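Overview
When downloading images or installers you will often see MD5, SHA-1, SHA-256 and signature files listed alongside them. These files let us verify that the downloaded file has not been corrupted or tampered with, and that it is authentic. Hash values can be verified with commands built into Windows, macOS and Linux. File signatures can be verified with the gpg tool.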
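Integrity verification
File hashes are used to determine whether a file was corrupted after being downloaded or moved; MD5, SHA1, SHA256, SHA224, SHA384 and others can be used. In my day-to-day work I use MD5, to determine whether the files of a given version have been modified.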
Linux
md5sum, sha1sum, sha256sum
```
md5sum /path/to/file
sha1sum /path/to/file
sha256sum /path/to/file
```
Windows
certutil, Get-FileHash (requires Windows PowerShell)
```
certutil -hashfile yourfilenameaddress MD5
certutil -hashfile yourfilenameaddress SHA1
certutil -hashfile yourfilenameaddress SHA256
```
```
Get-FileHash C:\path\to\file.iso -Algorithm MD5
Get-FileHash C:\path\to\file.iso -Algorithm SHA1
Get-FileHash C:\path\to\file.iso -Algorithm SHA256
Get-FileHash C:\path\to\file.iso -Algorithm SHA384
Get-FileHash C:\path\to\file.iso -Algorithm SHA512
# The next two algorithms are accepted by Windows PowerShell but not by PowerShell 6 and later
Get-FileHash C:\path\to\file.iso -Algorithm MACTripleDES
Get-FileHash C:\path\to\file.iso -Algorithm RIPEMD160
```
macOS
md5, shasum
```
md5 /path/to/file
# shasum defaults to SHA-1 when no -a option is given
shasum /path/to/file
shasum -a 1 /path/to/file
shasum -a 256 /path/to/file
```
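Authenticity verification
This is done with the gpg tool and takes two main steps:
- Import the public key
- Verify
To get rid of the warning, you can set the trust level of the corresponding public key.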
Windows
```
gpg: Signature made 06/25/19 11:35:48 中国标准时间
gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
gpg: Good signature from Greg Kroah-Hartman <gregkh@linuxfoundation.org> [unknown]
gpg: aka Greg Kroah-Hartman <gregkh@kernel.org> [unknown]
gpg: aka Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com> [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E
```
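The line "Good signature from Greg Kroah-Hartman <gregkh@linuxfoundation.org>" in the output above indicates that signature verification succeeded.
Removing the warning
Create your own OpenPGP key pair (you will be asked to enter a passphrase).
In the main panel, select the public key, then right-click and choose Certify. After re-verifying the signature, the warning no longer appears: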
```
gpg: Signature made 06/25/19 11:35:48 中国标准时间
gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
gpg: Good signature from Greg Kroah-Hartman <gregkh@linuxfoundation.org> [full]
gpg: aka Greg Kroah-Hartman <gregkh@kernel.org> [full]
gpg: aka Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com> [full]
```
Linux
Use the gpg2 tool; if it is not installed, it can be installed with apt or yum. The verification below was done on CentOS 7:
Fetch and import the relevant public keys
```
gpg2 --search-keys gregkh@kernel.org
gpg2 --search-keys torvalds@kernel.org
gpg2 --locate-keys torvalds@kernel.org gregkh@kernel.org
```
Decompress the archive
```
unxz -v linux-5.1.15.tar.xz
```
```
gpg2 --verify linux-5.1.15.tar.sign
```
The output shows the fingerprint of the key that made the signature, which is used to determine whether the signature is correct.
```
[root@centosgpt srv]# gpg2 --verify linux-5.1.15.tar.sign
gpg: Signature made Tue 25 Jun 2019 11:35:48 AM CST using RSA key ID 6092693E
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: Good signature from Greg Kroah-Hartman <gregkh@linuxfoundation.org>
gpg: aka Greg Kroah-Hartman <gregkh@kernel.org>
gpg: aka Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E
```
- Set the trust level of the imported key:
```
gpg2 --edit-key gregkh@kernel.org
```
- Enter trust and choose 5 = I trust ultimately
```
[root@centosgpt srv]# gpg2 --verify linux-5.1.15.tar.sign
gpg: Signature made Tue 25 Jun 2019 11:35:48 AM CST using RSA key ID 6092693E
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: Good signature from Greg Kroah-Hartman <gregkh@linuxfoundation.org>
gpg: aka Greg Kroah-Hartman <gregkh@kernel.org>
gpg: aka Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>
```
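"Good signature" only says that some key in the local keyring made the signature, so an automated check should also compare the fingerprint, which works regardless of the trust level set on the key. The following Python code is an added example, not part of the original post: it reads gpg's machine-readable `--status-fd` output and accepts a file only when exactly one valid signature comes from the fingerprint shown in the output above; the names `check_status`, `verify`, `PINNED_FPR` and the sample status lines are constructed for illustration.

```python
import subprocess
import sys

# Primary key fingerprint shown in the gpg output on this page.
PINNED_FPR = "647F28654894E3BD457199BE38DBBDC86092693E"
# Status keywords after which the signature must be rejected.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample of `gpg --status-fd 1 --verify` output (not a real capture).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 38DBBDC86092693E Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[GNUPG:] VALIDSIG 647F28654894E3BD457199BE38DBBDC86092693E 2019-06-25 1561433748 0 4 0 1 8 00 647F28654894E3BD457199BE38DBBDC86092693E
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def check_status(status_text, pinned_fpr=PINNED_FPR):
    """True only if gpg reported exactly one valid signature made by pinned_fpr."""
    pinned = pinned_fpr.replace(" ", "").upper()
    valid = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue  # not a machine-readable status line
        keyword, args = parts[1], parts[2:]
        if keyword in REJECT:
            return False
        if keyword == "VALIDSIG" and args:
            # First field: fingerprint of the key that signed;
            # last field: fingerprint of its primary key.
            valid.append({args[0].upper(), args[-1].upper()})
    return len(valid) == 1 and pinned in valid[0]


def verify(sig_path, data_path, pinned_fpr=PINNED_FPR, gpg="gpg2"):
    """Run gpg on a detached signature and check its status output."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return proc.returncode == 0 and check_status(proc.stdout, pinned_fpr)


if __name__ == "__main__":
    # With two arguments, verify real files; with none, check the sample.
    ok = verify(*sys.argv[1:3]) if len(sys.argv) == 3 else check_status(SAMPLE_STATUS)
    print("OK: valid signature from pinned key" if ok else "REJECTED")
    sys.exit(0 if ok else 1)
```

Run it as `python3 script.py linux-5.1.15.tar.sign linux-5.1.15.tar` after importing the key; the pinned fingerprint should be confirmed through a channel other than the download itself.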