Edited 3 weeks ago by ExtremeHow Editorial Team
Verifying checksums is an important process when downloading software or files from the Internet. Checksums allow you to make sure that the file you downloaded is exactly what you intended to download, without any corruption and without any changes. Many software distributions provide checksums with their downloads. These are typically provided in MD5, SHA-1, or SHA-256 hash formats. This verification process is quite simple on Ubuntu, a popular Linux distribution. In this guide, we are going to take a detailed look at how to verify MD5, SHA-1, and SHA-256 checksums on Ubuntu systems.
A checksum is a sequence of numbers and letters created by running a specific algorithm on a file. It acts as a digital fingerprint or unique value of the file. This unique digital fingerprint changes when the file is changed.
When a developer provides a checksum for a file, they are giving you a way to double-check that the file hasn't been tampered with or become corrupted during the download process. MD5, SHA-1, and SHA-256 are part of a family of hash functions that can take input and create a fixed-size string of bytes. This fixed-size string is the checksum.
Before we dive further into the instructions, make sure you have a terminal open and ready on your Ubuntu system. This exercise includes command-line instructions.
When you download a file, check if the website provides an MD5 checksum. This will usually be listed along with the download link. It may look something like this:
c157a79031e1c40f85931829bc5fc552
Once you know the MD5 checksum provided by the source, you need to generate the checksum of your downloaded file. Open your terminal and run the following command:
md5sum path_to_your_file
Replace path_to_your_file with the path to the file you downloaded. For example, if the file is in your Downloads folder, the command would look like this:
md5sum ~/Downloads/filename.ext
After running the command, the terminal prints the computed MD5 checksum followed by the file name. Compare this generated string with the string provided by the source. If both strings match, the file is uncorrupted and unchanged.
Just like with MD5, take note of the SHA-1 checksum listed on the download page. It should look something like this:
2bb80d539a9f7e2e2d20b4508f6a3eed17abe1df
Run the following command in your terminal to generate a SHA-1 checksum:
sha1sum path_to_your_file
As before, replace path_to_your_file with the actual path to your file. Here's an example:
sha1sum ~/Downloads/filename.ext
After executing the command, the output should provide a string that you will compare with the SHA-1 checksum provided by the source. Equality between the two indicates a successful file integrity verification.
SHA-256 checksums are often provided for software downloads. A typical SHA-256 checksum looks something like this:
ca978112ca1bbdcafac231b39a23dc4da786eff8167a7e8820bde9681d23beaa
To create a SHA-256 checksum of your file, execute the following command:
sha256sum path_to_your_file
Again, replace path_to_your_file with the path to the file you want to check. For example:
sha256sum ~/Downloads/filename.ext
The tool will provide a checksum that you must compare with the checksum listed by the source. Matching the checksum means you have a correct, uncorrupted file.
There are a few things to keep in mind when working with checksums. First, checksum verification will not provide information about the authenticity of the file. Instead, it only verifies whether the file has been changed or corrupted during transit. Always make sure you are downloading files from a trusted source.
Also, while MD5 and SHA-1 checksums are widely used, remember that they are outdated in terms of security, especially MD5. Practical collision attacks exist for both, so they still catch accidental corruption but should not be relied on to detect deliberate tampering. Modern practice prefers SHA-256, for which no practical collision attack is known. Wherever possible, prefer the SHA-256 checksum when performing your verification.
If you frequently download and verify files, consider automating this process using a shell script. Below is a basic example of a shell script that verifies an MD5 checksum:
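#!/bin/bash
# Ask for the file and for the checksum published by the source.
read -r -p "Enter the path to the file: " filepath
read -r -p "Enter the provided MD5 checksum: " expected_checksum
# Quote the path so names containing spaces work; keep only the hash field.
calculated_checksum=$(md5sum -- "$filepath" | awk '{ print $1 }')
# md5sum prints lowercase hex, so lowercase the expected value before comparing.
# An empty result (unreadable file) must never count as a match.
if [ -n "$calculated_checksum" ] && [ "$calculated_checksum" = "${expected_checksum,,}" ]; then
    echo "Checksums match. File is verified."
else
    echo "Checksums do not match. File may be corrupted or altered."
fi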
Save the above script to a file, make it executable using chmod +x scriptname.sh, and run it to simplify checksum verification.
When verifying the checksum, you may encounter some problems. Here are some common problems and their solutions:
sudo apt-get install coreutils
to install them.
Verifying checksums such as MD5, SHA-1, and SHA-256 on Ubuntu is an essential step in maintaining file integrity. It protects you from corrupted downloads and potential security risks. Although simple, this process enhances data security to a great extent. Whenever you download important files or software, make it a habit to verify the checksums and ensure you are getting valid, unaltered data.