Documentation< Previous | Contents | Next >
Relying on the TLS-Protected Website
When you retrieve the checksum from the TLS-protected download webpage, its origin is indi- rectly guaranteed by the X.509 certificate security model: the content you see comes from a web site that is effectively under the control of the person who requested the TLS certificate.
Now you should generate the checksum of your downloaded image and ensure that it matches what you recorded from the Kali website:
$ sha256sum kali-linux-2017.1-amd64.iso
49b1c5769b909220060dc4c0e11ae09d97a270a80d259e05773101df62e11e9d kali-linux-2016.2-amd64.iso
$ sha256sum kali-linux-2017.1-amd64.iso
49b1c5769b909220060dc4c0e11ae09d97a270a80d259e05773101df62e11e9d kali-linux-2016.2-amd64.iso
If your generated checksum matches the one on the Kali Linux download page, you have the cor- rect file. If the checksums differ, there is a problem, although this does not indicate a compromise or an attack; downloads occasionally get corrupted as they traverse the Internet. Try your down- load again, from another official Kali mirror, if possible (see “cdimage.kali.org” [page 14] for more information about available mirrors).