify a downloaded ISO file that has an SHA-256 hash for comparison, you must use either sha256sum (in Linux) or sha256sum.exe (in Windows).
The syntax and options for all of these commands are basically the same. Anywhere the command sha256sum is used below, sha1sum or md5sum can be substituted, and anywhere sha256sum.exe is used below, sha1sum.exe or md5sum.exe can be substituted. A few exceptions exist and are noted below. The ideas presented here will therefore work to verify an ISO file for any version of Fedora, including archived versions. The salient point to remember (though it is often forgotten) is to use the correct checksum utility for the situation.
Verify a Downloaded Fedora ISO
Before starting, you need the checksum text file that contains the hash for the ISO file that you downloaded. The checksum file can be found in the same place from which the ISO file was downloaded. It's usually in the same subdirectory and nowadays will have a filename such as "Fedora-13-i386-CHECKSUM". There are other *-CHECKSUM files for the other versions of Fedora (i386, x86_64, Live, Live-KDE, and so on). Download the CHECKSUM file that contains the hash for your ISO file.
Next, generate a hash from your downloaded file. If you are working in Linux, the sha256sum utility is usually already installed in Fedora. Open a terminal, change directories to where the ISO file is stored, and run the command like this...
Code:
sha256sum [ISO filename(s)]
Example...
Code:
$ cd Desktop
$ sha256sum Fedora-13-i386-DVD.iso
e499f393898231b2c49f176cc852c119b28fa0c60198d159a4c9a585c95fe0c3 Fedora-13-i386-DVD.iso
It may take several minutes to get the result for a large file such as a Fedora DVD ISO. The long hexadecimal string returned by the command in that example is the SHA-256 hash, which can now be compared to the hash for the i386 Fedora 13 DVD ISO in the file Fedora-13-i386-CHECKSUM. Example...
Code:
# cat Fedora-13-i386-CHECKSUM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
# The PGP checksum uses sha1sum.
# The image checksum(s) are generated with sha256sum.
e499f393898231b2c49f176cc852c119b28fa0c60198d159a4c9a585c95fe0c3 *Fedora-13-i386-DVD.iso
b57923430d89395d4674783507ca26920a86c816e334a23aed6da31e7a3039ff *Fedora-13-i386-disc1.iso
e70684c87128d10aeff692d163cb7104ceb902f3270ab1efe01247b7ad65cb14 *Fedora-13-i386-disc2.iso
73f5a6c4d7b27d0902e0ac4c2a6506cc80ba4d40ba77701341a142c8ef4a3edd *Fedora-13-i386-disc3.iso
ff078b7119550479e189a95b440e603b67aa094b36e3b5407c9a3539c1eaeedb *Fedora-13-i386-disc4.iso
7b5099fc27d9950cf48db447df5579d5261b1664e6c6306994c28e12cb162d6f *Fedora-13-i386-disc5.iso
1a683965fb21fd7342127eb4b5cc0ef007e45fabf6c90d0fd6facfc7d1bdaf89 *Fedora-13-i386-netinst.iso
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
=BjUw
-----END PGP SIGNATURE-----
If you are working from Windows, download the DOS utility sha256sum.exe to your Windows directory. Open a Command Prompt window, change directories to where the ISO file is stored, and run the same command as in the Linux example.
If the hashes match, then you can confidently continue with the process of creating the disk. But remember that the subsequent steps, devices, and disk media involved in burning the disk can also be a source of errors in the final product.
Using the -c Option
Not only can sha256sum generate hashes, but it also can do the comparison if a file containing the known good hashes in the proper format is included in the directory with the ISO file(s) to be verified. That is what the -c option does. When used in this way, the result is returned as OK, FAILED, or No such file or directory. The simplest thing to do is to download the text file *-CHECKSUM and the ISO file(s) to the same directory. Then execute the command like this example...
Code:
sha256sum -c Fedora-13-i386-CHECKSUM
This example uses sha256sum with the -c option to verify the first two CDs of the CD set...
Code:
$ ls
Fedora-13-i386-CHECKSUM Fedora-13-i386-disc1.iso Fedora-13-i386-disc2.iso
$ sha256sum -c Fedora-13-i386-CHECKSUM
sha256sum: Fedora-13-i386-DVD.iso: No such file or directory
Fedora-13-i386-DVD.iso: FAILED open or read
Fedora-13-i386-disc1.iso: OK
Fedora-13-i386-disc2.iso: OK
sha256sum: Fedora-13-i386-disc3.iso: No such file or directory
Fedora-13-i386-disc3.iso: FAILED open or read
sha256sum: Fedora-13-i386-disc4.iso: No such file or directory
Fedora-13-i386-disc4.iso: FAILED open or read
sha256sum: Fedora-13-i386-disc5.iso: No such file or directory
Fedora-13-i386-disc5.iso: FAILED open or read
sha256sum: Fedora-13-i386-netinst.iso: No such file or directory
Fedora-13-i386-netinst.iso: FAILED open or read
sha256sum: WARNING: 5 of 7 listed files could not be read
The Windows/DOS versions of sha256sum.exe, sha1sum.exe, and md5sum.exe may not offer the -c option. If not, manually generate the hash and compare it to the known good hash.
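The -c run above prints a FAILED line for every listed image that is not in the directory, and the manual comparison is easy to get wrong by eye. As an added example (not part of the original post), this shell script checks a single image against its own line in a Fedora-style *-CHECKSUM file. The function names and the small stand-in file are assumptions made for the example, and the PGP armor is skipped, not verified.

```shell
#!/bin/sh
# Added example; function names are illustrative, not part of any Fedora tool.

# Print the hash listed for image "$2" in checksum file "$1".
# PGP armor, comment lines and entries for other images are skipped.
expected_hash() {
    awk -v name="$2" '
        length($1) == 64 && $1 ~ /^[0-9a-f]+$/ {
            f = $2; sub(/^\*/, "", f)   # leading "*" marks binary mode
            if (f == name) { print $1; exit }
        }' "$1"
}

# Exit status: 0 = match, 1 = mismatch, 2 = image not listed in the file.
verify_iso() {
    want=$(expected_hash "$1" "$(basename "$2")")
    [ -n "$want" ] || { echo "$2: not listed in $1" >&2; return 2; }
    have=$(sha256sum "$2" | awk '{ print $1 }')
    if [ "$have" = "$want" ]; then
        echo "$2: OK"
    else
        echo "$2: FAILED" >&2
        return 1
    fi
}

# Constructed demo: a small stand-in file takes the place of a real ISO.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed stand-in for an ISO image\n' > "$dir/sample.iso"
    sum=$(sha256sum "$dir/sample.iso" | awk '{ print $1 }')
    printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA1' '' \
        '# The image checksum(s) are generated with sha256sum.' \
        "$sum *sample.iso" > "$dir/sample-CHECKSUM"
    rc=0
    verify_iso "$dir/sample-CHECKSUM" "$dir/sample.iso" || rc=$?
    rm -rf "$dir"
    return "$rc"
}
demo
```

With real files the call would be verify_iso Fedora-13-i386-CHECKSUM Fedora-13-i386-disc1.iso, and the exit status can be tested in a script before burning.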
Verify the Actual Fedora Installation Disk that You Created
Besides having your burning software verify the data burned to the disk, it is also possible to verify the actual Fedora installation CD or DVD itself with sha256sum. This could be handy to know if you did not verify the burned data and later have a reason to suspect your disk of being defective. I recently learned how to do this with the help of buddha (the forum member, not Siddhartha). As buddha explained to me, the burning process often adds padding to the disk, making it impossible to get an accurate sha256sum result directly from the DVD. buddha redirected me to Steve Litt's Coasterless CD Burning web page, which publishes a simple bash script called rawread (go there to get it). That script basically removes the padding, allowing sha256sum to work on the DVD. It is very simple to copy the script to a text file, set its permissions to allow execution, run the simple command, and pipe the result to sha256sum. The output is an sha256sum hash that can be compared to the hash for the original downloaded ISO file.
Code:
rawread /dev/cdrom | sha256sum
NOTE 1: To determine your actual DVD or CDROM device name, insert a disk and run the terminal command df.
NOTE 2: I don't know of a comparable DOS batch file or application to do this in Windows or DOS with sha256sum.exe.
Steve Litt explains the whole thing on the web page. I recommend this as a simple way to confirm that all the steps involved in producing your Fedora installation disk were successful.
Some download sources
etree.org: md5sum.exe for DOS (48K)
SourceForge.net: MD5summer for Windows (486K)
gnupg download server: sha1sum.exe for DOS (20K), md5sum.exe for DOS (6K)
labtestproject.com: sha256sum.exe