In this post I’ll be covering what is and how to MD5SUM and SHA256SUM (which is essentially a more secure version of MD5SUM).
Before we get into how to create and verify an MD5SUM, we’ll cover what exactly it is. MD5 is (surprise, surprise!) the successor to MD4, which is a cryptographic hash function that creates a 128 bit hash value. Despite it being a cryptographic function, it’s security has been severely compromised over the years to the point where it’s purpose is not to be used for security purposes, but instead as a small (32 hexadecimal values) digital fingerprint of a file.
As an example, say you are transferring a file over a network, want to check it against disk errors or other transfer errors such as disk-to-disk copying, an MD5SUM of the file before (in it’s “correct” state) checked against it’s MD5SUM after should match. If they do not, then the file has been altered in some way. If security is a requirement (i.e. you suspect malicious tampering could occur), you should use the SHA256SUM instead.
Now let’s actually see how to use an MD5SUM and SHA256SUM. For my examples I’m going to an ISO file available from Ubuntu’s website here:
The ISO file I’m using is:
For which the MS5SUMs and SHA256SUMs are located at the following locations:
To create an MD5SUM or SHA256SUM from our file, simply issue the appropriate command:
md5sum ubuntu-12.04.2-desktop-amd64.iso sha256sum ubuntu-12.04.2-desktop-amd64.iso
And the utility will calculate the appropriate sum and output it to the terminal (the md5sum is listed first, sha256sum second):
b436b6d4c7de064652f30d783bda5b4e ubuntu-12.04.2-desktop-amd64.iso 980042c434321c67a0cd10e043aec6376bf9d1008179f47ac781bbaf732051cc ubuntu-12.04.2-desktop-amd64.iso
To check that these are correct (i.e. the files match and there is no corruption, transmission errors, tampering, etc.) you can visually verify them character for character against the sums provided above. Or, you can download (or create) a plain text file with its contents as the sums (i.e. just download the m5sum and sha256 sum files to your hard drive) and run the appropriate command below:
md5sum -c MD5SUMS sha256sum -c SHA256SUMS
Note that in the above commands, the files containing the sums are called “MD5SUMS” and “SHA256SUMS” respectively. Since each of these files contains the sums for all the different distros available in that particular release, you will get quite a few lines that look like this:
md5sum: ubuntu-12.04.2-alternate-amd64.iso: No such file or directory ubuntu-12.04.2-alternate-amd64.iso: FAILED open or read md5sum: ubuntu-12.04.2-alternate-i386.iso: No such file or directory ubuntu-12.04.2-alternate-i386.iso: FAILED open or read
sha256sum: ubuntu-12.04.2-alternate-amd64.iso: No such file or directory ubuntu-12.04.2-alternate-amd64.iso: FAILED open or read sha256sum: ubuntu-12.04.2-alternate-i386.iso: No such file or directory ubuntu-12.04.2-alternate-i386.iso: FAILED open or read
Note that this is normal because (in my example) I only have the file “ubuntu-12.04.2-desktop-amd64.iso” on my desktop and not any of the others. What I am looking for are the line that look like this in both the MD5SUM and SHA256SUM:
Which tells me that the files are intact and unchanged from their original form on Ubuntu’s servers. That’s pretty much it for MD5SUMs and SHA256SUMs, if you start using these, it should save headaches down the road (and cd coasters) from things like corrupted downloads.