In this tutorial, we will learn how to use the sha256sum command to check the integrity of a file (which we will call a message ) following a download. Thanks to this command, we will obtain this file’s fingerprint, also called “checksum.”
If a file no longer has the same footprint after being transferred from machine A to machine B, this calls into question its integrity. This means that the file could have been altered intentionally or accidentally. The file may have been corrupted when downloading a file due to packet loss linked to the local network or a malfunction on the server transmitting the file. Conversely, if the fingerprint of the downloaded file is identical to that of the original file, it can be said that the integrity has been preserved. We can say that the version of the file stored on the server is identical, down to the bit, to the one stored on our machine: the file can be used with complete peace of mind.
II. Using the sha256sum command
When you download a software executable or an ISO image, it is common to have access to the SHA256 sum (or possibly SHA1 or MD5) of the file. The publisher makes this information available so that the integrity of the downloaded file can be verified.
Let’s take the example of Ubuntu, whose ISO images can be downloaded on this page:
If we click ” Ubuntu 23.04 (Lunar Lobster) “, we will have access to a list of files. In the context of this example, there are two files of particular interest:
- SHA256SUMS: it provides access to the SHA256 fingerprint of several files made available on this download page
- ubuntu-23.04-desktop-amd64.iso: the ISO image for the Ubuntu Desktop installer
If we look at the contents of the SHA256SUMS file, we see that there is the SHA256 checksum of several files, including the file ” ubuntu-23.04-desktop-amd64.iso “.
Now, you can download the file from a Linux machine with wget (or another way…):wget https://releases.ubuntu.com/lunar/ubuntu-23.04-desktop-amd64.iso.
A few minutes later, the download is complete! I have the Ubuntu ISO image in my possession. But did the file maintain its integrity during download?
The only way to know is to compare the value provided on the Ubuntu site with that obtained if we calculate the footprint on the local version of the ISO file. To do this, we will use the sha256sum command, like this:sha256sum ubuntu-23.04-desktop-amd64.iso
A few seconds later, the information is returned:
The fingerprint between the two files (server version and local version) is identical! This means that the integrity of my file has been preserved! My version is strictly identical to the one stored on the servers of Canonical, the Ubuntu publisher.
Note that you can also obtain the SHA256 fingerprint of several files. This is useful if you need to compare the value between two files:sha256sum file1.txt file2.txt
Now, when you download a file, and the publisher provides you with the SHA256 fingerprint, you can verify its integrity before using it!