4

I am following instructions as shown here

  • Operating Windows 7, so have downloaded GPG4WIN.
  • Next instruction is to enter this command: $ wget -q -O - https://www.kali.org/archive-key.asc | gpg --import
  • So, newbie here... am I to enter that into Command Prompt? When I do, I get the error message: '$' is not recognized as an internal or external command, operable program or batch file.
miniBill
Joel

2 Answers

3

The verification steps assume that you are already using Linux. As you're using Windows, you'll need to follow the manual verification steps from the Kali download page.

To run a SHA1 checksum on Windows, download and install Microsoft's checksum app. Per this page, run it with the command:

fciv.exe -sha1 kali-linux-1.1.0-amd64.iso

Then compare the checksum by hand with what's on the Kali download page.

Update: 02 July 2017. Kali is now using SHA256, which is not supported by fciv. You can use PowerShell as suggested by @Rory McCune in the comments. The syntax is:

Get-FileHash kali-linux-2017.1-amd64.iso -Algorithm sha256

You may need to change the filename if you are using a different version of Kali.

schroeder
Neil Smithline
  • Wow, Neil, thanks. Eureka! It worked for the SHA1sum just as you directed. Am I correct in thinking that MD5 is an equivalent method utilizing a different (MD5) protocol? – Joel Jul 19 '15 at 19:08
  • FWIW, you can also use the Get-Filehash powershell cmdlet for this http://technet.microsoft.com/en-us/library/dn520872.aspx – Rory McCune Jul 19 '15 at 19:32
  • MD5 and SHA1 are not "protocols", they are mathematical algorithms. Cryptographic hash algorithms to be specific. They have specific properties (see the link) that makes them good for detecting changes in data files such as an ISO. – Neil Smithline Jul 19 '15 at 20:02
  • @NeilSmithline with the proposed fciv I get a completely different hash produced than on the download page - does it mean I should not use the image then? Is there a work-around? – Aliakbar Ahmadi Jul 01 '17 at 13:47
  • @AliakbarAhmadi - It means that you shouldn't use it as is stated on the Kali download page. I've updated my answer. – Neil Smithline Jul 02 '17 at 20:28
1

How is ISO verification done with kleopatra on Windows?

For example it worked in qubes-OS: https://www.qubes-os.org/downloads/

But I don't know how to check with Kali.iso, for example for the 2017.3 version

http://cdimage.kali.org/kali-2017.3/
#1- downloaded the SHA256SUMS and SHA256SUMS.gpg files from here

And Kali downloaded over torrent has these files:

#2- kali-linux-2017.3-amd64.iso
#3- kali-linux-2017.3-amd64.txt.sha256sum


Now I added the .asc file --> downloaded this file:

https://www.kali.org/archive-key.asc
...and verify that the displayed fingerprint matches the one below 7D8D0BF6


And verifying works with SHA256SUMS.gpg from point #1
but I got an error with the checksum downloaded from torrent #2

Tutorial from here: "https://www.howtogeek.com/246332/how-to-verify-a-downloaded-linux-iso-file-wasnt-tampered-with/"


Solved:

  1. Doing it by hand: select the .iso file -> Right Click -> CRC SHA (comes with 7zip) -> SHA-256 (pressed)
  2. Wait a bit until Checksum Information shows: 395bc0af107806e5bf06edc6ac4af1f96caaf04f465831abf2f33ce51b73968d
  3. Check it by opening the file #1 SHA256SUMS in Editor or Notepad++
  4. In the file you see: 395bc0af107806e5bf06edc6ac4af1f96caaf04f465831abf2f33ce51b73968d kali-linux-2017.3-amd64.iso

So it's the same.

schroeder
Amelie
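
The check described in both answers (Get-FileHash in the first, comparing against the entry in SHA256SUMS in the second) as one PowerShell function. This is an added example, not code from either answer: the name Test-IsoChecksum, its parameters and the demo files are hypothetical and constructed. It assumes PowerShell 4.0 or later, where Get-FileHash is available.

```powershell
# Added example. Test-IsoChecksum and its parameters are hypothetical names.
# Authenticate SHA256SUMS first (gpg.exe ships with Gpg4win):
#   gpg --verify SHA256SUMS.gpg SHA256SUMS
function Test-IsoChecksum {
    param(
        [Parameter(Mandatory)] [string] $IsoPath,
        [Parameter(Mandatory)] [string] $SumsPath
    )
    $isoName  = Split-Path -Leaf $IsoPath
    $expected = $null
    # Each SHA256SUMS line is "<64 hex digits>  <file name>"; a '*' before
    # the name marks binary mode in sha256sum output and is skipped.
    foreach ($line in Get-Content -LiteralPath $SumsPath) {
        if ($line -match '^([0-9a-fA-F]{64})\s+\*?(.+?)\s*$' -and $Matches[2] -eq $isoName) {
            $expected = $Matches[1]
            break
        }
    }
    if (-not $expected) { throw "No SHA-256 entry for '$isoName' in '$SumsPath'" }

    # Get-FileHash prints upper-case hex and SHA256SUMS lower-case, so both
    # are normalised; string -eq is case-insensitive in PowerShell anyway.
    $actual = (Get-FileHash -LiteralPath $IsoPath -Algorithm SHA256).Hash.ToLower()
    [pscustomobject]@{
        File     = $isoName
        Expected = $expected.ToLower()
        Actual   = $actual
        Match    = ($actual -eq $expected.ToLower())
    }
}

# Constructed demo (no real ISO needed): a small stand-in file plus a
# SHA256SUMS file that lists its hash.
$dir  = Join-Path $env:TEMP 'iso-check-demo'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
$iso  = Join-Path $dir 'demo.iso'
$sums = Join-Path $dir 'SHA256SUMS'
Set-Content -LiteralPath $iso -Value 'constructed stand-in for an ISO image'
$hash = (Get-FileHash -LiteralPath $iso -Algorithm SHA256).Hash.ToLower()
Set-Content -LiteralPath $sums -Value "$hash  demo.iso"
Test-IsoChecksum -IsoPath $iso -SumsPath $sums

# Change the file after the checksum was recorded, as a corrupted or
# altered download would be, and run the same check again.
Add-Content -LiteralPath $iso -Value 'extra bytes'
Test-IsoChecksum -IsoPath $iso -SumsPath $sums
```

For a real download, pass the path of the ISO and of the SHA256SUMS file that came with it; the checksum comparison is only meaningful once the signature on SHA256SUMS has been verified against the Kali key.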