Debian Now Offering SHA-512 Checksums For ISOs

As I'm sure many of you have noticed, I tend to use SHA-512 rather than SHA-256. Most distros haven't yet started offering SHA-512 checksums with their ISOs, though most do offer SHA-256 checksums (it's the current standard). I went to prep for a download of Debian 8.6.0 (hoping to download tonight), and noticed they now offer a SHA512SUM file ( http://cdimage.debian.org/debian-cd/8.6.0/amd64/iso-cd/SHA512SUMS ). Not sure when they started doing this exactly, but I for one appreciate it , so thanks to who-ever made this happen. I suspect it will be several years before most other distros start to, and that's assuming SHA-3 doesn't step in by then.
 

I use SHA256 for Linux Mint, though can be tricky to find. While some prefers to examine the file on disk, I prefer copy/paste the checksum in download manager & select SHA256. If it's not right, the download will be aborted, if right, it's deposited where desired.

Hopefully Linux Mint will go to the SHA512 checksum. 

BTW, here are all of the Linux MInt 18 SHA256 checksums. 

https://ftp.heanet.ie/mirrors/linuxmint.com/stable/18/sha256sum.txt

In case the page doesn't post, they're listed below with a link to cover my back.

=========================================================================================

3fb60a7698f5d80e68526016da3e4455d8a19be6b1cb0eeb5b59dbdd8cf1ffb3 *linuxmint-18-cinnamon-32bit.iso
2238dca5b51f9e2674a7e31c46f19141fbdecff6e44c06ecbc9a7bb59b75a816 *linuxmint-18-cinnamon-64bit.iso
ff8bacc631e7955fc6b0f86c9014ce27aa455e3ee0913de0b2bc6c366b63c693 *linuxmint-18-kde-32bit.iso
87d834c13fb3e03a9c1111a9f3cec50a65c05d36247bfb6c36442c2d8a2b2484 *linuxmint-18-kde-64bit.iso
d064397cd185fa4a91fd6db4ff42f105c121a7607691797325323135713a8810 *linuxmint-18-mate-32bit.iso
c634f48b248489eef782067484a04978f046e9ccd507d9df35c798a1db9bef22 *linuxmint-18-mate-64bit.iso
9f3a4040181dcfbc027910ead361dbaf7cc3e90949ebeac0722c7e7d55fda837 *linuxmint-18-xfce-32bit.iso
2151852abb34bd62350fab807acc04b3f337d928c7c8092aebea7d0524587acf *linuxmint-18-xfce-64bit.iso

• Link to the sums: sha256sum.txt

=========================================================================================

I'll readily admit, at one time, up until that Linux Mint Cinnamon deal, wasn't checking all of my Linux Mint ISO's, and for the first 5 years, never checked the first one. That has now changed, each & every one of us are personally responsible for our security. There are free download managers as extensions with the ability to check once the download is complete (it's doing the work for you), it's up to you to take charge & accept the offer. For Linux Mint 18 users, I've led everyone to water, though can't force one to drink. That decision rests upon the user.

Cat

To clarify on the poll question ...   ... It's true that I don't bother checking the installation package because I trust the source location (and know that I could very well be bitten by this), but these occurrences are very rare.  Most of the time, I install from the port tree (FreeBSD), and the checksum verification is automatic.  So in a way, it's 'Yes' and 'No'.

I didn't worry about checksums before a few weeks ago. For whatever reason I wound up with a bad copy of Linux Mint MATE and had a few issues until it was pointed out to me to verify the integrity of the install files. Turns out that it wouldn't pass the check, corrupt files for some reason or another. Next download (Linux Mint Cinnamon) that I did, I made to sure to verify immediately after downloading. Worked like a charm and I'm believer now.

Edit: Should probably note that I'm a complete Linux noob, and this experience will probably see me checking all of my distro downloads from now on.

Edited by Jeremy_C, 05 October 2016 - 04:04 PM.

SHA-256 Here, and I voted!  I just choose the best easiest that's available, no PGP for me.  

@Jeremy_C, I had a worse experience when first starting here with Linux and that is why I always suggest doing this, and so does the Linux Mint site, and most other sites by the way.  I didn't even have an internet connection when I started all this, and did most of it from a Public Library.  In doing so, the library has the worst connection you can imagine, but I did not know this at the time.  It would constantly skip a little.  Most folks didn't even know it, but with downloads, it would break the download.  That's when cat1092 told me about DownThemAll FF Extension.  And started using GtkHash etc.  I Always check them, internet connections are never 100% guaranteed.  If just one little file gets corrupted you will have wasted much time with installs and others helping to fix Ghost Issues.  I helped a guy on another forum with the "Integrity Check" and he said it showed many Errors.  He then found out that ALL of his iso downloads were bad! as were mine using that Public Library.  That library is still bad till this day.  I truly don't understand how such a nice City Library could be so bad in one of the most popular city's in South Florida? but it is.

What exactly are we checking? Are we verifying that the download was good OR are we checking that the ISO wasn't tampered with?

You should never get the checksums from the same site as the ISO, Why?

Because if the bad guys are smart enough to hack a website and replace the ISO they are also smart enough to change the checksum numbers posted on that site, To be sure you have to check the checksums also.

If all you are doing is verifying that it was a good download then MD5 is also good enough.

Another SHA-256 user here.

As Nick says, if you're checking to make sure your download copy hasn't been tampered with, you'll first need to independently verify the checksum to ensure it's "kosher" before you rely on it to detect any tampering. 

That's why the SHA256 checksums above wasn't listed on the download page, rather that of the Linux Mint Blog on this page.

http://blog.linuxmint.com/?p=3052

There is where the link to the above SHA256 checksums can be found, copy/paste into a download manager for verifying at end of download & be sure to select SHA256. If it's off, the download won't complete. This is also why it's best to double check the SHA256 checksum for your distro & make sure the download manager is set to look for that checksum.

Cat

As several users have mentioned, when ruling out tampering, it's good to get checksums from a different source, more than one source if possible. However, this isn't always possible, which is why some distros also offer PGP signed checksum files, or PGP sigs for the ISOs. Of course those are only helpful if you already have (or have a way of finding) the legitmate PGP public key being used to sign the ISOs.

 

 

 They put all their checksums in a single file.

That's similar to what Linux MInt does, and the page or site that the SHA512 checksums are on a different site than the download one & are tricky to find. 

Took me close to a week to discover the site buried in the fine print, which is the real Linux Mint Community site, not that were the downloads are listed, nor their main forum (which is outsourced). I suspect that while not impossible, it would be very hard to 'spoof' a fake SHA512 download, being the the checksums are on a different site altogether, unless one's router/modem has been hijacked to redirect traffic when previously visiting dubious sites. The only one that still shows as MD5 is LDME (Linux Mint Debian Edition), which I downloaded the MATE version last night, will test in a VM. Then figure in there how to properly partition the drive to have a very small swap, 50GiB root (giving more space as it's a continual release), and the rest of the 500GiB HDD as /home. 

I'll have to learn the ropes a bit on Debian before installing to SSD, though eventually will, once I become comfortable with the OS & how it's installer works. 

Wonder why LMDE didn't offer a SHA512 checksum? MD5 checksums are like dollar store padlocks, we get what we pay for. Speaking of the latter, I would had very gladly paid $5 for a SHA512 checksum for their troubles to provide one, while Linux is free (other than having another install the OS if needed), distributors reserves the right to charge for delivery methods, including secure ones.

Makes me wonder if Linux Mint are putting their best feet forward with their Debian Edition (choice of Cinnamon & MATE), being LMDE is likely the least popular of their distro family.

Cat