Results 1 to 14 of 14

Thread: Kali Linux 64 bit SHA-1 Hashes Not Matching

  1. #1
    Join Date
    2015-Oct
    Posts
    3

    Kali Linux 64 bit SHA-1 Hashes Not Matching

    I have donwloaded the ISO from https://www.kali.org/downloads/ 3 times now, and the SHA-1 hash does not match the one listed in the download page or the SHA1SUMS file. Every time I get 41F934CE531D53D7FCF8E45F41F6BCB0EE0ADECF for the SHA-1 hash. Is this a case of bad documentation or am I getting an intercepted download? Trying the torrent download now.

  2. #2
    Which Kali x64 are you downloading? Normal or light?

    If you are having issues downloading via HTTP, torrents are highly recommended.
    This is a Kali-Linux support forum - not general IT/infosec help.

    Useful Commands: OS, Networking, Hardware, Wi-Fi
    Troubleshooting: Kali-Linux Installation, Repository, Wi-Fi Cards (Official Docs)
    Hardware: Recommended 802.11 Wireless Cards

    Documentation: http://docs.kali.org/ (Offline PDF version)
    Bugs Reporting & Tool Requests: https://bugs.kali.org/
    Kali Tool List, Versions & Man Pages: https://tools.kali.org/

  3. #3
    Quote Originally Posted by g0tmi1k View Post
    Which Kali x64 are you downloading? Normal or light?

    If you are having issues downloading via HTTP, torrents are highly recommended.

    I have the same issue with the 32bit system as well. Key generated on kali-linux-2.0-i386.txt.sha1sum did not match, I am getting a "kali-linux-2.0-i386.iso: FAILED" message.

  4. #4
    I am having the same issue, I have downloaded Kali Linux 64 bit via torrent multiple times over the past few days and continue to get a bad signature error....

    gpg --verify SHA1SUMS.gpg kali-linux-2.0-amd64.txt.sha1sum
    gpg: Signature made Tue 11 Aug 2015 06:35:26 AM PDT using RSA key ID 7D8D0BF6
    gpg: BAD signature from "Kali Linux Repository <devel@kali.org>"


    I assume I am doing something wrong but I have no idea.....

  5. #5
    Join Date
    2015-Nov
    Posts
    10
    I have the same problem here checking the amd64 version. The checksum is 89001717ced95eb84597dd31bc59993ab90bbbb6

  6. #6
    Join Date
    2015-Nov
    Posts
    10
    Does nobody know the reason for that mismatch?

  7. #7
    Join Date
    2015-Jul
    Location
    /home/duxim
    Posts
    408
    Quote Originally Posted by tur-ing View Post
    Does nobody know the reason for that mismatch?
    The reason is irrelevant. It could be anything.
    You have to download proper iso img in order to install Kali and for that use torrtent rather then direct iso.
    if you need, try to download 2,3,4,5... times to get good iso img with verified md5 and sha1.
    Repetitio est mater studiorum

  8. #8
    Join Date
    2015-Nov
    Posts
    3
    Quote Originally Posted by duxim View Post
    The reason is irrelevant. It could be anything.
    You have to download proper iso img in order to install Kali and for that use torrtent rather then direct iso.
    I've been watching this thread for a while, and signed up to seek clarification on the same issue as others are having regarding the hashes & signature.
    Please excuse my confusion, I thought the entire focus of Kali Linux is security, yet the official ISO images should be treated as insecure (from advice in the official installation guide about the hashes / signature)???
    What I did:
    1. Kali's official GPG key was downloaded and verified:
    pub 4096R/7D8D0BF6 2012-03-05 [expires: 2018-02-02]
    Key fingerprint = 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6
    uid Kali Linux Repository <devel@kali.org>
    sub 4096R/FC0D0DCB 2012-03-05 [expires: 2018-02-02]


    2. I then downloaded the torrent using the official link from kali.org for 64bit: http://images.kali.org/kali-linux-2.0-amd64.torrent
    This download has TWO files (not the expected THREE) kali-linux-2.0-amd64.iso, kali-linux-2.0-amd64.txt.sha1sum (There is no kali-linux-2.0-amd64.txt.sha1sum.gpg)

    3. SHA1 sum check of the ISO (kali-linux-2.0-amd64.iso) matches the SHA1 text file generated when the download is initiated (kali-linux-2.0-amd64.txt.sha1sum)
    $ shasum kali-linux-2.0-amd64.iso
    aaeb89a78f155377282f81a785aa1b38ee5f8ba0 kali-linux-2.0-amd64.iso
    $ cat kali-linux-2.0-amd64.txt.sha1sum
    aaeb89a78f155377282f81a785aa1b38ee5f8ba0 kali-linux-2.0-amd64.iso

    This match proves that what I downloaded is what was sent, and it was not tampered in transit.

    4. Using the SHA1SUMS.gpg from the Kali Download Server http://kali.muzzy.org.uk/kali-images/kali-2.0/SHA1SUMS.gpg
    $gpg --verify SHA1SUMS.gpg kali-linux-2.0-amd64.txt.sha1sum
    gpg: Signature made Tue 11 Aug 2015 14:35:26 BST using RSA key ID 7D8D0BF6
    gpg: BAD signature from "Kali Linux Repository <devel@kali.org>"

    A BAD signature indicates that the SHA1 hash in the file kali-linux-2.0-amd64.txt.sha1sum was not signed by Kali developers, and thus the ISO is not made by them.

    Conclusion
    I believe the BAD signature is because SHA1SUMS.gpg is a signed version of SHA1SUMS which contains ALL the ISO hashes, and there is no SHA1SUMS.gpg for each ISO -which is what I'm thinking is needed, right?
    QUESTION: Where can I obtain kali-linux-2.0-amd64.txt.sha1sum.gpg to verify the downloaded ISO?

    P.S. The sticky post about hashes seems outdated? https://forums.kali.org/showthread.p...x-SHA-1-Hashes
    Last edited by Talin; 2015-11-28 at 10:32.

  9. #9
    Join Date
    2015-Nov
    Posts
    3

    Question

    ..In addition to my last post...

    As the downloaded hash "aaeb89a78f155377282f81a785aa1b38ee5f8ba0 kali-linux-2.0-amd64.iso" in file kali-linux-2.0-amd64.txt.sha1sum
    matches the first line of the SHA1SUMS file (found on the Kali Download server http://cdimage.kali.org/kali-2.0/ )
    I could prove the ISO is OK if I verify SHA1SUMS with the signature SHA1SUMS.gpg.

    SHA1SUMS.gpg is signed by Kali developers, so if it agrees with SHA1SUMS, and SHA1SUMS contains the same hash as the downloaded ISO - I'd prove the ISO is valid.
    However this is the result:
    $gpg --verify SHA1SUMS.gpg SHA1SUMS
    gpg: Signature made Tue 11 Aug 2015 14:35:26 BST using RSA key ID 7D8D0BF6
    gpg: Good signature from "Kali Linux Repository <devel@kali.org>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.

    Primary key fingerprint: 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6

    So this method doesn't work either?

    Edit: Further reading around seems to suggest this may be the most trust that can be determined for the ISO without extended use of the gpg program to build a ring of trust.
    In the output of the last command the "Primary key fingerprint" matches that of Kali's GPG key, the "Good signature" is for an @kali.org email address, and the SHA1SUMS files were downloaded from the Kali Download server. All these points would require undetected simultaneous compromise to invalidate the ISO.
    Therefore, to a reasonable degree - the ISO can be taken as valid.
    QED.
    Last edited by Talin; 2015-11-27 at 22:13.

  10. #10
    Join Date
    2015-Nov
    Posts
    2
    I downloaded the same iso today with perfect SHA1. packet loss on your line/ISP maybe?

  11. #11
    Join Date
    2015-Nov
    Posts
    2
    When I tried to download the 64 bit ISO today I got redirected from Kali's downlad page to kali.muzzy.org.uk which was blocked by - not sure if this page is ligit or not.

  12. #12
    Join Date
    2015-Nov
    Posts
    2
    An update
    The direct download link from Kali's download page goes to http://kali.muzzy.org.uk/kali-images...-2.0-amd64.iso
    My AV which blocks that page
    I've since done a bit of searching and found that muzzy.org.uk is an official mirror (see http://security.kali.org/README.mirrorlist) but that it's listed by VirusTotal (https://www.virustotal.com/ru/domain...k/information/) which may be why my AV is blocking it.
    So, probably nothing to worry about.

  13. #13
    Join Date
    2015-Dec
    Posts
    1
    Is there somebody who successfully verified SHA1SUMS.gpg signature on Windows? I have downloaded iso, SHA1SUMS and SHA1SUMS.gpg, then imported key into gpg4win under key ID: 7D8D0BF6. Then I checked fingerprint of key: 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6. Finally I opened SHA1SUMS.gpg in GNU Clipboard and tried to verify the signature,but I got key status: bad. Am I doing something wrong?
    I also tried to compare calculated iso SHA1 hash with SHA1SUMS file and these values are same, so I have "just" problem with signature / key.

  14. #14
    Join Date
    2015-Nov
    Posts
    3
    Check if you are having the same issue as I did? See the error messages I included in my earlier post.
    I used Linux, but the platform (Windows / Linux) shouldn't have an impact on the verification.

    I got a bad signature when trying to compare the SHA1SUMS.gpg with the iso SHA1 hash (for reasons I explained).
    So I compared the SHA1SUMS with SHA1SUMS.gpg, since the iso SHA1 hash matched the first line of the SHA1SUMS file.

Similar Threads

  1. Kali Linux SHA-256 Hashes
    By g0tmi1k in forum Installing Kali Linux
    Replies: 18
    Last Post: 2021-09-14, 16:12
  2. Kali Linux SHA-1 Hashes
    By g0tmi1k in forum Installing Archive
    Replies: 18
    Last Post: 2018-04-30, 23:23
  3. Help with MacBook EFI hashes
    By Cyb3rg0d in forum General Archive
    Replies: 0
    Last Post: 2015-01-01, 19:34
  4. Getting passwords from hashes
    By fallingstar in forum General Archive
    Replies: 0
    Last Post: 2014-02-19, 23:38

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •