Checksum Fail – Fedora 29 or spin KDE Plasma

2

I tried checksum Fedora Workstation 29 and Fedora KDE Plasma but it's always fail. Am I doing something wrong, is the tutorial incomplete or the file in the server is corrupted?

Details:

I use Windows -> commands in Powershell:

FOR KDE:

$image = "Fedora-KDE-Live-x86_64-29-1.2.iso"
$checksum_file = ""Fedora-Spins-29-1.2-x86_64-CHECKSUM"
$sha256 = New-Object -TypeName System.Security.Cryptography.sha256CryptoServiceProvider $expected_checksum = ((Get-Content $checksum_file | Select-String -Pattern $image) -split " ")[0].ToLower()

$download_checksum = [System.BitConverter]::ToString($sha256.ComputeHash([System.IO.File]::ReadAllBytes("$PWD\$image"))).ToLower() -replace '-', ''

echo "Download Checksum: $download_checksum"
Download Checksum: 5f7103a79e705bc1be95b7a2350b82cae857196542396cec0e3e7dfd7d16815a
echo "Expected Checksum: $expected_checksum"
Expected Checksum: #
if ( $download_checksum -eq "$expected_checksum" ) { echo "Checksum test passed!" } else { echo "Checksum test failed." }
Checksum test failed.

For workstation:

$image = "Fedora-Workstation-Live-x86_64-29-1.2.iso"
$checksum_file = "Fedora-Workstation-29-1.2-x86_64-CHECKSUM"
$sha256 = New-Object -TypeName System.Security.Cryptography.sha256CryptoServiceProvider
$expected_checksum = ((Get-Content $checksum_file | Select-String -Pattern $image) -split " ")[0].ToLower()

$download_checksum = [System.BitConverter]::ToString($sha256.ComputeHash([System.IO.File]::ReadAllBytes("$PWD\$image"))).ToLower() -replace '-', ''

echo "Download Checksum: $download_checksum"
Download Checksum: 653cc283749100e9b46625d23938ff890ae29482bef142f5a0f99c5a5ddc03e9
echo "Expected Checksum: $expected_checksum"
Expected Checksum: #
if ( $download_checksum -eq "$expected_checksum" ) {echo "Checksum test passed!"} else {echo "Checksum test failed."}
Checksum test failed.

spCl

Posted 2019-03-31T19:08:38.437

Reputation: 23

Answers

1

EDIT: This answer was written assuming the iso checking was being conducted in Linux. It turns out it was in Windows. So the local download directory is probably different from what I mention (just substitute your actual download directory), and Windows may not come bundled with a checksum utility.

Free checksum utilities are readily available. I've been away from Windows for awhile, but just Google "windows sha256 checksum" and there are tons of links and recommendations. These are simple utilities, so even old recommendations are likely to be fine. You don't need anything fancy; anything that runs in your version of Windows and calculates the sha256 hash. So your windows command may be different from what I show below; just follow the simple instructions for the utility you use.

Every once in awhile, I run into the same problem, where an iso checksum doesn't match. It seems to happen with some frequency with Fedora. What I've discovered is that while many distros have made the checking procedure bulletproof (virtually no chance of getting a corrupt or tampered-with iso), they've introduced multiple potential points of failure for good isos. That appears to be the case here. The convoluted procedure is failing for a good iso.

Just as background, the checksum lets you verify that the iso isn't corrupted. Until recently, distros just provided the checksum so you could verify that you downloaded a good iso. However, it's possible for the iso to be tampered with, and the checksum file to also be tampered with. So some of the distros have instituted somewhat convoluted procedures that enable you to have good assurance that the checksum you compare the iso to hasn't been tampered with.

It is difficult to do this kind of "undetectable" tampering even to files without these safeguards. Recurring verifications make any such tampering quickly discoverable, and the existence of the new procedures discourage hackers from even trying. So I stopped messing with the problem-prone procedures and just directly compare the iso checksum to the published value the old way. (So I'm only 99.999% protected from vandalism instead of 99.999999999%; I live life on the wild side.)

The published checksums are in a file in the same repository as the iso. When you download the iso, Fedora takes you to a page with a download link for the checksum file, and the file should already now be in your download directory.

The procedure you followed has already extracted the published checksum values, which are shown in your question. I just tested KDE, whose checksum begins 5f7103a... You can verify the workstation iso for yourself.

Just open a terminal and navigate to your Downloads directory (that's typically the default download location). If it is, and your terminal opens by default to your Home directory, just enter: 

cd Downloads

(Note the capitalization). To verify that's where the download is, type: 

dir *.iso

and you should see it.

Different distros use different checksums. The Fedora ones are sha256. You can generate the checksum with a built-in command: 

sha256sum *.iso

It will take a minute for it to process the file, and it will display the checksum value. Compare that to the published value for the same iso. If they match, the chance that you downloaded a corrupted iso are infinitesimal. The chance that you downloaded a vandalized iso with faked checksum (and that it wasn't already caught if it happened), are vanishingly small.

fixer1234

Posted 2019-03-31T19:08:38.437

Reputation: 24 254

Hi! Thanks very much for your detailed answer! I tried using the command above (sha256sum) in the powershell of Windows but I have an error 'CommandNotFoundException'. By the way, I just had an answer in Fedora's forum which was also useful and I could finally do the checking procedure. I'll leave the link: [link]https://ask.fedoraproject.org/en/question/134513/checksum-fail-fedora-29-or-spin-kde-plasma. They had outdated instructions in Fedora's docs, the correct script is: $expected_checksum = ((Get-Content $checksum_file | Select-String -Pattern $image) -split ") = ")[2].ToLower()

– spCl – 2019-04-01T11:55:52.173

@spCl, I assumed from the question and tags that you were doing this in Linux. Windows may not come bundled with the checksum utility (and the iso download is probably to a different directory). But free checksum utilities are readily available. This link on the Fedora site covers some, but looks a bit dated. (cont'd)

– fixer1234 – 2019-04-01T12:19:35.343

There's an old thread here that asked about Win 7, but includes some relatively recent updates. But a Google search should show currently available utilities, like here (which is just the first one that came up in Google). Even if the utility is old, as long as it can calculate the sha256 hash and runs in your version of Windows, that's all you need. These utilities are pretty simple, so even ancient ones are likely to run in any version of Windows.

– fixer1234 – 2019-04-01T12:20:26.917

But if you got the official instructions to work, that's even better. :-) – fixer1234 – 2019-04-01T12:22:59.003

Thank you, you were really nice to answer my question with a lot of info! I hope it will be useful for others, too! :) – spCl – 2019-04-03T19:47:35.687

Asked: 2019-03-31T19:08:38.437

Viewed: 158 times

Active: 2019-04-01T12:38:46.083