Where to find the checksum for Fedora 38 and some other questions

Hi all, I’m quite new to this so my questions are more in the ‘newbie’ categorie.

  1. Checksum
    I did the gpg-part, but I just can’t find the checksum of Fedora 38 to compare with the checksum I got via the shasum-check:

bf5dca7186e3518ba90c3da270da36a8d9358bb10130200e8da1bdef97f1bf31 /Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM.

Where can I find the checksum and find out if this one is ok?

  1. ISO.
    I presume the gpg-part and checking the checksum is enough to be sure the ISO is ok?

  2. Does FedoraMediaWriter also need a gpg and checksum check?

Thanks for helping me out.

Here are the instructions to verify the image:

You can get the checksum file from the download page.

Thanks for the answer. I followed the steps at the download page before. I also got the checksum file as one can see above. I just don’t know where I can compare the checksum to. Or do I have to compare it to the DNS Open PGP Key?

The commands linked above help you achieve the following:

  • Verify the signature of the checksum file against the Fedora’s public GPG key.
  • Calculate the hash of the image file and verify it against the checksum file.
1 Like

This sounds like you didn’t used the command-line for steps 1–3 from Fedora keeps you safe . If you can’t/won’t use the command-line, gtkhash should do the job.

You need to open a terminal to run step 4 on the command line. The -c option passed to sha256sum tells sha256sum to compute the checksum and compare it to the value in Fedora-Workstation-38-1.6-x86_64-CHECKSUM.


From https://fedoraproject.org/workstation/download/

Click on the check-mark next to the download link and that would lead you to the checksum file

Where it says

 Download the checksum file into the same directory as the image you downloaded.

click on the “checksum file” to download it.


Fedora Media Writer does all the checking for you, if you download the images through it.


Thanks again!

I did the steps on Fedora keeps you safe.

This is step 3:
xxx@Mac-xxx ~ % gpgv --keyring ./fedora.gpg /Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM
gpgv: Signature made vr 14 apr 09:59:35 2023 CEST
gpgv: using RSA key 6A51BBABBA3D5467B6171221809A8D7CEB10B464
gpgv: Good signature from "Fedora (38) fedora-38-primary@fedoraproject.org

This is step 4:
xxx@Mac-xxx ~ % shasum -a 256 /Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM
bf5dca7186e3518ba90c3da270da36a8d9358bb10130200e8da1bdef97f1bf31 /Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM

And then I did step 4 again, but with the checksum AND the ISO file.
xxx@Mac-xxx ~ % shasum -a 256 /Users/xxx/Downloads/Fedora-Workstation-Live-x86_64-38-1.6.iso /Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM
7a444a2e19012023bf0b015ae30135bafc5fd20f4f333310d42b118745093992 /Users/xxx/Downloads/Fedora-Workstation-Live-x86_64-38-1.6.iso
bf5dca7186e3518ba90c3da270da36a8d9358bb10130200e8da1bdef97f1bf31 /Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM

I hope I did it right in this way.

The numbers of the ISO file and the checksum are different. If I did everything right in step 4, I presume the ISO-file is not safe to use. Am I right here?

1 Like

The correct hash is stored inside the checksum file in text format.
You can verify the calculated hash manually by reading the content of the checksum file.
Or just use the linked above instructions to perform automatic verification.

Step 4 was

sha256sum -c *-CHECKSUM

The important part is the-c option which is for checking. Without it it would just create a new SHECKSUM file.


$ sha256sum -c Fedora-Spins-38-1.6-x86_64-CHECKSUM
sha256sum: Fedora-Budgie-Live-x86_64-38-1.6.iso: No such file or directory
Fedora-Budgie-Live-x86_64-38-1.6.iso: FAILED open or read
sha256sum: Fedora-Cinnamon-Live-x86_64-38-1.6.iso: No such file or directory
Fedora-Cinnamon-Live-x86_64-38-1.6.iso: FAILED open or read
sha256sum: Fedora-KDE-Live-x86_64-38-1.6.iso: No such file or directory
Fedora-KDE-Live-x86_64-38-1.6.iso: FAILED open or read
sha256sum: Fedora-LXDE-Live-x86_64-38-1.6.iso: No such file or directory
Fedora-LXDE-Live-x86_64-38-1.6.iso: FAILED open or read
sha256sum: Fedora-LXQt-Live-x86_64-38-1.6.iso: No such file or directory
Fedora-LXQt-Live-x86_64-38-1.6.iso: FAILED open or read
sha256sum: Fedora-MATE_Compiz-Live-x86_64-38-1.6.iso: No such file or directory
Fedora-MATE_Compiz-Live-x86_64-38-1.6.iso: FAILED open or read
sha256sum: Fedora-SoaS-Live-x86_64-38-1.6.iso: No such file or directory
Fedora-SoaS-Live-x86_64-38-1.6.iso: FAILED open or read
sha256sum: Fedora-Sway-Live-x86_64-38-1.6.iso: No such file or directory
Fedora-Sway-Live-x86_64-38-1.6.iso: FAILED open or read
Fedora-Xfce-Live-x86_64-38-1.6.iso: OK
sha256sum: Fedora-i3-Live-x86_64-38-1.6.iso: No such file or directory
Fedora-i3-Live-x86_64-38-1.6.iso: FAILED open or read
sha256sum: WARNING: 17 lines are improperly formatted
sha256sum: WARNING: 9 listed files could not be read
1 Like

Hi, tnx. The sha256sum command doesn’t work on a mac. So, that’s why I used ‘shasum -a 256’.

I don’t know, it seems to me the instruction is not clear (enough). In the meanwhile I downloaded another ISO and did the same as I showed above. The outcome was the same, which means that the shasum of the second ISO also differs from the shasum of the checksum file.

With the “-c” option as well?

From https://ss64.com/osx/shasum.html

 -c, --check        Check SHA sums against given list
1 Like

Hi Mario, you are calculating the checksum of the CHECKSUM file itself, instead of using the checksums in the CHECKSUM file to verify another file (the ISO). The -c option in the instructions is important and can’t be ignored.

However, you can also manually read the contents of the CHECKSUM file as Vladislav mentioned. You already calculated the checksum of the ISO here:

xxx@Mac-xxx ~ % shasum -a 256 /Users/xxx/Downloads/Fedora-Workstation-Live-x86_64-38-1.6.iso /Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM
7a444a2e19012023bf0b015ae30135bafc5fd20f4f333310d42b118745093992 /Users/xxx/Downloads/Fedora-Workstation-Live-x86_64-38-1.6.iso

So you know the ISO has a SHA256 checksum of 7a444a2e19012023bf0b015ae30135bafc5fd20f4f333310d42b118745093992

Now compare it with the contents of the CHECKSUM file by opening it in a text editor. I will show it here, but you should do it on your own too:

# Fedora-Workstation-Live-x86_64-38-1.6.iso: 2099451904 bytes
SHA256 (Fedora-Workstation-Live-x86_64-38-1.6.iso) = 7a444a2e19012023bf0b015ae30135bafc5fd20f4f333310d42b118745093992

Visually checking it is hard, so the better way is to copy the checksum that you calculated from the terminal, then use the text editor’s Search feature and paste it in the search field. It should be an exact match.


There are GUI checksum apps for MacOS, One is https://www.quickhash-gui.org/

1 Like

If doing it that way the command would be shasum -a 256 -c *.CHECKSUM so it reads the checksum file and compares the ISO to the value noted within that file.

1 Like

Hi all, tnx a lot.

I just did the following.

This command didn’t work out:
xxx@Mac-xxx ~ % shasum -a 256 -c <<< ‘7a444a2e19012023bf0b015ae30135bafc5fd20f4f333310d42b118745093992 /Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM’
shasum: standard input: no properly formatted SHA1 checksum lines found

In this way it seems to be working:
xxx@Mac-xxx ~ % shasum -a 256 -c <<< ‘7a444a2e19012023bf0b015ae30135bafc5fd20f4f333310d42b118745093992 */Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM’
/Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM: FAILED shasum: WARNING: 1 computed checksum did NOT match

I replaced the * once with ? and once with ^ and got the same output. I guess I should download another copy of the ISO, compare the checksum again and hope for a good outcome.

Hi all, tnx a lot!

I just did this:

This attempt did not work out:
xxx@Mac-xxx ~ % shasum -a 256 -c <<< ‘7a444a2e19012023bf0b015ae30135bafc5fd20f4f333310d42b118745093992 /Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM’
shasum: standard input: no properly formatted SHA1 checksum lines found

In this way, it seems to be working:
xxx@Mac-xxx ~ % shasum -a 256 -c <<< ‘7a444a2e19012023bf0b015ae30135bafc5fd20f4f333310d42b118745093992 */Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM’
/Users/xxx/Downloads/Fedora-Workstation-38-1.6-x86_64-CHECKSUM: FAILED
shasum: WARNING: 1 computed checksum did NOT match

Although the attempt dit not result in a match. I think I should just download another copy of the ISO and hope for a checksum-match.

The spam filter just hid my new post. No clue why that is…

Probably due to a link you may have included.
The text version works for us.