In addition to Gilles' answer, if you still have the ISO image, you could use cmp instead of checksums. It would tell you at which byte the difference happens. It would also make the check faster: if there is an error early on, it would tell you right away, whereas the checksum always has to read the entire media.
$ cmp /dev/cdrom /path/to/cdrom.iso
In case of error it should print something like this:
/dev/cdrom /path/to/cdrom.iso differ, byte 123456789, line 42
In case it's correct it should print nothing, or this:
cmp: EOF on /path/to/cdrom.iso
Which means there is more data on /dev/cdrom than in the ISO, most likely zero-padding.
Even before starting any comparisons, you could check the size.
$ blockdev --getsize64 /dev/cdrom
123456999
$ stat -c %s /path/to/cdrom.iso
123456789
If it's identical, the checksum should match also. If /dev/cdrom is larger, it should be zero padded at the end. You could check that with hexdump. Use the ISO size for the -s parameter.
$ hexdump -s 15931539256 -C /dev/cdrom
3b597ff38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
3b597fff8 00 00 00 00 00 00 00 00 |........|
hexdump is also useful for having a look at differences at any other position in a file, in case damage was caused deliberately by something.
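The size check, the cmp comparison and the zero-padding check from the answer above can be combined into one function. This is an added example, not part of the original answer; the names verify_media and media_size and the return codes are assumptions made for it.

```shell
#!/bin/sh
# Added example: compare written media against the source ISO.
# After sourcing: verify_media /dev/cdrom /path/to/cdrom.iso

# Size in bytes. stat reports 0 for a block device, so use blockdev there.
media_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        stat -c %s "$1"
    fi
}

# Return codes (assumed for this example):
#   0  media matches the ISO (trailing zero padding is accepted)
#   1  content differs within the ISO's length (cmp prints the byte offset)
#   2  media is shorter than the ISO
#   3  media holds non-zero data past the end of the ISO
#   4  a size could not be read
verify_media() {
    dev=$1
    iso=$2
    dev_size=$(media_size "$dev") || return 4
    iso_size=$(media_size "$iso") || return 4

    if [ "$dev_size" -lt "$iso_size" ]; then
        return 2
    fi

    # Feed cmp only the first iso_size bytes so padding on the media does
    # not produce "EOF on ..."; cmp still stops at the first difference.
    head -c "$iso_size" "$dev" | cmp - "$iso" || return 1

    # Everything after the ISO's length must be zero bytes: delete the
    # zeros and count what is left.
    if [ "$dev_size" -gt "$iso_size" ]; then
        extra=$(tail -c +"$((iso_size + 1))" "$dev" \
            | tr -d '\000' | wc -c | tr -d ' ')
        [ "$extra" -eq 0 ] || return 3
    fi
    return 0
}
```

A return code of 3 is the case worth inspecting with hexdump at the ISO size offset, since it means the media carries data the image does not.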
transmission has a tool for that:
$ transmission-show debian-stretch-DI-rc1-amd64-netinst.iso.torrent
Name: debian-stretch-DI-rc1-amd64-netinst.iso
File: debian-stretch-DI-rc1-amd64-netinst.iso.torrent
GENERAL
Name: debian-stretch-DI-rc1-amd64-netinst.iso
Hash: 13d51b233d37965a7137dd65858d73c5a2e7ded4
Created by:
Created on: Fri Jan 13 12:29:09 2017
Comment: "Debian CD from cdimage.debian.org"
Piece Count: 1184
Piece Size: 256.0 KiB
Total Size: 310.4 MB
Privacy: Public torrent
TRACKERS
Tier #1
http://bttracker.debian.org:6969/announce
FILES
debian-stretch-DI-rc1-amd64-netinst.iso (310.4 MB)
Another one would be intermodal, which besides showing metadata can also create and verify it: https://rodarmor.com/blog/intermodal
Best Answer
You need to verify that the hash matches the downloaded image, and then verify that the hash was signed by an official Debian key - as explained in this blog post.
Verify that the hash matches the image (neither of these commands should print anything):
Verify the hash is properly signed. You'll probably have to do it twice: once to get the key ID, and again after you have downloaded the public key. The command output should look a lot like this:
Verify that the key fingerprint (the last printed line) is legitimate. Ideally, you should do this via a web of trust. However, you can check the key fingerprint against the keys listed on Debian's secure web site (HTTPS).