Most Linux distributions come with the sha256sum utility (on Ubuntu it is part of the coreutils package). You should verify this file using the PGP signature, SHA256SUMS.gpg (such as ) as described in VerifyIsoHowto. See the SHA-256 checksum file for the release you're using under, such as. The SHA-256 hash must be signed or come from a secure source (such as a HTTPS page or a GPG-signed file) of an organization you trust. In terms of security, cryptographic hashes such as SHA-256 allow for authentication of data obtained from insecure mirrors. It is a very good idea to run an SHA-256 hash comparison check when you have a file like an operating system install CD that has to be 100% correct. The possibility of changes (errors) is proportional to the size of the file the possibility of errors increase as the file becomes larger.
SHA-256 serves a similar purpose to a prior algorithm recommended by Ubuntu, MD5, but is less vulnerable to attack.Ĭomparing hashes makes it possible to detect changes in files that would cause errors.
SHA-256 hashes used properly can confirm both file integrity and authenticity. The program sha256sum is designed to verify data integrity using the SHA-256 (SHA-2 family with a digest length of 256 bits).
