Ubuntu uses SHA256 to verify instances of iso image integrity

In the Ubuntu system, it is best to check the integrity of the downloaded files (see How the System Home detects the integrity of downloaded files on the Linux system). Today, Xiaobian wants to introduce you how to use SHA256 to test iso. Mirror the integrity, let's get to know it.

In the case of Ubuntu release, Canonical provides school experience file (such as MD5SUM, SHA1SUMS and SHA256SUMS) for verification using several. In this example we use SHA256SUMS.

First, download the following two files.

$ wget http://releases.ubuntu.com/14.10/SHA256SUMS

$ wget http://releases.ubuntu.com/14.10/SHA256SUMS.gpg

The first file is the SHA256 exam file for the ISO image, and the second file (*.gpg) is the signature for the exam file. The purpose of the second document is to verify the validity of the exam document itself.

We verify the validity of the SHA256SUMS file by running the following command.

$ gpg --verify SHA256SUMS.gpg SHA256SUMS

gpg:Signature made Thu23Oct201409:36:00 AM EDT using DSA key ID FBB75451

gpg:Can‘t check signature : public key not found

If you get the above error message, it is because you have not imported the public key that generated the signature. So we now import the required public key.

Before doing this, you need to know the public key's “key ID”, which is shown in the output of the gpg command above. In this example, the key ID is “FBB75451”. Run the following command to import the public key from the official Ubuntu key server. Before //keyserver.ubuntu.com --recv-keys FBB75451

Now that the public key has been imported, we can go ahead and re-run:

$ gpg --keyserver hkp The command to verify the signature.

gpg --verify SHA256SUMS.gpg SHA256SUMS

This time you do not see the & ldquo; public key not found & rdquo; error message. If the SHA256SUMS file is valid, you will see the information for “Good signature from ”. Notice that you also see a warning message for “This key is not certified with a trusted signature”. Basically this warning message tells you that there is no explicit trust in the imported public key. To avoid this warning, you can choose to specify the public key that is fully trusted for import, but you should only do this after reviewing the key by other means. Otherwise, you can ignore this warning for now.

After verifying the integrity of the SHA256SUMS file, the final step is to compare the corresponding calibration values ​​in the SHA256 exam and SHA256SUMS files of the downloaded ISO file. You can do this with the sha256sum command line tool.

For convenience, the following line of commands compares the SHA256 checksum and reports the results.

$ sha256sum -c "(grep ubuntu-14.10-desktop-amd64.iso SHA256SUMS)

ubuntu-14.10-desktop-amd64.iso: OK

If you look The output information above is displayed, which indicates that the two calibration values ​​match. The integrity of the downloaded ISO image is thus successfully verified.

The above is the way Ubuntu uses SHA256 to detect the integrity of the iso image. If the iso image is incomplete, it will cause unnecessary trouble when used. The iso image is usually larger, and the comparison will be compared. it is good.