
UbuntuHelp:HowToSHA256SUM


The program sha256sum is designed to verify data integrity using SHA-256 (a member of the SHA-2 family with a digest length of 256 bits). SHA-256 hashes used properly can confirm both file integrity and authenticity. SHA-256 serves a similar purpose to a prior algorithm recommended by Ubuntu, MD5, but is less vulnerable to attack.

Comparing hashes makes it possible to detect changes in files that would cause errors. The possibility of changes (errors) is proportional to the size of the file; the possibility of errors increases as the file becomes larger. It is a very good idea to run an SHA-256 hash comparison check when you have a file like an operating system install CD that has to be 100% correct.

In terms of security, cryptographic hashes such as SHA-256 allow for authentication of data obtained from insecure mirrors. The SHA-256 hash must be signed or come from a secure source (such as an HTTPS page or a GPG-signed file) of an organization you trust. See the SHA256 file for the release you're using under http://releases.ubuntu.com, such as http://cdimage.ubuntu.com/daily-live/current/SHA256SUMS . You should verify this file using the PGP signature, SHA256SUMS.gpg (such as http://cdimage.ubuntu.com/daily-live/current/SHA256SUMS.gpg ). You could avoid the signature verification step if you relied on SHA-256 hashes learned from UbuntuHashes (a secure unmodifiable page). However, as of December 2009 this page does not include such hashes.

sha256

sha256sum on Linux

Most Linux distributions come with the sha256sum utility (on Ubuntu it is part of the coreutils package). We are going to use the Ubuntu 9.10 LiveDVD for the following example:

Check the iso file

Manual method

First open a terminal and go to the correct directory to check a downloaded iso file:

cd download_directory

Then run the following command from within the download directory.

sha256sum ubuntu-9.10-dvd-i386.iso

sha256sum should then print out a single line after calculating the hash:

c01b39c7a35ccc3b081a3e83d2c71fa9a767ebfeb45c69f08e17dfe3ef375a7b *ubuntu-9.10-dvd-i386.iso

Compare the hash (the alphanumeric string on left) that your machine calculated with the corresponding hash in the SHA256SUMS file.

Currently, there aren't SHA256 hashes there.

An easy way to do this is to open the UbuntuHashes page in your browser, then copy the hash your machine calculated from the terminal into the "Find" box in your browser (in Firefox you can open the "Find" box by pressing <Ctrl> <F>).

When both hashes match exactly then the downloaded file is almost certainly intact. If the hashes do not match, then there was a problem with either the download or a problem with the server. You should download the file again from either the same mirror, or from a different mirror if you suspect a server error. If you continuously receive an erroneous file from a server, please be kind and notify the webmaster of that mirror so they can investigate the issue.

Semi-automatic method

Ubuntu distributes the SHA256 hashes in a file called SHA256SUMS near the bottom of the download page for your release at http://releases.ubuntu.com. First download the SHA256SUMS and SHA256SUMS.gpg files to the same directory as the iso. Then run the following commands in a terminal.

cd download_directory
gpg --verify SHA256SUMS.gpg SHA256SUMS
sha256sum -c SHA256SUMS 2>&1 | grep OK

The gpg command will check the file and signature to ensure the hash file is intact and was actually issued by Ubuntu. It may automatically download Ubuntu's key, and should then output several lines, including:

gpg: Good signature from "Ubuntu CD Image Automatic Signing Key <[email protected]>"

The sha256sum line should output a line such as:

ubuntu-9.10-dvd-i386.iso: OK

If the OK for your file appears, that indicates the hash matches.
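The two commands above run independently, so the hash check proceeds even when gpg rejects the signature, and "Good signature" from a key that gpg fetched on its own says nothing about who owns that key. The following is an added example, not part of the original wiki page: it accepts SHA256SUMS only when gpg's machine-readable status output names a pinned fingerprint, then checks the ISO against its own entry. The function names are hypothetical, and the fingerprint argument is one you obtained from a source you already trust.

```sh
#!/bin/sh
# Added example (not from the original page). Run in the download directory.

# signed_by FPR: read `gpg --status-fd 1 --verify ...` output on stdin.
# Succeeds only if a valid signature was made by the key whose fingerprint
# is FPR and gpg flagged no bad, expired or revoked signature.
signed_by() {
    awk -v fpr="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit !(ok && !bad) }'
}

# check_listed SUMS FILE: compare FILE with its own entry in SUMS.
# Returns 2 if FILE has no entry, 1 on mismatch or unreadable file.
# Assumes file names without spaces, as in Ubuntu's SHA256SUMS.
check_listed() {
    sums=$1 file=$2
    want=$(awk -v f="$file" '
        { n = $2; sub(/^\*/, "", n) }    # drop the binary-mode "*" marker
        n == f { print $1; exit }' "$sums")
    [ -n "$want" ] || { echo "$file: not listed in $sums" >&2; return 2; }
    have=$(sha256sum "$file" 2>/dev/null | awk '{ print $1 }')
    [ "$want" = "$have" ] || { echo "$file: FAILED" >&2; return 1; }
    echo "$file: OK"
}

# verify_release FPR ISO: the hash check runs only after the signature on
# SHA256SUMS is accepted. FPR is a fingerprint obtained out of band.
verify_release() {
    gpg --status-fd 1 --verify SHA256SUMS.gpg SHA256SUMS 2>/dev/null |
        signed_by "$1" || { echo "SHA256SUMS: signature rejected" >&2; return 1; }
    check_listed SHA256SUMS "$2"
}
```

Call it as `verify_release <fingerprint> ubuntu-9.10-dvd-i386.iso`; any non-zero exit status means the image should not be used.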

Success?

Once you have verified the sha256 hash, go ahead and burn the CD. You may want to refer to the BurningIsoHowto page.

Check the CD

So far so good, you have downloaded an iso and verified its integrity. When you boot from the CD you will be given the option to test its integrity. Great, but if the CD is corrupt then you have already wasted time rebooting. You can check the integrity of the CD without rebooting as follows.

Manual method

sha256sum /dev/cdrom

Check the calculated hash against UbuntuHashes as shown for the iso file above. Depending on your system, you may need to change cdrom to cdrom0 (or even cdrom1 if you have two CD drives).

Success?

Congratulations, you now have a verified Ubuntu CD. Go ahead and use it (or play frisbee with it if you want).

MD5SUM on Mac OS X

This should be updated by someone with access to a Mac.

There are three methods of using md5sum on an OS X machine.

Method 1 - The easiest (if MD5 is available) is using the Disk Utility program (Applications > Utilities, or by choosing "Utilities" from the Finder's "Go" menu). Open Disk Utility and wait for it to gather information about your disks. Go to the directory where you downloaded the Ubuntu disk image, and drag it to Disk Utility's dock icon (displays on the left-hand side of Disk Utility, underneath your physical drives). Select the iso file. Go to the "Images" menu and select Checksum > MD5. Be sure to choose "MD5" and NOT "MD5 image checksum" or "CRC-32 image checksum", as they are not the same and will give you different results.

Method 2 - If MD5 is not available in the Images > Checksum menu, open a terminal window (Applications > Utilities > Terminal.app). Type "md5", type a space, drag the iso file into the terminal window (appends command with iso file path), and press Enter. The command line returns the hash number.

Method 3 - You can use the Terminal.app and follow the instructions for SHA256SUM on Linux, except use the command "openssl md5" instead of "sha256sum".

Each method returns a hash number. Compare the hash number with the corresponding hash on the UbuntuHashes page. When both hashes match exactly, then the downloaded file is almost certainly intact.

If the hashes do not match, then there was a problem with either the download or a problem with the server. You should download the file again from either the same mirror, or from a different mirror if you suspect a server error. If you continuously receive an erroneous file from a server, please notify the webmaster of that mirror so they can investigate the issue.

digest(1) on Solaris

Use the Solaris digest(1) command, specifying the sha256 algorithm with the -a flag. For instance:

$ digest -a sha256 ubuntu-9.10-dvd-i386.iso
c01b39c7a35ccc3b081a3e83d2c71fa9a767ebfeb45c69f08e17dfe3ef375a7b

SHA256SUM on Windows

This section also needs to be updated. Is there a sha256sum.exe file distributed by a reliable source? Is there a good GUI?

Windows does not come with sha256sum. You must download one from another location, preferably one that you trust. There are command line utilities that work similarly to the Unix utility; one public domain version with source is available from Fourmilab (http://www.fourmilab.ch/md5/), but the version available from Cygwin (http://cygwin.com/) is probably easier to install and update, and Cygwin is also recommended and trusted as the source for many more Unixy utilities. Once installed, Cygwin's sha256sum behaves exactly as described in SHA256SUM on Linux above.

There are also graphical tools such as the one used in the walk-through provided below.

 1. Download and install winSha256sum (http://www.nullriver.com/index/products/winsha256sum), a free and open source hash verification program.
 2. Right-click the ISO file.
 3. Click Send To, then winSha256sum.
 4. Wait for winSha256sum to load and finish the checksum (this may take a significant amount of time depending on your computer's performance).
 5. Copy the corresponding hash from UbuntuHashes into the bottom text box.
 6. Click "Compare".
 7. A message box will say "MD5 Check Sums are the same" if the hashes are equal.

SHA256SUM on CD

I don't know if there is now a sha256sum.txt file on the CD.

To see if your Ubuntu CD was corrupted when burned to the disk, see the CDIntegrityCheck page, or follow the instructions below.

First mount the CD, if not already mounted:

sudo mount /dev/hda /cdrom

Then use the supplied sha256sum file on the CD:

cd /cdrom
sha256sum -c sha256sum.txt | grep -vi 'OK$'

Be patient, it takes some time. If the command outputs any errors, you'll know that either the burn was bad or the .iso is corrupt. Please note that this method does not verify authenticity unless the hash of the iso file is compared to the hash at the secure UbuntuHashes page.

Finally, you can unmount the CD after leaving the folder:

cd /
sudo umount /dev/hda

SHA256SUM of burnt media

Depending on how you burn your ISOs you can check the burnt media directly. Start by checking that the ISO file is correct:

$ grep ubuntu-9.10-dvd-i386.iso SHA256SUMS | tee /proc/self/fd/2 | sha256sum --check -
c01b39c7a35ccc3b081a3e83d2c71fa9a767ebfeb45c69f08e17dfe3ef375a7b *ubuntu-9.10-dvd-i386.iso
ubuntu-9.10-dvd-i386.iso: OK
 

Now burn it from Nautilus (right-click, "Write to Disc ..."). To check the media directly:

$ sha256sum /dev/cdrom
c01b39c7a35ccc3b081a3e83d2c71fa9a767ebfeb45c69f08e17dfe3ef375a7b  /dev/cdrom
 

where "/dev/cdrom" is typically a soft-link to your CD/DVD reader/burner. Note that the checksum matches.

External Links

VerifyIsoHowto