11

Every time I download Raspbian (last time Raspbian Stretch with desktop) I try to verify SHA256. However, every time the result is different from the one on the website, although I am quite sure the download was successful and without manipulation.

Why is that? Am I calculating in a wrong way?

The last time, I generated the sha256 on OSX with the command: shasum -a 256 2018-06-27-raspbian-stretch.img

Francesco Boi
  • 4
    Side note - "I am quite sure the download was successful and without manipulation." - no you aren't. – user253751 Sep 18 '18 at 00:20
  • 3
    If you're getting the hash from the same channel as the file it claims to verify, it's actually only a checksum (detecting accidental corruption). An attacker that could replace the image could also modify the hash to match. – Jeffrey Bosboom Sep 18 '18 at 02:10
  • 1
    @immibis No, you are right, I am not in one particular occasion, but if every time the sha256 does not correspond, it is more likely that something is not right in how I am calculating it rather than me being attacked on every download I do in different situations with different networks and different everything... At least I think so; otherwise I would have to think I am under attack every time, but I am not that paranoid. – Francesco Boi Sep 18 '18 at 08:35

1 Answer

33

The SHA-256 checksum on the downloads page is for the ZIP file, not the IMG file.

Dirk
  • It confused me because it seems OSX extracts the zip file directly, so I did not get that it was downloaded as a zip. – Francesco Boi Sep 17 '18 at 16:19
  • You'll find the .zip file is there in the parent folder of the location the contents were extracted to. This took me a while to get used to, too. :) – Jules Sep 17 '18 at 16:30
  • 12
    Sidenote: Provided checksums are in general directly for the downloaded file, not for any files inside a downloaded archive/container. – Michael Pittino Sep 17 '18 at 17:56
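
As an added example (not part of the question or the answer above), the following Python script reproduces the situation described on this page: it builds a constructed zip archive holding a fake .img, hashes both the archive and the extracted member, and shows that a checksum published for the download matches only the zip. It also includes a streaming file hasher and a comparison helper you can point at a real download and the hash copied from the downloads page; the file name is taken from the question, while the archive contents and the "published" value are constructed here for the demonstration. Note the point raised in the comments: a matching digest fetched from the same site as the file only rules out accidental corruption, not substitution by whoever controls that channel.

```python
import hashlib
import hmac
import io
import os
import sys
import tempfile
import zipfile


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as the lowercase hex digest that shasum -a 256 prints."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so a multi-gigabyte image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_published(actual_hex: str, published_hex: str) -> bool:
    """Compare two hex digests, tolerating the stray whitespace and upper-case
    hex that copy-pasting from a web page tends to introduce."""
    return hmac.compare_digest(actual_hex.strip().lower(), published_hex.strip().lower())


def build_constructed_zip(image_name: str, image_bytes: bytes) -> bytes:
    """Constructed stand-in for the Raspbian download: a zip with one .img inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(image_name, image_bytes)
    return buf.getvalue()


def extract_member(zip_bytes: bytes, member: str) -> bytes:
    """What OSX does silently after the download: pull the .img out of the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(member)


def demo() -> dict:
    """Hash the archive and its extracted member against one published digest."""
    image_name = "2018-06-27-raspbian-stretch.img"          # name from the question
    image_bytes = b"constructed fake image payload\n" * 1000  # constructed contents
    zip_bytes = build_constructed_zip(image_name, image_bytes)

    # The downloads page publishes the digest of the zip itself (constructed here).
    published = sha256_hex(zip_bytes)

    # Hash the archive the way it sits on disk, streaming it from a temp file.
    with tempfile.NamedTemporaryFile(suffix=".zip", delete=False) as tmp:
        tmp.write(zip_bytes)
        tmp_path = tmp.name
    try:
        zip_matches = matches_published(sha256_file(tmp_path), published)
    finally:
        os.unlink(tmp_path)

    # Hash the extracted image, which is what the asker was doing.
    extracted = extract_member(zip_bytes, image_name)
    img_matches = matches_published(sha256_hex(extracted), published)

    return {
        "zip_matches": zip_matches,        # True: the published value is for the zip
        "img_matches": img_matches,        # False: the .img has a different digest
        "img_intact": extracted == image_bytes,  # the mismatch is not corruption
    }


if __name__ == "__main__":
    # Usage: python verify.py <downloaded-file> <published-sha256-hex>
    if len(sys.argv) == 3:
        ok = matches_published(sha256_file(sys.argv[1]), sys.argv[2])
        print("OK" if ok else "MISMATCH")
        sys.exit(0 if ok else 1)
    print(demo())
```

Run without arguments to see the three flags from the demo; run with a file path and the hash copied from the downloads page to check a real download, and remember to hand it the .zip, not the .img that OSX extracted next to it.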