What is the method of verifying the integrity of downloaded files in Linux system

2025-02-24 Update From: SLTechnology News&Howtos, Shulou (Shulou.com), 06/01

This article shares the methods for verifying the integrity of downloaded files on a Linux system. The editor thinks it is very practical and shares it here for you to learn from. I hope you get something out of reading it.

Learning under Linux is always difficult at first, but sometimes I find that Linux is much more practical than Windows; verifying the integrity of downloaded files is one of the things that makes me feel good about it. When compiling and installing all kinds of software, I always go to various websites to collect the source packages. Because of this, the software comes in from many different places, so it is necessary to check whether a downloaded file has been modified. At present there are generally three verification methods: MD5, SHA1 and PGP. In the long years of Windows (with or without vicissitudes), you only come into contact with the first two, if you check at all.

MD5 check

Principle: compute the MD5 hash of the file, then judge whether the file has been tampered with since the publisher released it by checking whether the MD5 hash of the downloaded file matches the MD5 hash provided by the publisher.

Description: a long-lived hash algorithm with a wide range of applications; it is also often used for website password storage. Different files are expected to produce different MD5 hash values, but there is already a way to make the MD5 hash values of files match after a few modifications to a file.

Use: under CentOS, the md5sum command makes it easy to compute the MD5 hash of a file.

The code is as follows:

# $ is the terminal prompt, not part of the input
# a line starting with # is a comment
# lines without a prompt are output

# output the MD5 hash directly
$ md5sum your-downloaded-file-name
fd4a1b802373c57c10c926eb7ac823d8  your-downloaded-file-name

# save the MD5 hash value to the md5-hash.txt file
$ md5sum your-downloaded-file-name > md5-hash.txt

# display the contents of md5-hash.txt
$ cat md5-hash.txt
fd4a1b802373c57c10c926eb7ac823d8  your-downloaded-file-name

# use md5-hash.txt to verify whether the file you downloaded is correct
$ md5sum -c md5-hash.txt
your-downloaded-file-name: OK

If you are the publisher of the file, you can generate the file's hash value with md5sum and send it to the verifier, so that anyone downloading your file can use the MD5 hash value to verify that the file is correct. Conversely, after downloading a file from a website, we can obtain the publisher's MD5 hash value and compare it with the hash value generated locally; if they match, the file is considered correct.

SHA1 check

Principle: the same as MD5. Compute the hash of the file, compare it with the hash value published by the publisher, and judge whether the file has been tampered with by whether the two are equal.

Description: the SHA1 hash can be described as an upgraded version of MD5 (SHA1 20-bit, MD5 16-bit). In hashing, SHA1 is taking over the stage as MD5 exits. The SHA family has five algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512; the last four are sometimes called SHA2.

Use: CentOS provides the sha1sum command for SHA1.

The code is as follows:

# conventions as above

# output the SHA1 hash directly
$ sha1sum your-downloaded-file-name
12dc96cbd822598c1230c87622f3591461a77227  your-downloaded-file-name

# save the SHA1 hash value to a file
$ sha1sum your-downloaded-file-name > sha1-hash.txt

# display the file contents
$ cat sha1-hash.txt
12dc96cbd822598c1230c87622f3591461a77227  your-downloaded-file-name

# use sha1-hash.txt to verify the downloaded file your-downloaded-file-name
# note: the file must be reachable at the path recorded in the txt file
$ sha1sum -c sha1-hash.txt
your-downloaded-file-name: OK

SHA1 is used in basically the same way as MD5. One thing to add: when you use md5sum or sha1sum to verify a file, make sure the system can find the file at the path recorded in the hash file. If the file cannot be found, it cannot be verified.

If you are checking the hashes of multiple files, you can save the hash values of all of them in a single file.
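The multi-file check and the missing-path failure described above, as an added example that is not part of the original article: it writes one sha1sum list for three constructed files, then shows how sha1sum -c reports a modified file and a file it cannot find. The names check_manifest and demo are hypothetical helpers, and GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example (not from the article). File names and contents are constructed.

# check_manifest TOOL DIR MANIFEST
# Prints "ok=N failed=N missing=N exit=RC" for one checksum list.
check_manifest() {
    tool=$1; dir=$2; manifest=$3; rc=0
    # Paths in the list are resolved relative to the current directory, so the
    # check runs from DIR. LC_ALL=C pins the English result strings parsed below.
    out=$(cd "$dir" && LC_ALL=C "$tool" -c "$manifest" 2>/dev/null) || rc=$?
    printf '%s\n' "$out" | awk -v rc="$rc" '
        /: OK$/                  { ok++ }
        /: FAILED$/              { failed++ }    # content differs from the list
        /: FAILED open or read$/ { missing++ }   # path in the list not found
        END { printf "ok=%d failed=%d missing=%d exit=%d\n", ok, failed, missing, rc }'
}

demo() {
    work=$(mktemp -d)
    printf 'alpha\n' > "$work/a.tar.gz"    # constructed stand-ins for downloads
    printf 'beta\n'  > "$work/b.tar.gz"
    printf 'gamma\n' > "$work/c.tar.gz"
    # Publisher side: a single list holds the hashes of all three files.
    (cd "$work" && sha1sum a.tar.gz b.tar.gz c.tar.gz > sha1-hash.txt)
    before=$(check_manifest sha1sum "$work" sha1-hash.txt)
    printf 'tampered\n' >> "$work/b.tar.gz"   # content changed after hashing
    rm "$work/c.tar.gz"                       # listed path no longer resolves
    after=$(check_manifest sha1sum "$work" sha1-hash.txt)
    rm -rf "$work"
    echo "$before | $after"
}

demo
```

The non-zero exit status is what a build or install script should test; the per-line text only tells you which entry failed and why.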

PGP check

Principle: using asymmetric encryption, the program generates a unique key pair (a public key and a private key, also called the secret key). The procedure is as follows:

1. The publisher signs the file to be published with the private key of the generated key pair, producing the signature file (sign).

2. The publisher publishes the public key of the key pair to a public key server.

3. The publisher publishes the file together with the signature generated with the private key.

4. The verifier downloads the file and the signature published by the publisher.

5. The verifier uses the PGP program to obtain the public key that the publisher published in step 2.

6. The verifier uses the public key to verify the file signature.

Description: in asymmetric algorithms, the keys are used as follows: the public key is used for encrypting information and for verification, and the private key is used for decryption and for signing. The private key is held by the information publisher, and the public key can be distributed freely. The publisher signs the information with the private key, and after obtaining the public key, the receiver can use it to verify the information plus signature issued by the publisher. If the validation fails, the information is considered to have been tampered with. The HTTPS protocol, which we often encounter on the network, uses the same mechanism.

Use: because PGP is a commercial application, the program with similar functions on CentOS/Linux is GPG (that is, GnuPG), which also complies with the OpenPGP data encryption standard (RFC 4880). If it is not installed, it can be installed with yum install gnupg; the command is gpg.

The code is as follows:

# conventions as above
# the full process is relatively complex, and in practice verification is what is mostly used, so only file verification is introduced here
# once we have the file and the signature, we first use gpg to verify the signature; the file must exist at this point
$ gpg --verify downloaded-file-sign.asc

There are several possible outcomes. If you only have the signature, and the file the signature was generated from does not exist (the system cannot find it; it should be placed in the same directory), the output is:

The code is as follows:

gpg: data without signature
gpg: can't hash datafile: No data

When you have the file but do not have the public key corresponding to the signature, gpg returns information similar to the following:

The code is as follows:

gpg: signature created at 18:27:27 CST on Monday, May 6, 2013, using RSA, key number 47ACDAFB
gpg: unable to check signature: No public key

Note: the information above differs between files and operating systems. But when the public key is missing, gpg reports the key number corresponding to the signature: 47ACDAFB, which identifies the public key we are looking for.

As mentioned above, the publisher has published the public key to a public key server for verifiers to download, so we need to download the public key from the public key server. To download the public key, the key number is essential.

A list of commonly used key servers can be found through the Key Server entry on Wikipedia. hkp://pgp.mit.edu is used here:

The code is as follows:

# get the public key from the server
$ gpg --keyserver hkp://pgp.mit.edu --recv-keys 47ACDAFB
gpg: downloading key '47ACDAFB' from hkp server pgp.mit.edu
gpg: key 47ACDAFB: public key "Stephan Mueller" has been imported
gpg: no absolutely trusted keys were found
gpg: total number of processed: 1
gpg: imported: 1

--recv-keys is used together with --keyserver. After importing the public key of the key pair, we can use it to verify our signature.

Run the earlier verification command (gpg --verify sign-file) again, and you can see the result of the verification.

The code is as follows:

# now we verify the signature again and get the verification result
$ gpg --verify downloaded-file-sign.asc
gpg: signature created at 18:27:27 CST on Monday, May 6, 2013, using RSA, key number 47ACDAFB
gpg: intact signature from "Stephan Mueller"
gpg: warning: this key has not been authenticated by a trusted signature!
gpg: there is no evidence that this signature belongs to the holder it claims to be.
Master key fingerprint: B0F4 2D33 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8

This result confirms at least one thing: the file has not been tampered with.

Usually we are almost done at this point.

Note, however, the warning in the output: the key used for this signature has not been authenticated as trusted. Because a public key can be published by anyone, if you really need further assurance you can contact the real publisher and confirm the key information (the fingerprint) before signing to certify it. This is a weakness of this method.

If the signature authentication has been passed, you can safely compile and install it in your own system.
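The fingerprint confirmation described above can be made a scripted check, shown here as an added example that is not part of the original article: it reads the machine-readable lines gpg prints with --status-fd and accepts a signature only when it is valid and its primary key fingerprint equals the one confirmed with the publisher. The names check_status and sample_* are hypothetical, and the sample status lines are constructed, with placeholder key IDs and signing-key fingerprints.

```shell
#!/bin/sh
# Added example (not from the article): decide from gpg status lines whether
# a signature is valid AND made by the expected key.

# Primary key fingerprint from the article's gpg output, spaces removed.
# Pin it only after confirming it with the publisher out of band.
PINNED_FPR=B0F42D3373F8F6F510D42178520A9993A1C052F8

# check_status FPR  reads "gpg --status-fd 1 --verify SIG" output on stdin and
# prints one of: trusted | wrong-key | no-pubkey | bad-signature | unsigned
check_status() {
    awk -v pin="$1" '
        $1 != "[GNUPG:]"  { next }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "NO_PUBKEY" { nokey = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint, field 12 (when
        # present) is the primary key fingerprint.
        $2 == "VALIDSIG"  { valid = 1; fpr = (NF >= 12) ? $12 : $3 }
        END {
            if (bad)                                        print "bad-signature"
            else if (valid && toupper(fpr) == toupper(pin)) print "trusted"
            else if (valid)                                 print "wrong-key"
            else if (nokey)                                 print "no-pubkey"
            else                                            print "unsigned"
        }'
}

# Constructed status output; key IDs and signing-key fingerprints are placeholders.
sample_good() { cat <<'EOF'
[GNUPG:] GOODSIG AAAAAAAA47ACDAFB Stephan Mueller
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA47ACDAFB 2013-05-06 1367836047 0 4 0 1 2 00 B0F42D3373F8F6F510D42178520A9993A1C052F8
EOF
}
sample_other_key() { cat <<'EOF'
[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Stephan Mueller
[GNUPG:] VALIDSIG BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 2013-05-06 1367836047 0 4 0 1 2 00 CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
EOF
}
sample_no_key() { cat <<'EOF'
[GNUPG:] ERRSIG AAAAAAAA47ACDAFB 1 2 00 1367836047 9
[GNUPG:] NO_PUBKEY AAAAAAAA47ACDAFB
EOF
}

for s in sample_good sample_other_key sample_no_key; do
    printf '%-17s %s\n' "$s" "$($s | check_status "$PINNED_FPR")"
done
```

Against a real download, pipe the output of gpg --status-fd 1 --verify downloaded-file-sign.asc into check_status in place of the sample functions.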

For more information about PGP, you can refer to the following website:

Wikipedia PGP

Ubuntu GPG/PGP

GnuPG, there is a zh document in MiniHOWTO in HOWTOs, which is in Chinese.

Gentoo GnuPG

The above is how to verify the integrity of downloaded files on a Linux system. The editor believes it covers some points that we may see or use in our daily work. I hope you can learn more from this article.
