Verifying the integrity of downloaded files under Linux (MD5,SHA1,PGP)
Linux is always difficult to learn, but sometimes, but found that Linux is far more than the operation of Windows is much more-the integrity of the download file is one of them, let me feel very cool thing. In the compilation and installation of various software, always to the various sites to collect software source package. Because of this, the entrance to the software is very complex, it is necessary to verify whether the downloaded file has been modified. And the calibration method is currently generally md5,sha1,pgp three kinds. In the long years of Windows (the vicissitudes of the wood have), generally only touch the first two--if you will check the words.
Principle: MD5 Hash of the file, find the MD5 hash of the file, determine whether the file has been tampered with after the publisher has been published, by the MD5 hash value of the downloaded file and whether the MD5 hash value provided by the Publisher is consistent.
Description: Long life of a hash algorithm, a wide range of applications, site storage passwords are often used. The MD5 hash generated by different files is unique, but there is a way to keep the hash value of the file MD5 consistent by making minor modifications to the file.
Use: Under CentOS, the MD5 hash of the file is very simple, amd5sumcommand can be:
Code# $ is terminal prompt, not input. # # is Comment # No prompt is output # Direct output MD5 Hash $ md5sum your-downloaded-file-namefd4a1b802373c57c10c926eb7ac823d8 your-downloaded-file-name # Save the MD5 Hash value to In the md5-hash.txt file. $ md5sum your-downloaded-file-name> md5-hash.txt # Display the output of md5-hast.txt $ catmd5-hash.txtfd4a1b802373c57c10c926eb7ac823d8 your-downloaded-file-name # Via md5- hash.txt to verify that the file you downloaded is correct $ md5sum -c md5-hash.txtyour-downloaded-file-name: OK
You are the publisher of the file, and you can send the hash value of the file to the authenticator by md5sum, so that the person who downloads your file can verify your file correctness by MD5 the hash value. In turn, after we download the file on the website, we can also get the publisher's MD5 hash value and the locally generated hash value comparison, if consistent, think the file is correct.
Principle: The principle is the same as MD5, is through the file hash evaluation, compared to the file publisher's hash value, by whether or not equal to determine whether the file is tampered with
Description: SHA1 Hash Evaluation method can be said to be an upgrade version of MD5 (SHA1 20-bit, MD5 16-bit), in the hash evaluation, MD5 exit stage will have SHA1 occupy. The SHA family has five algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512, while the latter four are sometimes called SHA2
Use: CentOS has SHA1 commands:sha1sum
| #The description is the same as above # Direct output SHA1 Hash $ sha1sum your-downloaded-file-name12dc96cbd822598c1230c87622f3591461a77227 your-downloaded-file-name # Save the SHA1 Hash value to a file $ sha1sum your-downloaded-file-name> sha1-hash.txt # show the file Content $ catsha1-hash.txt12dc96cbd822598c1230c87622f3591461a77227 your-downloaded-file-name # Verify the file we downloaded by sha1-hash.txt your-downloaded-file-name # Note that the file must be known by the path in the txt file $ sha1sum -c sha1-hash.txtyour-downloaded-file-name: OK
This SHA1 and MD5 basically consistent, need to add the following is, in the use ofmd5sum, or whether or notsha1sum, when verifying the file, it is important to allow the system to find files according to the path provided in the file, if the file can not be found, there is no way to verify.
If you are doing multiple file hash check, you can save the hash value of multiple files by one file.
Principle: Using asymmetric encryption, the program generates a unique key pair (public key and private Key/secret key). Here's how it works:
- The publisher obtains the signature file (sign) by signing the file to be published by using the private key in the generated key pair;
- The publisher publishes the public key in the key pair to the public key server;
- The Publisher publishes the file together with the signature generated by the private key;
- The authenticator downloads the file and signature published by the publisher;
- The public key released by the publisher in the second step of the program obtained using PGP;
- Verifying file signatures with public keys
Note: In the signature algorithm, the key is used to encrypt information and verify the public key, and the private key is used for decryption and signing. The private key is in the information publisher, and the public key can be distributed arbitrarily. The information Publisher uses the key to sign the information, and after the receiver obtains the public key, it can use the public key to verify the information + signature issued by the publisher. If the validation fails, the information is considered to be tampered with. In the network, we often encounter the HTTPS protocol, using the same mechanism.
Use: Since PGP is a commercial application, in Centos/linux, the same function is GPG (i.e.: GnuPG), the same adherence to the OPENPGP Data Encryption Standard (RFC 4880), no installation can be used toyum install gnupginstall, the command is:gpg
|| Because the process is relatively complicated and there are many verifications in actual use, only the verification process of the file is introduced here. # When obtaining the file and signature, we first use gpg to verify the signature. At this time, the file must exist. $ Gpg --verify downloaded-file-sign.asc
Here are a number of cases, if you only signed, but the signature file does not exist (the system is not found, generally should be placed under the same directory), the return is:
|| gpg: can't hash datafile: No data
When you have a file, but there is no public key corresponding to the signature, GPG returns information similar to the following:
|| gpg: Signature created by CST on Monday, May 06, 2013 18:27:27 seconds, using RSA, key number 47ACDAFBgpg: Unable to check signature: No public key
Note: The above information is different from the information generated on different files and operating systems. But in the absence of a public key, you can find that GPG provides a key number for that signature: 47ACDAFB, this is the public key we need to find.
As mentioned above, the publisher has published the public key to the public key server for the authenticator to download, so we need to download the public key to the public key server, to download the public key, the key number is very important.
Available public key servers can view a list of commonly used key servers through the key server entry on Wikipedia. Use hkp://pgp.mit.edu here:
|| # Get the public key $ gpg --keyserver hkp: //pgp.mit.edu --recv-keys 47ACDAFBgpg: Download the key '47ACDAFB' from the hkp server pgp.mit.edugpg: key 47ACDAFB: the public key "Stephan Mueller <[email protected]>" has been imported into gpg: No absolutely trusted keys have been found gpg: Total number processed: 1gpg: Imported: 1
--recv-keys to use with--keyserver, after importing the key pair's public key, we are able to use this public key to validate our signature.
Run our previous verification command (GPG--verify sign-file) again to see the results of the validation.
|| #At this time, we verify our signature again, and we will get the verification result. RSA, key number 47ACDAFBgpg: Intact signature from "Stephan Mueller <[email protected]>" gpg: Warning: This key has not been authenticated by a trusted signature! gpg: There is no evidence that this signature belongs to its claimed holder. Master key fingerprint: B0F4 2D33 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8
To see this result, at least one result is confirmed: This file has not been tampered with.
In general, we are almost there by this step.
Note that there is a warning in the message stating that this is an untrusted signature authentication. Because this public key can be posted up, if you do need further authentication, you can also contact the real publisher before signing authentication, confirm the key information-fingerprint (fingerprint)! This is considered a weakness of the PGP algorithm.
If the signature is passed, you can build it in your own system and install it.
For more information about PGP, refer to the following Web site:
- Wikipedia PGP
- Ubuntu GPG/PGP
- Gnupg,howtos in the MINIHOWTO has a zh document, is Chinese
- Gentoo GnuPG
Verifying the integrity of downloaded files under Linux (MD5,SHA1,PGP)