Verifying secure hash on Mac OS X

I decided to upgrade Linux on my dev box this weekend. The upgrade crashed in the middle.

Argh!

The DVD burn was done on my Powerbook and verified fine. Maybe it was a bad download?


Linux distributions usually ship a text file containing a special number called a checksum, which can be used to verify that every bit of the download was correct.1 Reading the text file, it appears that the hash used to verify Fedora’s download is an algorithm called Secure Hash 1 (SHA1):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

2f151a7329846da685c2a72fcb40eba3e8a355a0  FC4-i386-DVD.iso
aa82f4be0be901777537b6ad0906c4f3c2d84bc3  FC4-i386-SRPMS-disc1.iso
…

To verify this, you need to run sha1sum, which isn’t installed by default on Mac OS X. Use Fink (via Fink Commander) to install textutils. Then open the Terminal (located in the Utilities folder: Cmd-Shift-U) and run it.

$ sha1sum FC4-i386-DVD.iso
1c2ebfbc0d76963f4abfd2f5277531651302234c  FC4-i386-DVD.iso

(The “$” is part of the prompt. The second word is the filename. To get to it easily, navigate to the file in the Finder and drag it to the Terminal window; the Mac will do the rest.) Notice it doesn’t match.
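As an added example (not part of the original post, and not Fedora’s or Fink’s own code), here is a small Python script that does what the manual sha1sum comparison above does, but in the style of `sha1sum -c`: it reads a checksum file laid out like Fedora’s PGP-clearsigned SHA1SUM (armor header, `Hash: SHA1`, one `digest  filename` line per ISO, trailing signature block), streams each listed file through SHA-1 so a multi-gigabyte ISO never has to fit in memory, and reports OK, FAILED or MISSING per file. The file names, contents and the signature block in `demo()` are constructed stand-ins.

```python
import hashlib
import os
import re
import tempfile

# One line of sha1sum output: 40 hex digits, a space, then either a space
# (text mode) or '*' (binary mode), then the filename.
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{40}) [ *](.+)$")


def parse_checksum_file(text):
    """Return {filename: expected_sha1_hex} from a sha1sum-style file.

    The file may be a PGP clearsigned message like Fedora's SHA1SUM: the armor
    header, the 'Hash:' line and the trailing signature block are skipped.
    This only reads the list; it does NOT verify the PGP signature (see note).
    """
    expected = {}
    in_signature = False
    for line in text.splitlines():
        if line == "-----BEGIN PGP SIGNATURE-----":
            in_signature = True
        if in_signature:
            if line == "-----END PGP SIGNATURE-----":
                in_signature = False
            continue
        m = _SUM_LINE.match(line)
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks; an ISO image is far too big to read at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(checksum_text, directory):
    """Like `sha1sum -c`: returns {filename: "OK" | "FAILED" | "MISSING"}."""
    results = {}
    for name, want in parse_checksum_file(checksum_text).items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
        elif sha1_of_file(path) == want:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo():
    """Constructed end-to-end run: one good file, one corrupted download, one absent file."""
    good = b"constructed stand-in for FC4-i386-DVD.iso\n"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.iso"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "bad.iso"), "wb") as f:
            f.write(good[:-5] + b"XXXX\n")  # a few bytes wrong, as in a bad download
        good_sum = hashlib.sha1(good).hexdigest()
        # Constructed checksum file; the signature block is a placeholder, not a real signature.
        checksum_text = (
            "-----BEGIN PGP SIGNED MESSAGE-----\n"
            "Hash: SHA1\n"
            "\n"
            f"{good_sum}  good.iso\n"
            f"{good_sum}  bad.iso\n"
            f"{good_sum}  absent.iso\n"
            "-----BEGIN PGP SIGNATURE-----\n"
            "\n"
            "PLACEHOLDER-SIGNATURE-NOT-REAL\n"
            "-----END PGP SIGNATURE-----\n"
        )
        return verify_downloads(checksum_text, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

A match tells you the bits you have are the bits the checksum file describes, nothing more: if the checksum file itself was swapped, every digest will “match”. That is exactly why Fedora signs the file (see the footnotes), and why this script, like `sha1sum -c`, should be run only after the PGP signature has been checked against Red Hat’s public key. On a Mac without Fink, `openssl sha1 FC4-i386-DVD.iso` prints the same digest, just in a different layout.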

Argh!

I downloaded Bits on Wheels (nice interface) and the Fedora Core 4 x86 DVD torrent. Set Bits on Wheels up, open the torrent, quit it (it will have created a directory somewhere for the download), overwrite the iso file with my broken one, and restart Bits on Wheels. This is a nice way of getting the bad bits fixed without going through a complete download: the torrent file lets Bits on Wheels isolate which blocks are bad and redownload only them.

$ sha1sum FC4-i386-DVD.iso
2f151a7329846da685c2a72fcb40eba3e8a355a0  FC4-i386-DVD.iso

Sweet!

It turns out I burned it on a DVD-RW that Caitlin once bought to do backups. Erase, re-burn and install. Upgrade complete.

Sweet!

1 Your Mac OS X Software Update uses a similar checksum. In both cases the checksum file is digitally signed2 with a private key (owned by Red Hat in the case of Fedora and by Apple in the case of Software Update). This allows your Mac to make sure nobody has tampered with the download: Software Update first verifies, using the public key Apple installed on your computer, that the checksum file hasn’t been tampered with, and then uses that file to verify the software it downloaded.
2 Digital signatures are a special sort of checksum. The special property is that they can be created when combined with one sort of data (a “private key”) and verified when combined with a different sort of data (a “public key”). The two sorts of data form a pair in which one part can be safely distributed publicly as long as the other part is kept secure and private.
