Written 15-Nov-2021
In the past years, various cryptanalysis have long demonstrated that MD5 checksum could no longer be trusted for verifying files' integrity, where malicious tampering is a concern. SHA-1 checksum is also now considered as marginally secure and couldn't be trusted nilly-willy for every use. While both kind of checksums could still be used fine for checking errors introduced unintentionally; checksums provided for downloadable resources on the Internet are gradually switching to SHA-2 family, usually SHA-256 or SHA-512.
People using legacy or vintage computer systems usually have access limited to older checksum utilities that would only calculate various flavors of CRC, Unix cksum, MD5, and/or SHA-1; meaning they cannot get the security benefits of newer SHA-2 family, or loose the ability to verify downloaded files altogether if the download source no longer provide legacy checksums. As a person who value legacy systems and have access to certain legacy GNU/Linux setup in Linux kernel 2.4 era, I set out to find ways to bring these newer tools to the older systems.
The standard command-line SHA-2 checksum utilities provided on most GNU/Linux setups came from GNU Coreutils project. The earliest readily-downloadable GNU Coreutils version that came with SHA-2 utilities is 6.3 (30-Sep-2006), but it failed to build from source on some systems. This issue appears to be fixed in version 6.10 (22-Jan-2008), so that is the version I tried to build and distribute below.
In each packages listed below,
binaries of all SHA-2 utilities included in GNU Coreutils 6.10 are provided:
sha224,
sha256,
sha384,
sha512
(4 commands total).
Manual page of each command are also included
(4 manual pages total).
Archives are structured for unpacking at filesystem root,
which would install files into /usr
(binaries in /usr/bin and manual pages in /usr/share/man/man1).
Built for i386, links dynamically to system-installed GNU C Library 2.3.6 or compatibles.
| Size: | 231643 bytes (226 KiB) |
|---|---|
| MD5: | ecec7e827b6610d6a726db87387e3437 |
| SHA-1: | 34da4e6f2f32413ebc44153958329e630c4d3ce1 |
| SHA-256: | 3f863b26d058565d2066ec4ef8fbb042406dad6cacd6534bcb8edc7bfbd7a675 |
Built for i386, statically linked with GNU C Library 2.3.6. Only use this if the one above doesn't work.
| Size: | 1207831 bytes (1.15 MiB) |
|---|---|
| MD5: | 4b2d4f465bdf241bcfc40fa28f6e104c |
| SHA-1: | 1a03c7011b56281803d023670099468d1e74689c |
| SHA-256: | 0aba6aa078347b9342c46d8541e50189d64502ded35f8c4a94ed817887474c05 |
The simplest way to install all SHA-2 utilities and associated manual pages, is downloading one of the package listed above, and unpack it at filesystem's root. (Root account is needed to do this) For example, if the first package is downloaded and saved as /tmp/coreutils-6.10_sha2.i386.tgz , the command would be:
tar -C / -xvvzf /tmp/coreutils-6.10_sha2.i386.tgz
If you would like to install only certain binaries
or manual pages,
you can append their path to the end of command line.
For example,
following command is installing only sha256sum and its manual page:
tar -C / -xvvzf /tmp/coreutils-6.10_sha2.i386.tgz usr/bin/sha256sum usr/share/man/man1/sha256sum.1
Of course, installing them to home directory is also possible (no root access required) as these utilities are pretty much standalone; but it would require extracting the package into directory structure that is different from what's provided in the archive. If you have access to a graphical archiver, that would be the easiest way to extract and install.
If you don't however,
and if the Tar utility on your machine
doesn't support GNU --strip option,
the command line can be particularly hideous.
This is an example
if the first package is downloaded
and saved as /tmp/coreutils-6.10_sha2.i386.tgz ,
the command to install that into home directory would be:
( OLDDIR="`pwd`" &&
TMPDIR="`mktemp -d`" &&
cd "$TMPDIR" &&
tar -xvvzf /tmp/coreutils-6.10_sha2.i386.tgz &&
mkdir -p ~/bin &&
mv -vi usr/bin/* ~/bin/ &&
mkdir -p ~/man/man1 &&
mv -vi usr/share/man/man1/* ~/man/man1/ &&
cd "$OLDDIR" &&
rm -rf "$TMPDIR" )
If your Tar utility supports --strip,
the above could be simplified into:
tar -C ~ -xvvzf /tmp/coreutils-6.10_sha2.i386.tgz --strip 1 usr/bin &&
tar -C ~ -xvvzf /tmp/coreutils-6.10_sha2.i386.tgz --strip 2 usr/share/man
These packages are built from gzipped GNU Coreutils 6.10 source tarball (HTTPS, HTTP, FTP) with no modification whatsoever.
| Size: | 9193125 bytes (8.77 MiB) |
|---|---|
| MD5: | eca0de1bf7389694305d7e52cd76a472 |
| SHA-1: | f91f16e999dea6097bf555b467066ac931d584e4 |
| SHA-256: | 1d013547889f20576460249c4210632d5314531c8477378a2e046b13a8ebeb7e |
Following instructions assume you are using GNU/Linux system,
POSIX-compatible shell,
with GNU development toolchains installed
(GNU C Compiler,
GNU Make,
GNU Tar,
GNU Zip),
and the working directory
does not contain any file except the downloaded coreutils-6.10.tar.gz.
(If you plan to copy-paste this into your terminal,
it would be prudent to do it in
,
as it would stop immediately should any step error out)
sh -e
Note that root access is not strictly necessary in building these;
but the packages listed above are actually built using root account,
so that an accurate file owner/group got recorded in the package tarballs
without needing to resort to fakeroot program
(which the build system doesn't have)
or --owner / --group option of more-recent GNU Tar
(which the version in the build system predated them).
tar -xzf coreutils-6.10.tar.gz
cd coreutils-6.10
./configure --prefix=/usr
make -C lib
make -C src sha224sum sha256sum sha384sum sha512sum
mkdir -p ../staging/usr/bin
cp -avi src/sha???sum ../staging/usr/bin/
mkdir -p ../staging/usr/share/man/man1
cp -avi man/sha???sum.1 ../staging/usr/share/man/man1/
cd ../staging
tar -cvvf ../coreutils-6.10_sha2.i386.tar *
cd ..
gzip -c -9 coreutils-6.10_sha2.i386.tar > coreutils-6.10_sha2.i386.tgz
Following these steps would require around 61 MiB of disk space. After it's done, coreutils-6.10 directory, staging directory, and coreutils-6.10_sha2.i386.tar file could be removed.
tar -xzf coreutils-6.10.tar.gz
cd coreutils-6.10
LDFLAGS="-static" ./configure --prefix=/usr
make -C lib
make -C src sha224sum sha256sum sha384sum sha512sum
mkdir -p ../staging/usr/bin
cp -avi src/sha???sum ../staging/usr/bin/
mkdir -p ../staging/usr/share/man/man1
cp -avi man/sha???sum.1 ../staging/usr/share/man/man1/
cd ../staging
tar -cvvf ../coreutils-6.10_sha2.i386.static.tar *
cd ..
gzip -9 -c coreutils-6.10_sha2.i386.static.tar > coreutils-6.10_sha2.i386.static.tgz
Following these steps would require around 68 MiB of disk space. After it's done, coreutils-6.10 directory, staging directory, and coreutils-6.10_sha2.i386.static.tar file could be removed.
Note that the differences between two instructions
are just the value of LDFLAGS environment variable
provided to ./configure program,
and the name of Tar file.
| GNU/Linux Distribution: | ZipSlack Linux 11.0 |
|---|---|
| Architecture: | i386 |
| GNU C Library: | 2.3.6 |
| GNU C Compiler: | 3.4.6 |
| GNU Linker: | 2.15.92.0.2 20040927 |
| GNU Make: | 3.81 |
| GNU Tar: | 1.15.1 |
| GNU Zip: | 1.3.5 |
| Linux Kernel: | 2.4.33.3 |
uname -a: | Linux ZIPSLACK 2.4.33.3 #29 Fri Sep 1 04:55:14 CDT 2006 i686 pentium3 i386 GNU/Linux |
All the packages listed are tested under following systems:
Wheezyi386
These builds are brought to you by ~xwindows. The actual builds were done on 15-Nov-2021.
The relevant section of coreutils-6.10/AUTHORS file
says that the authors of packaged utilities are:
sha224sum: Ulrich Drepper, Scott Miller, David Madore sha256sum: Ulrich Drepper, Scott Miller, David Madore sha384sum: Ulrich Drepper, Scott Miller, David Madore sha512sum: Ulrich Drepper, Scott Miller, David Madore
Copyright notice at the start of coreutils-6.10/src/md5sum.c code says:
/* Compute MD5, SHA1, SHA224, SHA256, SHA384 or SHA512 checksum of files or strings Copyright (C) 1995-2007 Free Software Foundation, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */
The GNU General Public License version 3 could be viewed here.