How to Use SHA256 to verify downloaded files
When you download an ISO image, especially from many unknown seeds on the BitTorrent network, we recommend that you verify the integrity of the downloaded image.
For Ubuntu releases, Canonical provides several checksum files (such as MD5SUMS, SHA1SUMS, and SHA256SUMS) for verification. In this example, we use SHA256SUMS.
First, download the following two files.
- $ wget http://releases.ubuntu.com/14.10/SHA256SUMS
- $ wget http://releases.ubuntu.com/14.10/SHA256SUMS.gpg
The first file contains the SHA256 checksums of the ISO images, and the second file (*.gpg) is the signature of that checksum file. The purpose of the second file is to verify the validity of the checksum file.
Run the following command to verify the validity of the SHA256SUMS file.
- $ gpg --verify SHA256SUMS.gpg SHA256SUMS
- gpg: Signature made Thu 23 Oct 2014 09:36:00 AM EDT using DSA key ID FBB75451
- gpg: Can't check signature: public key not found
If you get the error message above, it is because you have not imported the public key needed to check the signature. Therefore, we need to import the required public key.
Before doing so, you need to know the "key ID" of the public key, which is displayed in the output of the above gpg command. In this example, the key ID is "FBB75451". Run the following command to import the public key from the official Ubuntu key server.
- $ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys FBB75451
Now that the public key has been imported, we can re-run the previous command to verify the signature.
- $ gpg --verify SHA256SUMS.gpg SHA256SUMS
This time you do not see the error message "public key not found". If the SHA256SUMS file is valid, you will see the "Good signature from" message. Note that you also see the warning "This key is not certified with a trusted signature". This warning tells you that you have not explicitly assigned trust to the imported public key. To avoid this warning, you can mark the imported public key as fully trusted, but you should do so only after reviewing the key in other ways. Otherwise, you can temporarily ignore this warning.
After verifying the integrity of the SHA256SUMS file, the last step is to compare the SHA256 checksum of the downloaded ISO file with the corresponding checksum in the SHA256SUMS file. You can use the sha256sum command line tool to complete this step.
For convenience, the following command compares the SHA256 checksums and reports the result.
- $ sha256sum -c <(grep ubuntu-14.10-desktop-amd64.iso SHA256SUMS)
- ubuntu-14.10-desktop-amd64.iso: OK
If you see the output information above, it indicates that the two verification values match. In this way, the integrity of the downloaded ISO image is successfully verified.
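The two checks above can be combined into a script that stops at the first failure. The following is an added example, not part of the original article: the function names and the EXPECTED_FPR variable are hypothetical, and the fingerprint is a placeholder that you must replace with the signing key's full fingerprint obtained from a trusted source. It checks the signer's full fingerprint rather than the short key ID, and it matches the file name in SHA256SUMS exactly instead of using a substring grep.

```shell
#!/bin/sh
# Added example, not from the original article. Function and variable names
# are hypothetical. EXPECTED_FPR is a placeholder: set it to the signing key's
# full 40-hex-digit fingerprint (no spaces), obtained from a trusted source.
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_FULL_FINGERPRINT}"

# usage: verify_sums_signature SHA256SUMS.gpg SHA256SUMS
# Succeeds only if gpg reports a valid signature made by EXPECTED_FPR.
verify_sums_signature() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -qi "^\[GNUPG:] VALIDSIG .*$EXPECTED_FPR"
}

# usage: verify_file_checksum SHA256SUMS FILE
# Succeeds only if SHA256SUMS has exactly one entry whose name equals FILE's
# base name and FILE's SHA256 digest equals that entry.
verify_file_checksum() {
    sums=$1 file=$2 name=$(basename "$2")
    # Entries look like "<hex> *<name>" (binary) or "<hex>  <name>" (text).
    # Names containing spaces are not handled by this field split.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    # Fail closed on a missing or duplicated entry.
    [ "$(printf '%s\n' "$expected" | grep -c .)" -eq 1 ] || return 1
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# usage: verify_download SHA256SUMS.gpg SHA256SUMS FILE
# Checks the signature first, so the checksum is never trusted on its own.
verify_download() {
    verify_sums_signature "$1" "$2" ||
        { echo "signature check failed" >&2; return 1; }
    verify_file_checksum "$2" "$3" ||
        { echo "checksum mismatch or missing entry" >&2; return 1; }
    echo "$3: signature and checksum OK"
}

# Example call (after setting EXPECTED_FPR):
# verify_download SHA256SUMS.gpg SHA256SUMS ubuntu-14.10-desktop-amd64.iso
```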