Release file verification

From VyOS Wiki
Jump to: navigation, search

You should verify downloaded release integrity and authentivity to ensure your file was not corrupted or modified.

Checksum verification

Cryptographic hash functions are used to verify file integrity, i.e. to check it was not corrupted at download time.

VyOS uses SHA-1 sums.

Linux

Download file named "sha1sums" from your release directory.

Suppose you want to verify "vyos-1.0.2-i386.iso":

$ grep vyos-1.0.2-i386.iso ./sha1sums | sha1sum -c -
vyos-1.0.2-i386.iso: OK

If your file is corrupted, you will get something like:

$ grep vyos-1.0.2-i386.iso ./sha1sums | sha1sum -c -
vyos-1.0.2-i386.iso: FAILED
sha1sum: WARNING: 1 computed checksum did NOT match

You also may verify all files in a directory at once:

sha1sum -c ./sha1sums

Mac OS X

Same to Linux, but the utility is called "shasum".

Windows

Use FCIV: http://support.microsoft.com/kb/841290. FCIV uses its own XML-based format for storing checksums, so you'll have to verify it visually or convert first.

Note

Hash functions allow to verify your files was not corrupted during transmission, but not that it was not replaced along with the sums file (e.g. if download server was compromised). You need to use digital signatures for that.