Checksum different than previously posted online - should it be?


Go to solution Solved by busterrr3x,

Recommended Posts

Last week I downloaded the checksum for armbian20.05.2_Orangepiplus2e_buster_current_5.4.43_desktop.img.xz and checked the checksum that came with the download. The .img checksum downloaded with the image and the checksum I ran were the same. When I check the online checksum here on armbian.com under downloads, sha, TODAY, the checksum is different. 

 

Is there any reason for me to believe that my original checksum and download may have been corrupted? I realize I can just re-download the image now, but whose to say that the one posted now is correct and not the previous one (while maybe both correct/fine)?

 

I know that checksums can change over time, assuming there has been an update or something; read about this somewhere. 

 

Thanks. 

Edited by busterrr3x
Link to post
Share on other sites

Armbian is a community driven open source project. Do you like to contribute your code?

Hi Igor, thanks. But I'm not sure I understand. I'm using buster and those links are for bionic. But I will test what I think you may be trying to say. 

 

My guess is that the best thing is to verify the checksum signature.  I thought there was a link on armbian.com for that, but don't seem to be able to find it. 

 

I also recall having some trouble figuring out how to do it. Anyway, could you provide a link for instructions?

Thanks

Link to post
Share on other sites

3 hours ago, busterrr3x said:

Hi Igor, thanks. But I'm not sure I understand. I'm using buster and those links are for bionic.

 

Sorry, I mixed but its the same. Replace Bionic with Buster in the URL and try.

 

3 hours ago, busterrr3x said:

My guess is that the best thing is to verify the checksum signature. 

 

First is data integrity checking

https://docs.armbian.com/User-Guide_Getting-Started/#how-to-check-download-integrity

, while signature is authenticity checking - if image was made by us:
https://docs.armbian.com/User-Guide_Getting-Started/#how-to-check-download-authenticity

Link to post
Share on other sites

Thanks Igor. 

 

As for trying to verify the signature - I'm getting closer, but apparently still doing something incorrect. 

 

I have in the same directory: the ".img" and the ".asc", and nothing else. I open a terminal there and then run the following:

 

$ sudo gpg --verify Armbian_20.05.2_Orangepiplus2e_buster_current_5.4.43.img.xz.asc [sudo] password for b:

 

OUTPUT: gpg: no signed data gpg: can't hash datafile: No data 

 

Or is the output for signature telling me the checksum is not valid? 

 

=========================================================================== 

 

DOWNLOADING YOUR PUBLIC KEY: (I don't know why, but your public key almost never downloads/imports; I got lucky importing it once out of many tries; wish I knew why...)

 

# download public key from the database

sudo gpg --keyserver ha.pool.sks-keyservers.net --recv-key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5

 

OUTPUT: sudo gpg --keyserver ha.pool.sks-keyservers.net --recv-key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5 gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: key 93D6889F9F0E78D5: public key "Igor Pecovnik <igor@armbian.com>" imported gpg: Total number processed: 1 gpg: imported: 1

 

Thanks. 

Edited by busterrr3x
Link to post
Share on other sites

Hi Igor. I loaded the key before anything else, your key ...import, if that's what you mean. 

 

After I import your key with the command line, is there anything else I need to do, such as with my 'key management - KGpg' .... "import keys". 

 

The command said it was imported, but I don't know where to check to see if yours is there; not sure if I'm supposed to be able to see it...?

 

Thanks. 

Edited by busterrr3x
Link to post
Share on other sites

I don't know what you are doing wrong. I just recreated on a clean build:
 

gpg --keyserver ha.pool.sks-keyservers.net --recv-key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 93D6889F9F0E78D5: public key "Igor Pecovnik <igor@armbian.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

wget https://redirect.armbian.com/odroidn2/Bionic_current_desktop
wget https://redirect.armbian.com/odroidn2/Bionic_current_desktop.asc

gpg --verify Bionic_current_desktop.asc 
gpg: assuming signed data in 'Bionic_current_desktop'

gpg: Signature made tor 01 sep 2020 20:30:24 CEST
gpg:                using RSA key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5
gpg: Good signature from "Igor Pecovnik <igor@armbian.com>" [unknown]
gpg:                 aka "Igor Pecovnik (Ljubljana, Slovenia) <igor.pecovnik@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF00 FAF1 C577 104B 50BF  1D00 93D6 889F 9F0E 78D5

 

Link to post
Share on other sites

8 hours ago, busterrr3x said:

The 'desktop-image' doc I was comparing the '.asc-doc' against was NOT a desktop image. Changed it and it worked. 

 

Thx

TO CLARIFY: actually, the 'formula' ran and gave a typical output whereas before it did not, so that was a success in itself. However, I did get a 'bad signature'. But at least I am now comfortable checking the signature, so it was still a success :)

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
 Share

0