Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

How to verify a shasum

Sun Jun 09, 2013 6:36 pm

(Mildly off-topic, but interesting...)

Suppose I download something from the d/l section of this board. The board tells me what the "shasum" should be (call this "X"). I run "shasum" on the downloaded file and it gives me a big huge string.

I compare that big huge string to "X" by eyeball method. How can I be sure that it is the same?

I do "man shasum" and it says there is a "-c" (or "--check") option. Aha, says I! This is like md5sum, something with which I am quite familiar - I use the "-c" option there all the time.

But the syntax for shasum is opaque and there are no examples in the man page.

I try:

echo "X" | shasum -c newlydownloadedfile.zip

It outputs binary crap on my screen. I control/C it and hope it hasn't screwed up my terminal (the usual result of outputting binary crap in a Unix/Linux terminal window). Luckily, it has not done so (yet...)

So, what is the right syntax?

FWIW, I've taken to:

shasum -c newlydownloadedfile.zip | gawk '{print $1 == "X"}'

which works (prints "1" as output), but surely there is a better way...
And some folks need to stop being fanboys and see the forest behind the trees.

(One of the best lines I've seen on this board lately)

joan
Posts: 14473
Joined: Thu Jul 05, 2012 5:09 pm
Location: UK

Re: How to verify a shasum

Sun Jun 09, 2013 7:51 pm

Put the strings in file 1 and file 2 and do a diff?

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: How to verify a shasum

Sun Jun 09, 2013 8:37 pm

joan wrote: Put the strings in file 1 and file 2 and do a diff?

Obviously any number of hacky/kludgey ways, such as my AWK solution above.

But I assume there is a "built-in" way to do it, that uses the "-c" option, and works similarly to the way md5sum works.

MrEngman
Posts: 3872
Joined: Fri Feb 03, 2012 2:17 pm
Location: Southampton, UK

Re: How to verify a shasum

Sun Jun 09, 2013 9:08 pm

Use something like shasum -c downloadedfile.sha1

And downloadedfile.sha1 contains the sha1 value followed by the filename to check.

e.g. NOOBS_v1_1.zip.sha1 for example contains


ab69df2c48cf32abfb06934937ce3ebf249c278e  /home/pi/images/NOOBS_v1_1.zip

From what I understand the file may contain references to multiple files.

If all is OK you should see


pi@raspberrypi ~ $ shasum -c NOOBS_v1_1.zip.sha1
/home/pi/images/NOOBS_v1_1.zip: OK
pi@raspberrypi ~ $
MrEngman
Simplicity is a prerequisite for reliability. Edsger W. Dijkstra

Please post ALL technical questions on the forum. Please Do Not send private messages.

sprinkmeier
Posts: 410
Joined: Mon Feb 04, 2013 10:48 am

Re: How to verify a shasum

Sun Jun 09, 2013 9:15 pm

Assuming you want to check the file foo you could use:


$ echo "d...9  foo" | sha1sum --check
foo: OK

(note that you need 2 spaces between the checksum and the filename, hence the quotes)

I usually copy the checksum from the download page and do


$ sha1sum foo ; echo da39...709
da39.....afd80709  foo
da39.....afd80709

which is easy enough to visually diff.

sha1sums are cryptographic checksums. If the input differs in the slightest then the output will be totally different.
If someone does discover a way to force checksum collisions (or even get them mostly right) they're going to use their powers for good (instant fame) or evil (embezzling millions) but not mild mischief (haxoring Raspberry PIs).

That said it'd be nice if there were checksum files (or better yet signature files) available for download.
Given the number of Raspberry Pi gateways I imagine they'd be a tempting target, so sooner or later someone might try to distribute a trojaned image.

MrEngman
Posts: 3872
Joined: Fri Feb 03, 2012 2:17 pm
Location: Southampton, UK

Re: How to verify a shasum

Sun Jun 09, 2013 10:07 pm

sprinkmeier wrote: That said it'd be nice if there were checksum files (or better yet signature files) available for download.
Given the number of Raspberry Pi gateways I imagine they'd be a tempting target, so sooner or later someone might try to distribute a trojaned image.

Is this what you're looking for? On the download page, this one is for NOOBS, you will see:

"You will be redirected in 5 seconds. Don't want to wait? Use a Direct Link.

SHA-1 Checksum: ab69df2c48cf32abfb06934937ce3ebf249c278e

We recommend that you verify the image with the SHA-1 checksum provided above. Instructions for this are Here."

It's not at all obvious but "SHA-1 Checksum:" is a pointer to a file you can use with shasum. It contains the sha1 and a pointer to the downloaded file. However, note you will need to edit it so it points to where you have downloaded your file to.


sprinkmeier
Posts: 410
Joined: Mon Feb 04, 2013 10:48 am

Re: How to verify a shasum

Sun Jun 09, 2013 11:10 pm

MrEngman wrote:
    sprinkmeier wrote: That said it'd be nice if there were checksum files (or better yet signature files) available for download.
    ...
    Is this what you're looking for?
    ...
    It's not at all obvious but "SHA-1 Checksum:" is a pointer to a file you can use with shasum.

yup... that'd be a checksum file :-)
Being slightly on the paranoid side I'd like a signature as well. And a Pony!

erikcf
Posts: 19
Joined: Thu May 23, 2013 4:17 am

Re: How to verify a shasum

Sun Jun 09, 2013 11:19 pm

Usually I just use shasum and copy the SHA-1 from the output on the terminal, then open up the web browser's find command on the page with the SHA-1 and paste in the one that was calculated. It will only find an exact match, so if it finds it then the one you pasted matches the SHA-1 that the find command found on the page.

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: How to verify a shasum

Sun Jun 09, 2013 11:39 pm

Again, the point is to avoid all those hacky-kludgey ways of doing the "visual compare". As I said, my AWK solution works fine, but is awfully hacky-kludgey.

I think the winner is to click on the download page (as suggested above, it isn't obvious, but I guess it works) and get the SHA text file from the download page.

Thanks!

erikcf
Posts: 19
Joined: Thu May 23, 2013 4:17 am

Re: How to verify a shasum

Mon Jun 10, 2013 12:25 am

Technically it is not a visual compare the way I suggested, and unless you download the SHA-1 in a file, you are still copying and pasting something anyway. If you aren't doing a batch compare of SHA-1 hashes using such a file, the method I suggested is still a quick and effective way to do it.

Anyway, if you just want a command to calculate and verify a single SHA-1 without needing that file, sprinkmeier is on the right track. However, usually you probably want binary for the file mode rather than text unless you are using it on a text file that has had a line-ending conversion performed on it. In the format sprinkmeier mentioned, the second space actually indicates text mode. To specify binary, use an asterisk instead. For example:


echo 'ab69df2c48cf32abfb06934937ce3ebf249c278e *NOOBS_v1_1.zip' | shasum -c

I'm not certain where the distinction between binary and text mode matters, however. Maybe only on a native Windows version of the shasum tools. On the versions I have (Cygwin with line-ending auto-conversions not enabled and Linux), it does not seem to make any difference, even if getting the SHA-1 of a text file either in Windows or UNIX format.

By the way, I'm aware that the SHA-1 files for the downloads here indicate text mode, but they were very likely generated on a platform that doesn't care.
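The one-liner above, and the two-spaces-versus-asterisk check-line format sprinkmeier and erikcf describe, can be wrapped in a small POSIX shell function so the comparison is done by the tool's own exit status rather than by eye. This is an added example, not code from the thread; it assumes GNU coreutils sha1sum or Perl shasum is on PATH, and the file it hashes is constructed on the spot.

```shell
#!/bin/sh
# Added example (not from the thread): verify one download against a published
# SHA-1 without a separate .sha1 file, using the "-c" check-line format the
# thread describes: "<hex>  <name>" (text mode) or "<hex> *<name>" (binary mode).
# Assumes GNU coreutils sha1sum or Perl shasum is installed.

# Pick whichever tool is installed; both accept the same check-line format.
sha1_tool() {
    if command -v sha1sum >/dev/null 2>&1; then
        echo "sha1sum"
    else
        echo "shasum -a 1"
    fi
}

# verify_sha1 EXPECTED_HEX FILE
# Returns 0 when FILE hashes to EXPECTED_HEX, 1 on mismatch or bad input.
verify_sha1() {
    expected=$1
    file=$2
    # Reject anything that is not 40 hex digits before feeding it to -c, so a
    # pasted value with a stray character fails loudly instead of silently.
    case "$expected" in
        *[!0-9a-fA-F]*|"") echo "bad digest: '$expected'" >&2; return 1 ;;
    esac
    [ ${#expected} -eq 40 ] || { echo "digest must be 40 hex digits" >&2; return 1; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # The asterisk marks binary mode; on Unix it behaves the same as two spaces.
    # --status suppresses the "file: OK/FAILED" line and reports via exit code.
    printf '%s *%s\n' "$expected" "$file" | $(sha1_tool) -c --status
}

# Demo on a constructed empty file; its SHA-1 is the well-known da39...0709
# value quoted earlier in the thread.
demo() {
    tmp=$(mktemp)
    if verify_sha1 da39a3ee5e6b4b0d3255bfef95601890afd80709 "$tmp"; then
        echo "$tmp: OK"
    else
        echo "$tmp: FAILED"
    fi
    rm -f "$tmp"
}

demo
```

Scripted downloads can call `verify_sha1` and abort on a non-zero return, which is what `-c` is for once the check line is formatted correctly.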

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: How to verify a shasum

Mon Jun 10, 2013 12:48 am

erikcf wrote: By the way, I'm aware that the SHA-1 files for the downloads here indicate text mode, but they were very likely generated on a platform that doesn't care.

Correct (on all counts). As long as everything is Unix (any variation thereof), text == binary and binary == text.

Note: I use Windows for the things Windows is good at and Unix (in whatever flavor) for the things Unix is good at. Calculating and verifying checksums is definitely in the latter category.