Thanks for the answer. I followed the steps at the download page before. I also got the checksum file as one can see above. I just don’t know where I can compare the checksum to. Or do I have to compare it to the DNS Open PGP Key?
This sounds like you didn’t use the command-line for steps 1–3 from Fedora keeps you safe. If you can’t/won’t use the command-line, gtkhash should do the job.
You need to open a terminal to run step 4 on the command line. The -c option passed to sha256sum tells sha256sum to compute the checksum and compare it to the value in Fedora-Workstation-38-1.6-x86_64-CHECKSUM.
This is step 3:
xxx@Mac-xxx ~ % gpgv --keyring ./fedora.gpg /Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM
gpgv: Signature made vr 14 apr 09:59:35 2023 CEST
gpgv: using RSA key 6A51BBABBA3D5467B6171221809A8D7CEB10B464
gpgv: Good signature from "Fedora (38) fedora-38-primary@fedoraproject.org"
This is step 4:
xxx@Mac-xxx ~ % shasum -a 256 /Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM
bf5dca7186e3518ba90c3da270da36a8d9358bb10130200e8da1bdef97f1bf31 /Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM
And then I did step 4 again, but with the checksum AND the ISO file.
xxx@Mac-xxx ~ % shasum -a 256 /Users/xxx/Downloads/Fedora-Workstation-Live-x86_64-38-1.6.iso /Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM
7a444a2e19012023bf0b015ae30135bafc5fd20f4f333310d42b118745093992 /Users/xxx/Downloads/Fedora-Workstation-Live-x86_64-38-1.6.iso
bf5dca7186e3518ba90c3da270da36a8d9358bb10130200e8da1bdef97f1bf31 /Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM
I hope I did it right in this way.
The numbers of the ISO file and the checksum are different. If I did everything right in step 4, I presume the ISO-file is not safe to use. Am I right here?
The correct hash is stored inside the checksum file in text format.
You can verify the calculated hash manually by reading the content of the checksum file.
Or just use the instructions linked above to perform automatic verification.
The important part is the -c option, which is for checking. Without it, it would just create a new CHECKSUM file.
Example
$ sha256sum -c Fedora-Spins-38-1.6-x86_64-CHECKSUM
sha256sum: Fedora-Budgie-Live-x86_64-38-1.6.iso: No such file or directory
Fedora-Budgie-Live-x86_64-38-1.6.iso: FAILED open or read
sha256sum: Fedora-Cinnamon-Live-x86_64-38-1.6.iso: No such file or directory
Fedora-Cinnamon-Live-x86_64-38-1.6.iso: FAILED open or read
sha256sum: Fedora-KDE-Live-x86_64-38-1.6.iso: No such file or directory
Fedora-KDE-Live-x86_64-38-1.6.iso: FAILED open or read
sha256sum: Fedora-LXDE-Live-x86_64-38-1.6.iso: No such file or directory
Fedora-LXDE-Live-x86_64-38-1.6.iso: FAILED open or read
sha256sum: Fedora-LXQt-Live-x86_64-38-1.6.iso: No such file or directory
Fedora-LXQt-Live-x86_64-38-1.6.iso: FAILED open or read
sha256sum: Fedora-MATE_Compiz-Live-x86_64-38-1.6.iso: No such file or directory
Fedora-MATE_Compiz-Live-x86_64-38-1.6.iso: FAILED open or read
sha256sum: Fedora-SoaS-Live-x86_64-38-1.6.iso: No such file or directory
Fedora-SoaS-Live-x86_64-38-1.6.iso: FAILED open or read
sha256sum: Fedora-Sway-Live-x86_64-38-1.6.iso: No such file or directory
Fedora-Sway-Live-x86_64-38-1.6.iso: FAILED open or read
Fedora-Xfce-Live-x86_64-38-1.6.iso: OK
sha256sum: Fedora-i3-Live-x86_64-38-1.6.iso: No such file or directory
Fedora-i3-Live-x86_64-38-1.6.iso: FAILED open or read
sha256sum: WARNING: 17 lines are improperly formatted
sha256sum: WARNING: 9 listed files could not be read
I don’t know, it seems to me the instruction is not clear (enough). In the meantime I downloaded another ISO and did the same as I showed above. The outcome was the same, which means that the shasum of the second ISO also differs from the shasum of the checksum file.
Hi Mario, you are calculating the checksum of the CHECKSUM file itself, instead of using the checksums in the CHECKSUM file to verify another file (the ISO). The -c option in the instructions is important and can’t be ignored.
However, you can also manually read the contents of the CHECKSUM file as Vladislav mentioned. You already calculated the checksum of the ISO here:
xxx@Mac-xxx ~ % shasum -a 256 /Users/xxx/Downloads/Fedora-Workstation-Live-x86_64-38-1.6.iso /Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM
7a444a2e19012023bf0b015ae30135bafc5fd20f4f333310d42b118745093992 /Users/xxx/Downloads/Fedora-Workstation-Live-x86_64-38-1.6.iso
So you know the ISO has a SHA256 checksum of 7a444a2e19012023bf0b015ae30135bafc5fd20f4f333310d42b118745093992
Now compare it with the contents of the CHECKSUM file by opening it in a text editor. I will show it here, but you should do it on your own too:
Visually checking it is hard, so the better way is to copy the checksum that you calculated from the terminal, then use the text editor’s Search feature and paste it in the search field. It should be an exact match.
If doing it that way, the command would be shasum -a 256 -c *-CHECKSUM so it reads the checksum file and compares the ISO to the value noted within that file.
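The comparison described in the replies above, written out as an added example (not part of the original posts or of Fedora's instructions): it looks up the ISO's entry inside the CHECKSUM file and compares it with the hash computed from the ISO, instead of hashing the CHECKSUM file itself. The function names, the sample file names and the stand-in file are constructed for illustration, and the `SHA256 (name) = hash` line format is an assumption about the CHECKSUM file; the signature check from step 3 is still done separately with gpgv.

```shell
#!/bin/sh
# Added example: compare an image against its entry inside a CHECKSUM file.
# Run gpgv on the CHECKSUM file first (step 3); this covers only the hash check.

# Print the SHA-256 of a file as bare hex (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print the hash recorded for NAME in CHECKSUM_FILE (assumed line formats:
# "SHA256 (name) = hex", "hex  name" or "hex *name"). PGP armor lines and
# "#" comments match neither pattern and are skipped.
expected_hash() {  # usage: expected_hash CHECKSUM_FILE NAME
    awk -v name="$2" '
        $1 == "SHA256" && $2 == ("(" name ")") && $3 == "=" { print $4; exit }
        length($1) == 64 && ($2 == name || $2 == ("*" name)) { print $1; exit }
    ' "$1"
}

# 0 = match, 1 = mismatch, 2 = CHECKSUM file has no entry for this image.
verify_image() {  # usage: verify_image CHECKSUM_FILE IMAGE
    want=$(expected_hash "$1" "$(basename "$2")")
    [ -n "$want" ] || { echo "$2: no entry in $1"; return 2; }
    got=$(sha256_of "$2")
    if [ "$got" = "$want" ]; then echo "$2: OK"; return 0; fi
    echo "$2: FAILED (expected $want, got $got)"; return 1
}

# Constructed sample: a small stand-in file and a CHECKSUM file shaped like a
# clearsigned one (the signature body is a placeholder, not a real signature).
demo_dir=$(mktemp -d)
printf 'stand-in image contents\n' > "$demo_dir/sample.iso"
{
    echo '-----BEGIN PGP SIGNED MESSAGE-----'
    echo 'Hash: SHA256'
    echo ''
    echo '# sample.iso: 24 bytes'
    echo "SHA256 (sample.iso) = $(sha256_of "$demo_dir/sample.iso")"
    echo '-----BEGIN PGP SIGNATURE-----'
    echo '(placeholder)'
    echo '-----END PGP SIGNATURE-----'
} > "$demo_dir/sample-CHECKSUM"

verify_image "$demo_dir/sample-CHECKSUM" "$demo_dir/sample.iso"
```

With real files the call would be verify_image followed by the path to the CHECKSUM file and the path to the ISO; the hash of the CHECKSUM file itself never enters the comparison.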
This command didn’t work out:
xxx@Mac-xxx ~ % shasum -a 256 -c <<< '7a444a2e19012023bf0b015ae30135bafc5fd20f4f333310d42b118745093992 /Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM'
shasum: standard input: no properly formatted SHA1 checksum lines found
In this way it seems to be working:
xxx@Mac-xxx ~ % shasum -a 256 -c <<< '7a444a2e19012023bf0b015ae30135bafc5fd20f4f333310d42b118745093992 */Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM'
/Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM: FAILED
shasum: WARNING: 1 computed checksum did NOT match
I replaced the * once with ? and once with ^ and got the same output. I guess I should download another copy of the ISO, compare the checksum again and hope for a good outcome.
This attempt did not work out:
xxx@Mac-xxx ~ % shasum -a 256 -c <<< '7a444a2e19012023bf0b015ae30135bafc5fd20f4f333310d42b118745093992 /Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM'
shasum: standard input: no properly formatted SHA1 checksum lines found
In this way, it seems to be working:
xxx@Mac-xxx ~ % shasum -a 256 -c <<< '7a444a2e19012023bf0b015ae30135bafc5fd20f4f333310d42b118745093992 */Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM'
/Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM: FAILED
shasum: WARNING: 1 computed checksum did NOT match
Although the attempt did not result in a match. I think I should just download another copy of the ISO and hope for a checksum-match.