Integrity verification of downloaded files in Linux (MD5, SHA1, PGP)

Perform MD5Hash on the file to obtain the MD5 hash value of the file. after the download, check whether the MD5 hash value of the file is consistent with the MD5 hash value provided by the publisher to determine whether the file has been tampered with after publishing by the publisher.

Learning in Linux is always difficult at first, but sometimes it is found that there are far more operations in Linux than in Windows-the integrity of downloaded files is one of them, it makes me feel a great thing. When compiling and installing various software, collect the software source code package on each website. Because of this, the software portal is very complicated, and it is necessary to verify whether the downloaded file has been modified. Currently, the verification methods are MD5, SHA1, and PGP. In the long Windows years (vicissitudes of life), you can only access the first two types of data, provided that you verify the data.

MD5 verification

Principle: perform MD5 Hash on the file to obtain the MD5 Hash value of the file, check whether the MD5 hash value of the downloaded file is consistent with the MD5 hash value provided by the publisher to determine whether the file has been tampered with after published by the publisher.
Note: a long-lived Hash algorithm is widely used and the website storage password is frequently used. The MD5 hash values generated by different files are unique, but there is a way to make a small number of modifications to the files so that the MD5 hash values of the files are consistent.
Usage: in CentOS, it is very easy to perform MD5 Hash on the file. just run the md5sum command:

Copy codeThe code is as follows:
# $ Is a terminal prompt, not input.
# Number is a comment
# Output without a prompt
# Directly output MD5 Hash
$ Md5sum your-downloaded-file-name
Fd4a1b802373425c10c926eb7ac823d8 your-downloaded-file-name

# Save the MD5 hashvalue to the md5-hash.txt file.
$ Md5sum your-downloaded-file-name> md5-hash.txt
# Display the output md5-hast.txt content
$ Cat md5-hash.txt
Fd4a1b802373425c10c926eb7ac823d8 your-downloaded-file-name

# Check whether the downloaded file is correct through md5-hash.txt
$ Md5sum-c md5-hash.txt
Your-downloaded-file-name: OK

If you are the publisher of a file, you can use md5sum to send the hash value of the file to the validators, so that the person downloading your file can verify the correctness of your file by using the MD5 hash value. On the other hand, after downloading the file on the website, we can also obtain the MD5 Hash value of the publisher and compare it with the Hash value generated locally. if they are consistent, we think the file is correct.

SHA1 verification

Principle: like MD5, the principle is to evaluate the file HASH, compare the HASH value published by the file publisher, and determine whether the file is tampered with by equality
Note: The SHA1 HASH evaluation method is an upgraded version of MD5 (SHA1 20 bits and MD5 16 bits). in terms of HASH calculation, the SHA1 exit stage will be occupied by SHA1. The SHA family has five algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512, the last four are sometimes called SHA2
Run the command sha1sum with shaa1 in CentOS.

Copy codeThe code is as follows:
# Same as above
# Directly output SHA1 Hash
$ Sha1sum your-downloaded-file-name
12dc96cbd822598c1230c87622f3591461a77227 your-downloaded-file-name

# Save the SHA1 Hash value to the file
$ Sha1sum your-downloaded-file-name> sha1-hash.txt
# Display file content
$ Cat sha1-hash.txt
12dc96cbd822598c1230c87622f3591461a77227 your-downloaded-file-name

Worker uses sha1-hash.txt to verify the downloaded file your-downloaded-file-name.
# Note: the file must be known through the path in the txt file.
$ Sha1sum-c sha1-hash.txt
Your-downloaded-file-name: OK

This SHA1 is basically the same as MD5. it should be added that when md5sum or sha1sum is used to verify the file, make sure that the system can find the file based on the path provided in the file. if the file cannot be found, there is no way to verify it.

For Hash verification of multiple files, you can store the Hash values of multiple files in one file.

PGP verification

Principle: asymmetric encryption is used to generate a unique Key pair (Public Key and Private Key: Public Key and Private Key/Secret Key ). The procedure is as follows:

1. the publisher signs the file to be published by using the private key in the generated key pair to obtain the signature file (sign );
2. the publisher publishes the public key in the key pair to the public key server;
3. the publisher publishes the file together with the signature generated with the private key;
4. the validators download the files and signatures published by the publisher;
5. use the PGP program to obtain the public key published by the publisher in step 2;
6. use the public key to verify the file signature
Note: in the signature algorithm, the key is used for encryption and verification. the private key is used for decryption and signature. The private key is in the Information Authority, and the public key can be freely distributed. The information sender uses a key to sign the information. after obtaining the public key, the receiver can use the public key to verify the information and signature published by the receiver. If verification fails, the information is tampered. In the network, we often encounter HTTPS protocol, using the same mechanism.

Usage: since PGP is a commercial application, GPG (I .e., GnuPG) has similar features in CentOS/Linux and complies with OpenPGP data encryption standard (RFC 4880 ), if not installed, you can use yum install gnupg to install it. the command is gpg.

Copy codeThe code is as follows:
# Same as above
# Because the process is relatively complex, and in actual use, there are many verification purposes, so here we only introduce the file verification process.
# When obtaining the file and signature, we first use gpg to verify the signature. in this case, the file must exist.
$ Gpg -- verify downloaded-file-sign.asc

There are multiple cases. if you only have a signature but the file that generates the signature does not exist (the file is not found by the system and should be placed in the same directory), the returned result is:

Copy codeThe code is as follows:
Gpg: data without signature
Gpg: can't hash datafile: No data

When you have a file but no public key corresponding to the signature, the information returned by gpg is similar to the following:

Copy codeThe code is as follows:
Gpg: the signature created by CST at on Monday 18, May 06, 2013. it uses RSA and key number 47 ACDAFB.
Gpg: the signature cannot be checked: No public key

Note: The information above is different in different files and operating systems. However, if you do not have a public key, you can find that gpg provides a key number: 47 ACDAFB, which is the public key we need to find.

As mentioned above, the publisher has published the public key to the public key server for the validators to download. Therefore, we need to download the public key from the public key server. to download the public key, the key number is very important.

You can use the Key Server entries on wikipedia to view the list of common key servers. Hkp: // pgp.mit.edu is used here:

Copy codeThe code is as follows:
# Getting the public key on the server
$ Gpg -- keyserver hkp: // pgp.mit.edu -- recv-keys 47 ACDAFB
Gpg: Download the secret '47acdaff' from the hkp server pgp.mit.edu.
Gpg: Key 47 ACDAFB: public key "Stephen Mueller "Imported
Gpg: no key absolutely trusted
Gpg: total number of processed items: 1
Gpg: Imported: 1

-- Recv-keys should be used with -- keyserver. after importing the public key of the key pair, we can use this public key to verify our signature.

Run the previous verification command (gpg -- verify sign-file) again to view the verification result.

Copy codeThe code is as follows:
# At this time, we will verify our signature again to get the verification result.
$ Gpg -- verify downloaded-file-sign.asc
Gpg: the signature created by CST at on Monday 18, May 06, 2013. it uses RSA and key number 47 ACDAFB.
Gpg: a complete signature, from "Stephen Mueller "
Gpg: Warning: this key has not been authenticated by a trusted signature!
Gpg: there is no evidence that the signature belongs to the holder it claims.
Fingerprint of the primary key: B0F4 2D33 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8

When you see this result, at least one result is confirmed: The file has not been tampered.

Generally, this step is almost the same.

Note that there is a warning in the message, indicating that this is an untrusted signature authentication. Anyone can publish this public key. if you need further authentication, you can contact the real publisher to confirm the key information-fingerprint before signing! This is a weakness of this algorithm.

If the signature authentication has passed, you can compile and install it in your system with peace of mind.

For more information about PGP, refer to the following websites:

1. Wikipedia PGP
2. Ubuntu GPG/PGP
3. In GnuPG and HOWTOs, MiniHOWTO has a zh document, which is in Chinese.
4. Gentoo GnuPG