Distros : Prep - Checksums
Checksum commands are a way to verify the integrity of a downloaded file. Server side they are run against a file which creates a finger print of that file. Every finger print is unique so every file checksum is unique. Then the user who downloads the file runs the same checksum command against that file and the checksum should match, if not, there is corruption.
There are many checksum commands and one of the quicker ones to use is md5sum which creates an hexadecimal checksum that is 128 bits long, each number or letter is 4 bits long so the checksum consist of 32 characters a combination of [0-9] and [a-f].
See below what difference a change of case on a single letter makes to a MD5 checksum!!! echo
simply outputs the text but when you redirect the text with a pipe |
to md5sum you get the checksum instead.
$ echo Hello world | md5sum f0ef7081e1539ac00ef5b761b4fb01b3 - $ echo hello world | md5sum 6f5902ac237024bdd0c176cb93063dc4 -
The md5sum help and man pages are thankfully brief and I will shorten it further.
$ md5sum -h Usage: md5sum [OPTION]... [FILE]... Print or check MD5 (128-bit) checksums. -c, --check read MD5 sums from the FILEs and check them --ignore-missing don't fail or report status for missing files The sums are computed as described in RFC 1321. When checking, the input should be a former output of this program.
All Linux Distros have checksums available in some form or other that users can use to verify the files that they download, for example Debian 10, drilling down to their download page for 64bit non-free live installation images with a choice of Desktop Environments: Cinnamon, Gnome, KDE, Lxde, Mate and Xfce.

Each ISO image has .contents, .log and .package text files describing the ISO contents and history. In total there are 28 files, there are also various checksum files MD5SUM and various SHASUM files that you can use to verify any files that you download.
The .sign files such as MD5SUM.sign are Debian's digital signatures that prove ownership of MD5SUM and by extension ownership of all the files checked using MD5SUM (more of that later..)
That's a lot of files, so to create a file that md5sum can use to check all or some of them Debian simply ran md5sum against all their files and saved the output to a text file called MD5SUMS, below is how to run Md5sum against the Cinnamon files and add (> >) the outputs to MD5SUM.
md5sum debian-live-10.9.0-amd64-cinnamon+nonfree.contents >> MD5SUMS md5sum debian-live-10.9.0-amd64-cinnamon+nonfree.iso >> MD5SUMS md5sum debian-live-10.9.0-amd64-cinnamon+nonfree.log >> MD5SUMS md5sum debian-live-10.9.0-amd64-cinnamon+nonfree.packages >> MD5SUMS
This is the part of MD5SUM text file that relates to Cinnamon and Gnome Desktop...
$ cat MD5SUMS bc7d0bc5237a7d84392038c9a9a86b6d debian-live-10.9.0-amd64-cinnamon+nonfree.contents ba3ddb397f2c2d7daba17204a8f42ab9 debian-live-10.9.0-amd64-cinnamon+nonfree.iso 154dcae733508717a4af4fe20b83cda2 debian-live-10.9.0-amd64-cinnamon+nonfree.log 23e55618b7af16fd5b4eceee1d11c73d debian-live-10.9.0-amd64-cinnamon+nonfree.packages bc7d0bc5237a7d84392038c9a9a86b6d debian-live-10.9.0-amd64-gnome+nonfree.contents 42c6c3b03a211c0b1bb6910b6b809080 debian-live-10.9.0-amd64-gnome+nonfree.iso bca142c9d1dd827992fa41435866810b debian-live-10.9.0-amd64-gnome+nonfree.log af1e666ed12960b782119a058f427a5e debian-live-10.9.0-amd64-gnome+nonfree.packages
It ends up being a long text file and if you just downloaded the Live Cinnamon ISO you could, in your web browser, click on MD5SUM to see its contents and scroll down to the cinnamon+nonfree.iso line, then in a terminal cd to your Download folder and run md5sum against it and compare checksums, but there is an easier way.
Download the MD5SUM file as well and any other files you want from that folder, run md5sum with the -c option to verify that the checksums match and the --ignore-missing option so as just to check the files you downloaded and finally the file that md5sum should use to compare the checksums with.
$ md5sum -c --ignore-missing MD5SUMS debian-live-10.9.0-amd64-cinnamon+nonfree.contents: OK debian-live-10.9.0-amd64-cinnamon+nonfree.iso: OK debian-live-10.9.0-amd64-cinnamon+nonfree.log: FAILED (I deleted a character in the .log file, opps) debian-live-10.9.0-amd64-cinnamon+nonfree.packages: OK md5sum: WARNING: 1 computed checksum did NOT match
Now isn't that very handy, no need to stain your eyes making sure every checksum matches!!!
MD5 is perfect and fast for detecting data corruption but when it comes to data security, strong cryptographic hash algorithms such as SHA256 and SHA512 were developed but they take longer to calculate especially with large ISO files. For more read Which checksum algorithm should I use? by Matthew Addis
Debian 10 also used these stronger hash algorithms, (Debian 11 now just uses the sha512sum command.)
- SHA1: 160-bit 80 characters
- SHA256: 256-bit 64 characters
- SHA512: 512-bit 128 characters
Below is part of the SHA512SUM entries for the Xfce Desktop Environment.
7b68e7ef0cd6dbd7bb0137b11c1ee78f5f0be6bef8adb4923c211a1f6067a566681304ec6d9b18a8c97ee2fe7e7870387109884400536df3670dc9fe1e38e938 debian-live-10.9.0-amd64-xfce+nonfree.contents d35dd69af8aaa7086572aa519855e9eed86404e80c0f7e4fa8853c5912d53c98f6760b315ac5d03b79747bc1d146ab1ec378b971fe8cc4092d568a131e55eba0 debian-live-10.9.0-amd64-xfce+nonfree.iso 4c255d778f4678864487033368a78170ba0b663a49aebabb8b4ca67a84497827c23fd0c4b6385826cafd43f37c9bd26bc08d8cd545f5ae2899a407485065fa85 debian-live-10.9.0-amd64-xfce+nonfree.log 0060a09c93e64223d172c99eceab41b20b4cebe0a822965635ec4c69d7003dec942262eaa20379729dedb7a18a6ace1f5b908197dff7df6673ac3b60861aa5d4 debian-live-10.9.0-amd64-xfce+nonfree.packages
The good news is that shasum works the same way as md5sum, I renamed the .log file I messed with so it won't be checked.
$ sha (then Tab) (to see all the shasum commands) sha1sum sha224sum sha256sum sha384sum sha512sum $ sha512sum SHA512SUMS -c --ignore-missing (rearranging the order of the command to see if it would work) debian-live-10.9.0-amd64-cinnamon+nonfree.contents: OK debian-live-10.9.0-amd64-cinnamon+nonfree.iso: OK debian-live-10.9.0-amd64-cinnamon+nonfree.packages: OK And it did :-)
Its important to use checksums to validate your downloaded ISO before you burn, however you need a means of ensuring that the checksum or the ISO is legitimate and comes from the Linux Distribution and hasn't been hacked. So this is where those .sign come in, these are digital signatures for each checksum signed by Debian
To check the MD5SUM file you use the command gpg --verify MD5SUM.sign MD5SUM
to prove that and then do the same for the SHASUM files. First there's a bit of gpg housework to be done but in these days of Hackers and Ransomware its best to be more security savvy.