14 June 2019

Do you check the checksums of downloaded files?

It's usually unnecessary, but it's always recommended. Let's say you download CloneZilla, and they've provided their file for download from a website like SourceForge. There's always a slight chance that some hacker/attacker could have altered the file, added some malware to it and replaced the file on SourceForge.

But you can check whether it's the original file that CloneZilla uploaded to SourceForge, using the checksum.

I had downloaded clonezilla-live-20190420-disco-amd64.iso, which had the MD5 checksum 981841de868ccc0c927dea9ace9460fa as shown on the CloneZilla website.

Now, to verify the file, I just opened up a terminal and typed:
md5sum clonezilla-live-20190420-disco-amd64.iso

The output was:
981841de868ccc0c927dea9ace9460fa  clonezilla-live-20190420-disco-amd64.iso

A perfect match! It's that simple.

If it's SHA-256, do this (this was for verifying the Android Studio download):
sha256sum android-studio-ide-193.6626763-linux.tar.gz


Update May 2022:
The Ubuntu team showed us a new way of verifying the checksum:
echo "b85286d9855f549ed9895763519f6a295a7698fb9c5c5345811b3eefadfb6f07 *ubuntu-22.04-desktop-amd64.iso" | shasum -a 256 --check

If it's verified correctly, it shows the following output:
ubuntu-22.04-desktop-amd64.iso: OK

Even if you download from a mirror, it should show the same checksum. That way you know the image on the mirror was not tampered with.
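The md5sum, sha256sum and "digest *file | shasum --check" commands above all do the same job: compute the digest of the local file and compare it with the value the vendor published. The script below is an added example, not code from the original post or from the CloneZilla or Ubuntu projects, that wraps that comparison in a function so it can be used in a download script, and it handles the case that matters most, a file whose digest does not match. The function name verify_checksum and the demo files and digests are constructed for illustration (an empty file stands in for the download; its SHA-256 and MD5 are the well-known digests of empty input). Keep in mind that the check is only as strong as the published value: it detects a file that was swapped on a mirror, but not a case where the attacker could change both the file and the digest shown on the vendor's site.

```shell
#!/bin/sh
# Added example, not from the original post: a small wrapper around md5sum /
# sha256sum that checks a downloaded file against the digest the vendor
# published. Files and digest values in the demo are constructed, not real ISOs.

# verify_checksum FILE EXPECTED_DIGEST [ALGO]
#   ALGO is "md5" or "sha256" (default sha256).
#   Returns 0 and prints "FILE: OK" on a match, 1 and "FILE: FAILED" otherwise,
#   2 if ALGO is unknown. Comparison is case-insensitive because vendors
#   publish digests in either case.
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    algo=${3:-sha256}
    case "$algo" in
        md5)    tool=md5sum ;;
        sha256) tool=sha256sum ;;
        *)      echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    [ -r "$file" ] || { echo "$file: cannot read" >&2; return 1; }
    # The first whitespace-separated field of the tool's output is the hex digest.
    actual=$("$tool" "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "$file: OK"
        return 0
    fi
    echo "$file: FAILED (expected $expected, got $actual)" >&2
    return 1
}

# Demo with constructed files: an "image" that matches the published digest
# and a tampered copy that does not.
demo_dir=$(mktemp -d)
: > "$demo_dir/image.iso"                       # empty file stands in for the download
printf 'extra bytes\n' > "$demo_dir/tampered.iso"  # same name on a mirror, different content
PUBLISHED_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
verify_checksum "$demo_dir/image.iso"    "$PUBLISHED_SHA256" sha256
verify_checksum "$demo_dir/tampered.iso" "$PUBLISHED_SHA256" sha256 || echo "refusing to use tampered.iso"
rm -rf "$demo_dir"
```

In a download script, call verify_checksum right after fetching the file and abort on a non-zero return before the image is written to a USB stick or mounted; the OK/FAILED lines mirror what sha256sum --check prints, so the output reads the same as the Ubuntu one-liner above.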
