Checking checksums for download integrity

I was just running an update to Fedora using the superb dnf command. For the first time ever I noticed it caught a checksum error (on the kernel packages, no less!) and did a re-download automatically. Quite impressive, though I was a little surprised it was using md5 rather than SHA-256.

When doing a manual initial download (of an .iso for a distro, for example), I do like to quickly run the checksum, which I think is standard practice to include for most Linux projects, so that it can be checked.

I am curious how often other users do this when it has to be done manually, not just for .isos but also for other manual installations that might occasionally be used, not from repos. Feedback appreciated, with thanks.

1 Like

I usually do this when there is a hash provided to check.

4 Likes

Ouch. Yes, I think that’s just the thing, sometimes it won’t match; it’s definitely worth checking in my opinion.

2 Likes

It happened to Linux Mint a while ago. I always check ISOs because sometimes it just downloads wrong and it saves a lot of headache with the live disc or the installed OS if it happened to do that.

1 Like

Very true. I imagine a buggy install, probably.

If there's a checksum I usually will, though it's great for things I need to depend on, like a distro image.

They’re not really for security because they can’t prove if the Website was hacked but they can prove if the company repo is giving you something the Website doesn’t know about which is an indicator.

If I'm feeling extra spicy I sometimes download the file on a remote server and my local machine to see if the checksums match, because I like to LARP as someone who's important enough to target.

2 Likes

Mmmhmm. Man-in-the-middle is exactly what they’re to detect, far as I’ve understood it!

1 Like
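The check the posts above describe, written out as an added example (not code from the thread or from Fedora): parse a Fedora-style CHECKSUM file (BSD-format `SHA256 (name) = hex` lines, the same format `sha256sum -c` reads), hash the downloaded file, and report whether it matches. The sample file and CHECKSUM text are constructed inline; real CHECKSUM files also carry PGP-signature armor, which the parser skips.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# BSD-style entry as found in Fedora CHECKSUM files: "SHA256 (image.iso) = <hex>"
BSD_LINE = re.compile(
    r"^(?P<algo>SHA256|SHA512)\s+\((?P<name>[^)]+)\)\s*=\s*(?P<digest>[0-9a-fA-F]+)\s*$"
)

def parse_checksum_file(text):
    """Return {filename: (algo, hexdigest)}; non-entry lines (comments, PGP armor) are ignored."""
    entries = {}
    for line in text.splitlines():
        m = BSD_LINE.match(line.strip())
        if m:
            entries[m.group("name")] = (m.group("algo").lower(), m.group("digest").lower())
    return entries

def file_digest(path, algo, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so multi-GB ISOs are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, checksum_text):
    """Return 'OK', 'MISMATCH', or 'NOT LISTED' (file name absent from the CHECKSUM text).
    A match only shows the bytes you hold equal the bytes the publisher listed; it cannot
    tell you whether the publisher's site and its CHECKSUM file were both replaced."""
    path = Path(path)
    entries = parse_checksum_file(checksum_text)
    if path.name not in entries:
        return "NOT LISTED"
    algo, expected = entries[path.name]
    return "OK" if file_digest(path, algo) == expected else "MISMATCH"

def demo():
    # Constructed sample: a tiny stand-in for an ISO plus a CHECKSUM file listing two images
    tmp = Path(tempfile.mkdtemp())
    iso = tmp / "example-live.iso"
    iso.write_bytes(b"not a real iso, just constructed sample bytes\n")
    good = hashlib.sha256(iso.read_bytes()).hexdigest()
    checksum_text = f"SHA256 ({iso.name}) = {good}\nSHA256 (other-image.iso) = {'0' * 64}\n"
    first = verify_download(iso, checksum_text)            # intact download
    iso.write_bytes(b"corrupted or altered bytes\n")       # simulate a bad download
    second = verify_download(iso, checksum_text)
    return first, second

if __name__ == "__main__":
    print(demo())  # ('OK', 'MISMATCH')
```

The CHECKSUM file itself is normally GPG-signed; checking that signature is a separate step this example does not cover.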

This is an interesting experiment – I hope you found everything was as it should be!

I haven't had someone try to play along with my LARP yet. One day they won't match and I'll be vindicated!

1 Like

Good point. I'm sort of relying on HTTPS there and I mainline always-on ProtonVPN, but I don't know how vulnerable HTTPS is to being MITMed.

1 Like