HOWTO Verify Downloaded ISO Files
FedoraForum.org - Fedora Support Forums and Community
Page 1 of 2 1 2 LastLast
Results 1 to 15 of 19
  1. #1
    Join Date
    Jun 2006
    Posts
    7,544
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    HOWTO Verify Downloaded ISO Files

    Updated 6/11/2010

    The ISO files that are downloaded from the Internet to create Fedora installation disks and LiveCDs should be verified for data integrity by generating a hash sum from the downloaded file and comparing it to a known good hash sum. The hash sum (or hash) that you generate from your downloaded ISO file is a numerical string derived by a complex mathematical calculation performed on the file. If the two hashes match, it means the downloaded file is identical to the file on the download server.

    A Brief History of Fedora ISO Checksums

    There are various kinds of hashes. Before Fedora Core 4, the ISO files that were used to create Fedora installation disks were accompanied by a text file named MD5SUM that contained MD5 hashes for the ISO files. To verify a downloaded ISO file that has an MD5 hash for comparison, you must use either md5sum (in Linux) or md5sum.exe (in Windows) to create hashes from your downloaded files for comparison with the hashes in the MD5SUM file.

    Starting with Fedora Core 4, the ISO files were accompanied by a text file named SHA1SUM that contained the SHA-1 hashes for the ISO files. To verify a downloaded ISO file that has an SHA-1 hash for comparison, you must use either sha1sum (in Linux) or sha1sum.exe (in Windows).

    Recently, another change in the checksum method occurred with the release of Fedora 11. Checksums are now SHA-256 hashes. To verify a downloaded ISO file that has an SHA-256 hash for comparison, you must use either sha256sum (in Linux) or sha256sum.exe (in Windows).

    Nevertheless, the syntax and options for all of these commands are basically the same. Anywhere the word or command sha256sum is used below, the words or commands sha1sum and md5sum can be substituted. And anywhere the word or command sha256sum.exe is used below, the words or commands sha1sum.exe and md5sum.exe can be substituted. A few exceptions exist and are noted below. Therefore, the ideas presented here will work to verify an ISO file for any version of Fedora including archived versions. The salient point to remember (but often forgotten) is to use the correct checksum utility for the situation.


    Verify a Downloaded Fedora ISO

    Before starting, you need the checksum text file that contains the hash for the ISO file that you downloaded. The checksum file can be found in the same place from which the ISO file was downloaded. It's usually in the same subdirectory and nowadays will have a filename such as "Fedora-13-i386-CHECKSUM". There are other *-CHECKSUM files for the other versions of Fedora (i386, x86_64, Live, Live-KDE, and so on). Download the CHECKSUM file that contains the hash for your ISO file.

    Next, generate a hash from your downloaded file. If you are working in Linux, the sha256sum utility is usually already installed in Fedora. Open a terminal, change directories to where the ISO file is stored, and run the command like this...
    Code:
    sha256sum [ISO filename(s)]
    Example...
    Code:
    $ cd Desktop
    $ sha256sum Fedora-13-i386-DVD.iso
    e499f393898231b2c49f176cc852c119b28fa0c60198d159a4c9a585c95fe0c3  Fedora-13-i386-DVD.iso
    It may take several minutes for the result from a large file such as a Fedora DVD ISO. That long hexadecimal number string that resulted from the command in that example is the SHA-256 hash that now can be compared to the hash for the i386 Fedora 13 DVD ISO in the file Fedora-13-i386-CHECKSUM. Example...
    Code:
    # cat Fedora-13-i386-CHECKSUM
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    # The PGP checksum uses sha1sum.
    # The image checksum(s) are generated with sha256sum.
    e499f393898231b2c49f176cc852c119b28fa0c60198d159a4c9a585c95fe0c3 *Fedora-13-i386-DVD.iso
    b57923430d89395d4674783507ca26920a86c816e334a23aed6da31e7a3039ff *Fedora-13-i386-disc1.iso
    e70684c87128d10aeff692d163cb7104ceb902f3270ab1efe01247b7ad65cb14 *Fedora-13-i386-disc2.iso
    73f5a6c4d7b27d0902e0ac4c2a6506cc80ba4d40ba77701341a142c8ef4a3edd *Fedora-13-i386-disc3.iso
    ff078b7119550479e189a95b440e603b67aa094b36e3b5407c9a3539c1eaeedb *Fedora-13-i386-disc4.iso
    7b5099fc27d9950cf48db447df5579d5261b1664e6c6306994c28e12cb162d6f *Fedora-13-i386-disc5.iso
    1a683965fb21fd7342127eb4b5cc0ef007e45fabf6c90d0fd6facfc7d1bdaf89 *Fedora-13-i386-netinst.iso
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.5 (GNU/Linux)
    
    iQIVAwUBS/SF+n7catbo5A/eAQLG0xAAl/rD8oX26j8IIqNh27i6bwLblcRjMKVJ
    kHIrSrb9PiTdIH3En3U/G76YU+uimS0J6GRWz4s5oe3jvZkmrYgGy+VfR30CUr9H
    9Q3p4fMWjW7JgzJl2pAKaoIWrqS8fMc5hLOk50h2r7FfuP+HKwaDIFXVe9Yx1ZUm
    cdECmRmfYAZeqFhaKagRgp44iSaYPDgRu1Yhj3RkGsVD+n4z5nvbLCnoPv/dWCee
    Bq9S2sfeJUrBCcX2Xzgh55HXljdzTH7AgdK0p0Dv7S5xim+324oH8tkMrtYkkm3P
    wpQMQYku0n01jw/See3ZTLa7zNJtysBu5bhXfoqnfNRz8nVnVWk9GxfQq3lkxwDx
    lWXpa8r1YxcZ0ZJaEktMSDqN/gankFlBSYdhspOgewxbcMn9WVVlMvakHG0RomtW
    sxUvd7p31Wv5eJ5CJC08nfVhVXUZzUAu2ny4K9kXZpTr+xsrFS/gMuNEjK6k8AHT
    Cmk7kwkwJSp5WONYPxK+T8bfuqr74WhYLB35yXJMd52s2RzsTTnIdSn8MXo7ePUd
    xgUvPkTqS+s12Sol8riEV+fmwXyFlG1o4aRwlDVw01+PFZ6/4wH16UVyq3skccr8
    rbILiYuRaFTkSlyXzHhOqgDYe4o3vMjcK0cWfQrZSLYs1zB51fw0csQKpTnNJYDY
    I7UX0rnGIB0=
    =BjUw
    -----END PGP SIGNATURE-----
    If you are working from Windows, download the DOS utility sha256sum.exe to your Windows directory. Open a Command Prompt window, change directories to where the ISO file is stored, and run the same command as in the Linux example.

    If the hashes match, then you can confidently continue with the process of creating the disk. But remember that the subsequent steps, devices, and disk media involved in burning the disk also can be a source for errors in the final product.


    Using the -c Option

    Not only can sha256sum generate hashes, but it also can do the comparison if a file containing the known good hashes in the proper format is included in the directory with the ISO file(s) to be verified. That is what the -c option does. When used in this way, the result is returned as OK, FAILED, or No such file or directory. The simplest thing to do is to download the text file *-CHECKSUM and the ISO file(s) to the same directory. Then execute the command like this example...
    Code:
    sha256sum -c Fedora-13-i386-CHECKSUM
    This example uses sha256sum with the -c option to verify the first two CDs of the CD set...
    Code:
    $ ls
    Fedora-13-i386-CHECKSUM  Fedora-13-i386-disc1.iso  Fedora-13-i386-disc2.iso
    
    $ sha256sum -c Fedora-13-i386-CHECKSUM
    sha256sum: Fedora-13-i386-DVD.iso: No such file or directory
    Fedora-13-i386-DVD.iso: FAILED open or read
    Fedora-13-i386-disc1.iso: OK
    Fedora-13-i386-disc2.iso: OK
    sha256sum: Fedora-13-i386-disc3.iso: No such file or directory
    Fedora-13-i386-disc3.iso: FAILED open or read
    sha256sum: Fedora-13-i386-disc4.iso: No such file or directory
    Fedora-13-i386-disc4.iso: FAILED open or read
    sha256sum: Fedora-13-i386-disc5.iso: No such file or directory
    Fedora-13-i386-disc5.iso: FAILED open or read
    sha256sum: Fedora-13-i386-netinst.iso: No such file or directory
    Fedora-13-i386-netinst.iso: FAILED open or read
    sha256sum: WARNING: 5 of 7 listed files could not be read
    The Windows/DOS versions of sha256sum.exe, sha1sum.exe, and md5sum.exe may not offer the -c option. If not, manually generate the hash and compare it to the known good hash.


    Verify the Actual Fedora Installation Disk that You Created

    Besides having your burning software verify the data burned to the disk, it is also possible to verify the actual Fedora installation CD or DVD itself with sha256sum. This could be handy to know if you did not verify the burned data and later have a reason to suspect your disk of being defective. I recently learned how to do this with the help of buddha (the forum member, not Siddhartha). As buddha explained to me, the burning process often adds padding to the disk making it impossible to get an accurate sha256sum result directly from the DVD. buddha redirected me to Steve Litt's Coasterless CD Burning web page that publishes a simple bash script called rawread (go there to get it). That script basically removes the padding allowing sha256sum to work on the DVD. It is very simple to copy the script to a text file, set its permissions to allow execution, run the simple command and pipe the result to sha256sum. The output is an sha256sum hash that can be compared to the hash for the original downloaded ISO file.
    Code:
    rawread /dev/cdrom | sha256sum
    
    NOTE 1: To determine your actual DVD or CDROM device 
    name, insert a disk and run the terminal command df.
    
    NOTE 2: I don't know of a comparable DOS batch file or 
    application to do this in Windows or DOS with sha256sum.exe.
    Steve Litt explains the whole thing on the web page. I recommend this as a simple way to confirm that all the steps involved in producing your Fedora installation disk were successful.


    Some download sources

    etree.org: md5sum.exe for DOS (48K)
    SourceForge.net: MD5summer for Windows (486K)
    gnupg download server: sha1sum.exe for DOS (20K), md5sum.exe for DOS (6K)
    labtestproject.com: sha256sum.exe
    Last edited by stoat; 11th June 2010 at 12:50 PM.

  2. #2
    Join Date
    Mar 2009
    Posts
    6
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I downloaded Fedora, and i did not receive the sha1sum file, what did i do wrong?
    I have the .iso, but no sha1sum.

  3. #3
    Join Date
    Jun 2006
    Posts
    7,544
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by someoneinsane

    I downloaded Fedora, and i did not receive the sha1sum file, what did i do wrong?
    I have the .iso, but no sha1sum.
    A text file by the name of SHA1SUM is always present in the same subdirectory of the download server where the ISO files are located. It contains the SHA-1 hashes for the ISO files in that subdirectory. Example for the i386 version of Fedora 10...You, of course, would download the SHA1SUM file that accompanied the ISO file that you downloaded.

  4. #4
    Join Date
    Mar 2009
    Posts
    6
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Is it possible i can JUST download the SHA1SUM file?
    Or do i have to download it again?
    Last edited by someoneinsane; 25th March 2009 at 12:13 AM.

  5. #5
    Join Date
    Jun 2006
    Posts
    7,544
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by someoneinsane

    Is it possible i can JUST download the SHA1SUM file?
    Or do i have to download it again?
    Yes, SHA1SUM is simply a file that you manually download yourself if you want to verify the integrity of your downloaded ISO file. You have to go and get it yourself since it is not done for you during the download of the ISO file. It can always be found on the download server or mirror with the ISO file. Since it is a tiny text file, it downloads in mere seconds. The first thing that I always do after I download a Fedora ISO file is download the file SHA1SUM. Then I generate an SHA-1 hash from my downloaded ISO file and compare it to the hash for that ISO file that is shown in SHA1SUM.

  6. #6
    Join Date
    Mar 2004
    Location
    In your closet
    Posts
    15,753
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Stoat, or others. Do I need to get the sha1sum file from the same server that I get the ISO from or can I grab one from any server that has the ISO? I downloaded the F11 Beta DVD this morning from one server but had to leave. Now I downloaded the sha1sum file from some other server. Will this be valid?
    Glenn
    The Bassinator

  7. #7
    Join Date
    Feb 2007
    Location
    Taipei
    Posts
    29
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Since F11 Beta, you need to use sha256sum.

  8. #8
    Join Date
    Apr 2009
    Location
    Toronto
    Posts
    30
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Torrent downloads seem to come with checksum files, too.

  9. #9
    scottro's Avatar
    scottro is offline Retired Community Manager -- Banned from Texas by popular demand.
    Join Date
    Sep 2007
    Location
    NYC
    Posts
    8,120
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Actually (hrrm, was it CentOS or Fedora beta--one of them didn't have checksums. I tried using the sum from another mirror, but it came out completely differently. Sorry, can't remember which mirror I used, but I remember being suprised that there was no checksum text file. I also think I did sha1 rather than 256 which might be why it came out wrong. I said the heck with it, let me try anyway, and it worked perfectly---hrrm, now that I think about it, I seem to remember there being a thread on the testing list about sha1 sum mismatches though.

    Ok, just rechecked. Yup, it says, in BIG LETTERS
    HASH SHA1

    sha1sum comes out all wrong. However, sha256sum matches this sha1sum. Now, THAT'S what I call intuitive. Someone oughta fix that.
    Thanks livibetter. It would probably help the user if they called it HASH SHA256 rather than HASH SHA1 but this is Linux after all. Now they can call all the people who don't know this stupid and tell them how they should have looked in some place or another.

    Sigh, there's that attention to detail that we've grown to expect.
    --
    http://srobb.net

  10. #10
    scottro's Avatar
    scottro is offline Retired Community Manager -- Banned from Texas by popular demand.
    Join Date
    Sep 2007
    Location
    NYC
    Posts
    8,120
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    To Glenn, yes, you should be able to get the SHA1sum from any server. Just run sha256sum though.
    --
    http://srobb.net

  11. #11
    Join Date
    Jun 2005
    Location
    UK
    Posts
    4,426
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Bugger! And there's me downloaded a second F11 DVD iso because I thought the first was messed up.

    Thanks livibetter

  12. #12
    Join Date
    Nov 2007
    Location
    Cluj-Napoca, Romania
    Age
    36
    Posts
    250
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    HOWTO Verify Downloaded ISO Files with sha1sum
    1. Install FireFox and the DownThemAll! extension.
    2. Click to download whatever ISO you need and a download window will be displayed. Choose to download it with the DownThemAll extension.
    3. In the next screen, choose the checksum algorithm and enter the correct control number.
    4. Start download. When it's complete, the checksum will be calculated and verified.
    Last edited by ShivaS; 6th April 2009 at 09:43 AM.
    Joy, frustration, excitement, madness, aha's, headaches ... codito ergo sum!

    You can't have everything ....Where would you put it?
    We, humans, are used with loops, not leaps...

  13. #13
    Join Date
    Mar 2009
    Posts
    6
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I figured it out.
    So no worries.

  14. #14
    Join Date
    Nov 2008
    Location
    Pittsburgh, Pennslyvania
    Posts
    115
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Re: HOWTO Verify Downloaded ISO Files

    I have used the command:
    sha256sum -c Fedora-13-x86_64-CHECKSUM
    and it looks like the first file is ok; but, the other files are not.

    Is this a problem?

    Code:
    [Losos@DellVostro Fedora11_i386_OS]$ sha256sum -c Fedora-13-x86_64-CHECKSUM
    Fedora-13-x86_64-DVD.iso: OK
    sha256sum: Fedora-13-x86_64-disc1.iso: No such file or directory
    Fedora-13-x86_64-disc1.iso: FAILED open or read
    sha256sum: Fedora-13-x86_64-disc2.iso: No such file or directory
    Fedora-13-x86_64-disc2.iso: FAILED open or read
    sha256sum: Fedora-13-x86_64-disc3.iso: No such file or directory
    Fedora-13-x86_64-disc3.iso: FAILED open or read
    sha256sum: Fedora-13-x86_64-disc4.iso: No such file or directory
    Fedora-13-x86_64-disc4.iso: FAILED open or read
    sha256sum: Fedora-13-x86_64-disc5.iso: No such file or directory
    Fedora-13-x86_64-disc5.iso: FAILED open or read
    sha256sum: Fedora-13-x86_64-netinst.iso: No such file or directory
    Fedora-13-x86_64-netinst.iso: FAILED open or read
    sha256sum: WARNING: 6 of 7 listed files could not be read
    [Losos@DellVostro Fedora11_i386_OS]$
    "Nearly all men can stand adversity, but if you want to test a man's character, give him power." -
    -- Abraham Lincoln

  15. #15
    Join Date
    Jan 2010
    Posts
    7,380
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Re: HOWTO Verify Downloaded ISO Files

    If you have only have the DVD, then it won't be able to find the others, which are the CD iso's--in other words, the installation broken up into several CDs.

    You'll note the checksum file contains listings for several files--but you probably only downloaded the DVD. So, those error messages on the CD iso's can safely be ignored.

Page 1 of 2 1 2 LastLast

Similar Threads

  1. Where to get the md5 Checksum to verify if the downloaded iso correct?
    By thomas2004ch in forum Installation, Upgrades and Live Media
    Replies: 6
    Last Post: 13th September 2009, 04:14 PM
  2. Verify FC 6 Iso Image Files
    By Peter_APIIT in forum Using Fedora
    Replies: 4
    Last Post: 9th February 2007, 07:31 AM
  3. yum - downloaded files to update
    By ilbh in forum Using Fedora
    Replies: 3
    Last Post: 1st December 2006, 10:19 PM
  4. downloaded files disappear
    By thnguyen in forum Using Fedora
    Replies: 8
    Last Post: 25th July 2005, 07:37 PM
  5. how to verify integrity of .shn files
    By BoHu in forum Using Fedora
    Replies: 11
    Last Post: 22nd March 2005, 12:27 AM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •