mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-02-03 23:40:14 +08:00
translated
This commit is contained in:
geekpi
parent
64cd9fa249
commit
f97fcbfa23
@ -1,128 +0,0 @@
|
||||
[#]: subject: "Beginner’s Guide to Verify ISO Files in Linux"
|
||||
[#]: via: "https://www.debugpoint.com/verify-iso-files-linux/"
|
||||
[#]: author: "Arindam https://www.debugpoint.com/author/admin1/"
|
||||
[#]: collector: "lkxed"
|
||||
[#]: translator: "geekpi"
|
||||
[#]: reviewer: " "
|
||||
[#]: publisher: " "
|
||||
[#]: url: " "
|
||||
|
||||
Beginner’s Guide to Verify ISO Files in Linux
|
||||
======
|
||||
|
||||
**A simple guide to demonstrate the process of verifying ISO files in Ubuntu and other Linux distributions.**
|
||||
|
||||
Downloading operating system image files or software from the internet can sometimes pose a security risk because malicious actors can corrupt or modify files. To ensure the authenticity and integrity of downloaded files, it is necessary to verify them. In this beginner’s guide, we will walk you through verifying ISO files in Linux.
|
||||
|
||||
### What are ISO Files?
|
||||
|
||||
ISO files are commonly used for creating bootable media, installing software, and creating backups. An ISO file contains all the original application/disc data in a compressed format, allowing it to be easily downloaded and shared over the Internet.
|
||||
|
||||
For example, if you download an Ubuntu desktop, server, or any other Linux operating system, you must have encountered the files with .iso extensions. It is also used for applications or other operating systems such as Windows.
|
||||
|
||||
### Why Verify ISO Files?
|
||||
|
||||
Verifying ISO files is critical to ensure that the downloaded file is authentic and has not been modified. A modified ISO file may contain malware or viruses that can harm your system. Verifying ISO files ensures that the downloaded file is the same as the one created by the developer and has not been tampered with.
|
||||
|
||||
For example, a few years back [Linux Mint server was hacked][1] and the official ISO files were modified. Since you are downloading it from the official website, you might think that the files are genuine. But they may not.
|
||||
|
||||
Hence, it’s important for you to always verify ISO files before using them to install on your Laptop/desktop.
|
||||
|
||||
### Methods to Verify ISO Files in Linux
|
||||
|
||||
There are two commonly used methods to verify ISO files in Linux:
|
||||
|
||||
- Using SHA-256 Checksums
|
||||
- Using GPG Signature
|
||||
|
||||
#### Using SHA-256 Checksums
|
||||
|
||||
[SHA-256][2] is a cryptographic hash function that generates a unique hash value for a file. A checksum is a result of applying the SHA-256 algorithm to a file. The checksum is a unique string of characters that can be used to verify the integrity of a file.
|
||||
|
||||
To verify an ISO file using SHA-256 checksums, download the SHA-256 checksum from the developer’s website. The SHA-256 checksum file will contain the checksum value of the ISO file. You need to generate the checksum value of the downloaded ISO file and compare it with the checksum value in the SHA-256 checksum file. If the two values match, the downloaded ISO file is authentic and has not been modified.
|
||||
|
||||
#### Using GPG Signature
|
||||
|
||||
[GPG][3] (GNU Privacy Guard) is a cryptographic software that can be used to sign and verify files. A GPG signature is a digital signature that ensures the authenticity and integrity of a file. The developer signs the ISO file using their private key, and the user verifies the signature using the developer’s public key.
|
||||
|
||||
To verify an ISO file using GPG signature, you need to download the GPG signature file from the developer’s website. The GPG signature file will contain the developer’s public key and the signature of the ISO file. You need to import the developer’s public key, download the ISO file and the GPG signature file, and verify the signature of the ISO file using the developer’s public key. If the signature is valid, then the ISO file is authentic and has not been modified.
|
||||
|
||||
### How to Verify ISO Files in Linux: Examples
|
||||
|
||||
Let’s take a look at some examples of the above methods of verifying ISO files using SHA-256 checksums and GPG signatures in Linux.
|
||||
|
||||
#### Verify ISO Files using SHA-256 Checksums
|
||||
|
||||
![Example - ISO files to verify and checksum][4]
|
||||
|
||||
- I have downloaded the Linux Mint 21.1 ISO file from the [official website][5].
|
||||
- Also, I downloaded the SHA-256 text file containing the checksum for the ISO files as well (see above image).
|
||||
- Now, open a terminal and go to the directory where the ISO and SHA-256 checksum files are located.
|
||||
- Generate the SHA-256 checksum value of the ISO file using the `sha256sum` command in the terminal. For example, to generate the checksum value of the above ISO file named `linuxmint-21.1-cinnamon-64bit.iso`, run the following command:
|
||||
|
||||
```
|
||||
sha256sum linuxmint-21.1-cinnamon-64bit.iso
|
||||
```
|
||||
|
||||
- Compare the generated checksum value with the checksum value in the SHA-256 checksum file. If the two values match, then the ISO file is authentic and has not been modified.
|
||||
- Here’s a side-by-side comparison for the above ISO file.
|
||||
|
||||
![Verify ISO file using sha256sum command][6]
|
||||
|
||||
And you can be assured that the file is genuine and has not been tampered with if the checksum matches. You can use the same command for any other ISO files and checksum for verification.
|
||||
|
||||
Now, let’s see how you can verify using gpg key.
|
||||
|
||||
#### Verify ISO Files using GPG Signature
|
||||
|
||||
For the above example, I have downloaded the .gpg file alongside the ISO file from the official website.
|
||||
|
||||
The next step is to download and import the developer’s public key. You can download the public key from the developer’s website or a keyserver.
|
||||
|
||||
I used the below command to download the Linux Mint’s public key for this example. So, for your ISO file of the respective Linux distro file, look around the download page to find out the public key.
|
||||
|
||||
```
|
||||
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"
|
||||
```
|
||||
|
||||
**Note**: You can also download the public key `.asc` file (if available), and use the command `gpg --import developer_key_file.asc` to import it in your system.
|
||||
|
||||
Once this is done, run the below gpg command to verify the file.
|
||||
|
||||
```
|
||||
gpg --verify sha256sum.txt.gpg sha256sum.txt
|
||||
```
|
||||
|
||||
![Verifying ISO file using gpg keys][7]
|
||||
|
||||
If the file is genuine, you should see “Good signature” message as the output of the above command. Also, you can match the last 8bytes of the public key. The “Warning” is a generic message which you can ignore.
|
||||
|
||||
### Conclusion
|
||||
|
||||
Verifying ISO files is an essential step in ensuring the authenticity and integrity of downloaded files. In this beginner’s guide, I covered the methods and steps to verify ISO files using SHA-256 checksums and GPG signatures in Linux. By following these steps, you can download and use ISO files confidently, knowing that they have not been modified and are safe to use.
|
||||
|
||||
Remember that even if you download from the official website, you never know whether the ISO file is authentic until you verify. So, use this as a best practice.
|
||||
|
||||
[_Reference_][8]
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://www.debugpoint.com/verify-iso-files-linux/
|
||||
|
||||
作者:[Arindam][a]
|
||||
选题:[lkxed][b]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]: https://www.debugpoint.com/author/admin1/
|
||||
[b]: https://github.com/lkxed/
|
||||
[1]: https://blog.linuxmint.com/?p=2994
|
||||
[2]: https://en.wikipedia.org/wiki/SHA-2
|
||||
[3]: https://gnupg.org/
|
||||
[4]: https://www.debugpoint.com/wp-content/uploads/2023/04/Example-ISO-files-to-verify-and-checksum.jpg
|
||||
[5]: https://linuxmint.com/edition.php?id=302
|
||||
[6]: https://www.debugpoint.com/wp-content/uploads/2023/04/Verify-ISO-file-using-sha256-command.jpg
|
||||
[7]: https://www.debugpoint.com/wp-content/uploads/2023/04/Verifying-ISO-file-using-gpg-keys.jpg
|
||||
[8]: https://linuxmint-installation-guide.readthedocs.io/en/latest/verify.html
|
||||
@ -0,0 +1,129 @@
|
||||
[#]: subject: "Beginner’s Guide to Verify ISO Files in Linux"
|
||||
[#]: via: "https://www.debugpoint.com/verify-iso-files-linux/"
|
||||
[#]: author: "Arindam https://www.debugpoint.com/author/admin1/"
|
||||
[#]: collector: "lkxed"
|
||||
[#]: translator: "geekpi"
|
||||
[#]: reviewer: " "
|
||||
[#]: publisher: " "
|
||||
[#]: url: " "
|
||||
|
||||
在 Linux 中验证 ISO 文件的初学者指南
|
||||
======
|
||||
|
||||
**演示在 Ubuntu 和其他 Linux 发行版中验证 ISO 文件过程的简单指南。**
|
||||
|
||||
从互联网下载操作系统镜像文件或软件有时会带来安全风险,因为恶意行为者可能会损坏或修改文件。为保证下载文件的真实性和完整性,需要对其进行校验。在本初学者指南中,我们将引导你在 Linux 中验证 ISO 文件。
|
||||
|
||||
### 什么是 ISO 文件?
|
||||
|
||||
ISO 文件通常用于创建可启动媒体、安装软件和创建备份。ISO 文件包含压缩格式的所有原始应用/光盘数据,可以轻松下载并通过互联网共享。
|
||||
|
||||
例如,如果你下载 Ubuntu 桌面、服务器或任何其他 Linux 操作系统,你一定遇到过扩展名为 .iso 的文件。它还用于应用或其他操作系统,例如 Windows。
|
||||
|
||||
### 为什么要验证 ISO 文件?
|
||||
|
||||
验证 ISO 文件对于确保下载的文件真实且未被修改至关重要。修改后的 ISO 文件可能包含可能损害你系统的恶意软件或病毒。验证 ISO 文件可确保下载的文件与开发人员创建的文件相同且未被篡改。
|
||||
|
||||
例如,几年前 [Linux Mint 服务器被黑][1]并且官方 ISO 文件被修改。由于你是从官方网站下载的,你可能会认为这些文件是真实的。但他们可能不会。
|
||||
|
||||
因此,在使用 ISO 文件安装到你的笔记本电脑/台式机之前,始终验证 ISO 文件非常重要。
|
||||
|
||||
### 在 Linux 中验证 ISO 文件的方法
|
||||
|
||||
Linux 中校验 ISO 文件的常用方法有两种:
|
||||
|
||||
- 使用 SHA-256 校验和
|
||||
- 使用 GPG 签名
|
||||
|
||||
#### 使用 SHA-256 校验和
|
||||
|
||||
[SHA-256][2] 是一种加密哈希函数,可为文件生成唯一的哈希值。校验和是将 SHA-256 算法应用于文件的结果。校验和是一个唯一的字符串,可用于验证文件的完整性。
|
||||
|
||||
要使用 SHA-256 校验和验证 ISO 文件,请从开发者网站下载 SHA-256 校验和。SHA-256 校验和文件将包含 ISO 文件的校验和值。你需要生成下载的 ISO 文件的校验和值,并将其与 SHA-256 校验和文件中的校验和值进行比较。如果两个值匹配,则下载的 ISO 文件是真实的且未被修改。
|
||||
|
||||
#### 使用 GPG 签名
|
||||
|
||||
[GPG][3] (GNU Privacy Guard) 是一种加密软件,可用于对文件进行签名和验证。GPG 签名是一种数字签名,可确保文件的真实性和完整性。开发者使用他们的私钥签署 ISO 文件,用户使用开发者的公钥验证签名。
|
||||
|
||||
要使用 GPG 签名验证 ISO 文件,你需要从开发者网站下载 GPG 签名文件。GPG 签名文件将包含开发者的公钥和 ISO 文件的签名。你需要导入开发者公钥,下载 ISO 文件和 GPG 签名文件,并使用开发者公钥对 ISO 文件进行签名验证。如果签名有效,则 ISO 文件是真实的并且未被修改。
|
||||
|
||||
### 如何在 Linux 中验证 ISO 文件:示例
|
||||
|
||||
让我们看一下上述在 Linux 中使用 SHA-256 校验和和 GPG 签名验证 ISO 文件的方法的一些示例。
|
||||
|
||||
#### 使用 SHA-256 校验和验证 ISO 文件
|
||||
|
||||
![示例 - 要验证和校验和的 ISO 文件][4]
|
||||
|
||||
- 我已经从[官方网站][5]下载了 Linux Mint 21.1 ISO 文件。
|
||||
- 此外,我还下载了包含 ISO 文件校验和的 SHA-256 文本文件(见上图)。
|
||||
- 现在,打开终端并转到 ISO 和 SHA-256 校验和文件所在的目录。
|
||||
- 在终端中使用 `sha256sum` 命令生成 ISO 文件的 SHA-256 校验和值。例如,要生成上述名为 linuxmint-21.1-cinnamon-64bit.iso 的 ISO 文件的校验和值,请运行以下命令:
|
||||
|
||||
```
|
||||
sha256sum linuxmint-21.1-cinnamon-64bit.iso
|
||||
```
|
||||
|
||||
- 将生成的校验和值与 SHA-256 校验和文件中的校验和值进行比较。如果两个值匹配,则 ISO 文件是真实的并且未被修改。
|
||||
- 这是上述 ISO 文件的并排比较。
|
||||
|
||||
![使用 sha256sum 命令验证 ISO 文件][6]
|
||||
|
||||
如果校验和匹配,你可以确信该文件是真实的并且没有被篡改。你可以对任何其他 ISO 文件和校验和使用相同的命令进行验证。
|
||||
|
||||
现在,让我们看看如何使用 gpg 密钥进行验证。
|
||||
|
||||
#### 使用 GPG 签名验证 ISO 文件
|
||||
|
||||
对于上面的示例,我已经从官方网站下载了 .gpg 文件和 ISO 文件。
|
||||
|
||||
下一步是下载并导入开发者的公钥。你可以从开发者的网站或密钥服务器下载公钥。
|
||||
|
||||
我使用下面的命令为这个例子下载了 Linux Mint 的公钥。因此,对于相应 Linux 发行版文件的 ISO 文件,请查看下载页面以找出公钥。
|
||||
|
||||
```
|
||||
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"
|
||||
```
|
||||
|
||||
**注意**:你还可以下载公钥 `.asc` 文件(如果有),然后使用命令 `gpg --import developer_key_file.asc` 将其导入你的系统。
|
||||
|
||||
完成后,运行下面的 gpg 命令来验证文件。
|
||||
|
||||
```
|
||||
gpg --verify sha256sum.txt.gpg sha256sum.txt
|
||||
```
|
||||
|
||||
![使用 gpg 密钥验证 ISO 文件][7]
|
||||
|
||||
|
||||
如果文件是真实的,你应该会在上述命令的输出中看到 “Good signature” 消息。此外,你可以匹配公钥的最后 8 个字节。“Warning” 是一条通用消息,你可以忽略它。
|
||||
|
||||
### 总结
|
||||
|
||||
验证 ISO 文件是确保下载文件的真实性和完整性的重要步骤。在本初学者指南中,我介绍了在 Linux 中使用 SHA-256 校验和和 GPG 签名验证 ISO 文件的方法和步骤。通过执行这些步骤,你可以自信地下载和使用 ISO 文件,知道它们没有被修改并且可以安全使用。
|
||||
|
||||
请记住,即使你是从官方网站下载的,在你验证之前你永远不会知道 ISO 文件是否真实。因此,请将此作为最佳实践。
|
||||
|
||||
[_参考_][8]
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://www.debugpoint.com/verify-iso-files-linux/
|
||||
|
||||
作者:[Arindam][a]
|
||||
选题:[lkxed][b]
|
||||
译者:[geekpi](https://github.com/geekpi)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]: https://www.debugpoint.com/author/admin1/
|
||||
[b]: https://github.com/lkxed/
|
||||
[1]: https://blog.linuxmint.com/?p=2994
|
||||
[2]: https://en.wikipedia.org/wiki/SHA-2
|
||||
[3]: https://gnupg.org/
|
||||
[4]: https://www.debugpoint.com/wp-content/uploads/2023/04/Example-ISO-files-to-verify-and-checksum.jpg
|
||||
[5]: https://linuxmint.com/edition.php?id=302
|
||||
[6]: https://www.debugpoint.com/wp-content/uploads/2023/04/Verify-ISO-file-using-sha256-command.jpg
|
||||
[7]: https://www.debugpoint.com/wp-content/uploads/2023/04/Verifying-ISO-file-using-gpg-keys.jpg
|
||||
[8]: https://linuxmint-installation-guide.readthedocs.io/en/latest/verify.html
|
||||
Loading…
Reference in New Issue
Block a user