multiple checksums for ISO file

konsultor · May 22, 2019, 8:37pm

Just downloaded openSUSE-Leap-15.1-DVD-x86_64.iso – twice. Both times

:~> sha256sum /home/konsultor/Downloads/LinuxFeatures/opensuse/openSUSE-Leap-15.1-DVD-x86_64.iso
c6d3ed19fe5cc25c4667bf0b46cc86aebcfbca3b0073aed0a288834600cb8b97  /home/konsultor/Downloads/LinuxFeatures/opensuse/openSUSE-Leap-15.1-DVD-x86_64.iso

The sha256 hash values are different at two places on the openSuse web site:

https://download.opensuse.org/distribution/leap/15.1/iso/openSUSE-Leap-15.1-NET-x86_64.iso?mirrorlist shows

SHA-256 Hash: 609d0ad527ab13681b44e28326cd7941e87adfe8d522e2b31d0d7c71e9d92992

https://software.opensuse.org/distributions/leap/15_1 shows
For extra security, you can use GPG to verify who signed those .sha256 files.
It should be **22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284

**](https://download.opensuse.org/tumbleweed/repo/oss/gpg-pubkey-3dbdc284-53674dd4.asc)My SHA256 calculation is neither of these.

Has anyone seen this or have I missed something?
Thanks

paulparker · May 22, 2019, 10:05pm

Same result


paulparker@linux-dkbo:~> sha256sum    openSUSE-Leap-15.1-DVD-x86_64.iso
c6d3ed19fe5cc25c4667bf0b46cc86aebcfbca3b0073aed0a288834600cb8b97  openSUSE-Leap-15.1-DVD-x86_64.iso
paulparker@linux-dkbo:~>

Note the GPG relates to Tumbleweed
https://download.opensuse.org/tumbleweed/repo/oss/gpg-pubkey-3dbdc284-53674dd4.asc

When unplugged the USB then plugged it back in Tumbleweed changed with YaST2 showing


File System:



  - File System: ISO9660
  - Mount Point:
  - Label: openSUSE-Leap-15.1-DVD-x86_64470

Will now for sure when re boot to view results.

konsultor · May 22, 2019, 10:43pm

Thank you. Found the correct check sum on the web site.

nrickert · May 22, 2019, 10:55pm

konsultor:

Just downloaded openSUSE-Leap-15.1-DVD-x86_64.iso – twice. Both times

:~> sha256sum /home/konsultor/Downloads/LinuxFeatures/opensuse/openSUSE-Leap-15.1-DVD-x86_64.iso
c6d3ed19fe5cc25c4667bf0b46cc86aebcfbca3b0073aed0a288834600cb8b97  /home/konsultor/Downloads/LinuxFeatures/opensuse/openSUSE-Leap-15.1-DVD-x86_64.iso

That looks correct, and matches what I have.

The sha256 hash values are different at two places on the openSuse web site:

https://download.opensuse.org/distribution/leap/15.1/iso/openSUSE-Leap-15.1-NET-x86_64.iso?mirrorlist shows

SHA-256 Hash: 609d0ad527ab13681b44e28326cd7941e87adfe8d522e2b31d0d7c71e9d92992

That’s the checksum for the NET iso, rather than the DVD iso. You probably clicked the wrong spot.

For extra security, you can use GPG to verify who signed those .sha256 files.
It should be **22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
**](https://download.opensuse.org/tumbleweed/repo/oss/gpg-pubkey-3dbdc284-53674dd4.asc)

And that’s the fingerprint of the GPG key used to sign “.sha256” files. In this case, I’ll agree that the web page is confusing.

paulparker · May 22, 2019, 11:27pm

Am now happily using openSUSE Leap 15.1 GNOME 3.26.2

nrickert · May 23, 2019, 12:46am

I’m glad to hear that. Enjoy.