Seeking a way to do a checksum for img and not for img.xz

[armvsdeb]

I like armbian-debian but don't like that i can only do the checksum for the 'img.xz' and not the actual image. Once i extract the .img from the img.xz, i don't see how i can check the actual .img since there is no checksum for it; even though it is very difficult for malware to get on the .img, it is possible.  I realize that if the .img.xz's checksum is good, then the .img image is good. But once I expose the .img to my computer, if there is malware unknowingly present, then the .img could become infected and I have no way to check it. 

 

My orangepiplus2e is 32-bit. 

 

Thanks

Edited January 14, 2021 by _r9
32-bit

[Werner]

8 minutes ago, armvsdeb said:

Once i extract

Then simply don't? The recommended and supported tools for writing the image to a microSD card can be fed with the compressed image and write it directly.

[Igor]

35 minutes ago, armvsdeb said:

But once I expose the .img to my computer, if there is malware unknowingly present, then the .img could become infected and I have no way to check it. 

Since when its Armbian problem if your computer is infected by malware?

[armvsdeb]

Well, certainly true, but given that everyone's computer might have malware on it, unknowingly, having the checksum for the actual image allows you to check the checksum before and after converting the .img to an actual OS. Good point!

[Heisath]

Is it just me, or did we have the exact same question a few weeks/month ago already?

 

EDIT: Found it! 

 

 

 

[arox]

If you don't trust the machine you used for decompressing image, then use the newly installed machine to download and decompress another time after install and make a diff with the used image - unless you think the compress or diff binary may have been altered to fool you ...

 

You might also think that the checksum utility or the installer have been altered on the installation machine and on decompressed image ... Then, you should install an install machine from scratch (source compile) after visually checking each file and not connect it to any network ...

 

Security is important, but we all tend to alternate between lazy and crazy approach. When I installed X25 (wide area packet network) for the first time on a DEC machine more than 30 years ago, I realized that I offered access to 50 millions of french Minitel users to my systems thru phone network with the automatically configured PAD option (character mode access) and in reverse charge, with the well known privileged accounts used by maintenance (field/service, systest/uetp) which nobody ever changed or recommended to change !

 

Of course, it was a long time ago and nobody could ever imagine it could already exist **maintenance** access on the Internet box you use for DHCP or DNS on your LAN ... I use my box just as a modem behind a firewall and so I trust my installation machine.