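How to verify ISO images in Linux
You have downloaded an ISO image of your favourite Linux distribution from its official website or from a third-party site. What next? Create bootable media and start installing? Not yet. Before you use the image, it is strongly recommended that you check whether the ISO file you just downloaded to your local system is an exact copy of the ISO file on the download mirror. A few years ago the Linux Mint website was compromised, and the attackers created a modified Linux Mint ISO file containing a backdoor. Verifying the authenticity and integrity of a downloaded Linux ISO image is therefore very important. If you do not know how to verify ISO images in Linux, this brief guide will help. Read on!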
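Verify ISO images in Linux
We can verify an ISO image using its checksum. A checksum is a sequence of letters and numbers used to check downloaded data for errors and to verify its authenticity and integrity. Several types of checksum exist, such as SHA-0, SHA-1, SHA-2 (224, 256, 384, 512) and MD5. MD5 sums are the most commonly used, but for modern Linux distributions SHA-256 is used most often.
We will use two tools, gpg and sha256sum, to verify the authenticity and integrity of the ISO image.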
Download checksums and signatures
For the purpose of this guide, I am going to use the Ubuntu 18.04 LTS server ISO image, but the steps should also apply to other Linux distributions.
Near the top of the Ubuntu download page you will see some extra files (checksums and signatures), as shown in the picture below:
Ubuntu 18.04 checksums and signatures
The file named SHA256SUMS contains the checksums for all the images available there, and the SHA256SUMS.gpg file is the GnuPG signature of that file. In the following steps we use this signature file to verify the checksum file.
Download the Ubuntu ISO image and the two files just mentioned, and put them all in the same directory, for example the ISO directory used here:
$ ls ISO/
SHA256SUMS SHA256SUMS.gpg ubuntu-18.04.2-live-server-amd64.iso
As you can see, I have downloaded the Ubuntu 18.04.2 LTS server image along with its checksum file and signature file.
Download the valid signature key
Now download the correct signature key using the following command:
$ gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092
Sample output:
gpg: key D94AA3F0EFE21092: 57 signatures not checked due to missing keys
gpg: key D94AA3F0EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>" imported
gpg: key 46181433FBB75451: 105 signatures not checked due to missing keys
gpg: key 46181433FBB75451: public key "Ubuntu CD Image Automatic Signing Key <[email protected]>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 2
gpg: imported: 2
Verify the SHA-256 checksum file
Next, verify the checksum file using the signature:
$ gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
Sample output:
gpg: Signature made Friday 15 February 2019 04:23:33 AM IST
gpg: using DSA key 46181433FBB75451
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451
gpg: Signature made Friday 15 February 2019 04:23:33 AM IST
gpg: using RSA key D94AA3F0EFE21092
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
If you see "Good signature" in the output, the checksum file was created by the Ubuntu developers and signed by the owner of the key file. The WARNING lines mean only that your own keyring has no trust path to these keys, so compare the primary key fingerprints printed by gpg with fingerprints obtained from a source you trust independently of the download mirror.
Check the downloaded ISO file
Now let us check that the downloaded ISO file matches the given checksum. To do so, simply run:
$ sha256sum -c SHA256SUMS 2>&1 | grep OK
ubuntu-18.04.2-live-server-amd64.iso: OK
If the checksum matches, you will see OK, which means the downloaded file is legitimate and has not been altered or tampered with.
If you do not get similar output, or you see something different, the ISO file may have been modified or was not downloaded correctly. You must download the file again from a better source.
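An added example (not part of the original article) that turns the two manual checks above into a script that fails closed: it accepts the signature only if gpg's machine-readable status reports valid signatures from the primary key fingerprints shown in the output above, then checks the named ISO using sha256sum's exit status instead of grepping for OK. The function names check_gpg_status and verify_iso and the script name verify.sh are hypothetical, and the keys are assumed to be imported already as shown earlier.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Function names are hypothetical.

# Primary key fingerprints exactly as gpg printed them above, spaces removed.
PINNED_FPRS="C5986B4F1257FFA86632CBA746181433FBB75451 843938DF228D22F7B3742BC0D94AA3F0EFE21092"

# Reads `gpg --status-fd 1 --verify ...` output on stdin. Succeeds only if at
# least one VALIDSIG line exists, every VALIDSIG ends with a pinned primary key
# fingerprint, and no signature was bad, uncheckable, expired-key or revoked-key.
check_gpg_status() {
    awk -v pinned="$PINNED_FPRS" '
        BEGIN { n = split(pinned, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { if ($NF in ok) good++; else bad = 1 }
        END { exit (good > 0 && !bad) ? 0 : 1 }'
}

# verify_iso DIR NAME: check only NAME against DIR/SHA256SUMS and return
# sha256sum's own exit status. A missing entry, missing file or mismatch fails.
verify_iso() {
    (
        cd "$1" || exit 1
        awk -v f="$2" '$2 == f || $2 == ("*" f)' SHA256SUMS |
            sha256sum -c --status -
    )
}

# Usage: ./verify.sh ISO ubuntu-18.04.2-live-server-amd64.iso
if [ "$#" -eq 2 ]; then
    gpg --status-fd 1 --verify "$1/SHA256SUMS.gpg" "$1/SHA256SUMS" 2>/dev/null |
        check_gpg_status || { echo "signature check failed" >&2; exit 1; }
    verify_iso "$1" "$2" || { echo "checksum check failed: $2" >&2; exit 1; }
    echo "verified: $2"
fi
```

Because ERRSIG counts as a failure, both signing keys must be in the keyring, as they are after the --recv-keys step above.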
Some Linux distributions include the checksum on the download page itself. For example, the Pop!_OS developers provide the SHA-256 checksums for all ISO images on their download page, so you can verify those images quickly.
Pop!_OS SHA-256 checksum on its download page
After downloading the ISO image file, verify it using the following command:
$ sha256sum Soft_backup/ISOs/pop-os_18.04_amd64_intel_54.iso
Sample output:
680e1aa5a76c86843750e8120e2e50c2787973343430956b5cbe275d3ec228a6 Soft_backup/ISOs/pop-os_18.04_amd64_intel_54.iso
Pop!_OS SHA-256 checksum value
In the output above, the part starting with 680e1aa is the SHA-256 checksum value. Compare this value with the SHA-256 checksum provided on the download page. If the two values are the same, the downloaded ISO file is legitimate and has not been changed or tampered with relative to its original state. You are good to go!