How do you use sha256 to confirm download?

pblewis · November 13, 2015, 5:16pm

I have downloaded Leap 42.1 both the .iso and the .iso.sha256 file.
I then ran:
sha256sum openSUSE-Leap-42.1-DVD-x86_64.iso
which produced:
d6e0bbc91611932f76d13d4e6ed8b02c423ced969fbd00d432acd0a33e2b096e openSUSE-Leap-42.1-DVD-x86_64.iso

The contents of the .iso.sha256 file has in it:
Hash: SHA256

8576e84822cdbe566bf551e28a169fc028229831eba9f07a4c1f84302c5ddb09 openSUSE-Leap-42.1-DVD-x86_64.iso

which is not the same.

What am I doing wrong please? I have tried twice.

malcolmlewis · November 13, 2015, 5:40pm

Hi
You use the sha file to check the iso image (make sure both iso and sha file in same place);


sha256sum -c <somefile>.sha256

It should say ‘OK’ is all good;

nrickert · November 13, 2015, 6:36pm

Actually, it also says something like “16 lines badly formatted”. People should ignore that, and look for the “Okay” on the file that they wanted to check.

pblewis · November 15, 2015, 10:41am

Problem resolved with confirmation that it all works.
The file I loaded direct had 12,242 errors but the amazing thing is that I did direct download twice and they both had the same errors!
I used the Downthemall tool with the meta link and asked it to correct the downloaded file.
I was then able to use the
sha256sum -c openSUSE-Leap-42.1-DVD-x86_64.iso.sha256
command to verify the file.
I used the command:
gpg2 --verify openSUSE-Leap-42.1-DVD-x86_64.iso.sha256
which reported that it did not know the key used so I added the key to my keyring:
gpg --keyserver wwwkeys.pgp.net --recv-keys 3DBDC284
where 3DBDC284 was returned by the previous --verify. Then running:
gpg2 --verify openSUSE-Leap-42.1-DVD-x86_64.iso.sha256
which returned:
gpg: Signature made Fri 30 Oct 2015 10:30:57 GMT using RSA key ID 3DBDC284
gpg: Good signature from “openSUSE Project Signing Key <opensuse@opensuse.org>”
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284

The conclusion from all this is that one has to verify any new images with the checksum hash and the file should be downloaded with a tool that can repair any download errors.

Thanks for your responses.

Bloggs_J · January 10, 2016, 1:50pm

Unfortunately a lot is left unexplained: Other people consistently obtain the identical bad SHA256 checksum that you obtained.
This level of coincidence is baffling so I would be very interested if anyone can explain it.

malcolmlewis · January 10, 2016, 5:54pm

Hi
Bad mirrors come and go, low priority syncs (see mirror list). I always hit the pick a mirror, select one in my locale and then use wget -c only for dragging in images.

Mirrors are third party controlled, so if one is spotted then the mirror admins need to be contacted to fix.