How to verify a Linux ISO image before installing it

Checksums and signatures are as important as the Linux ISO file itself when you want to make sure your OS is not corrupted or was not illegally modified.

Most of the popular Linux distro includes extra files such as checksums and signatures when you download their ISO files. These are often ignored during download. While this is not a problem for the majority of users, some users typically those having an unreliable and slow internet connection, may run into a corrupted download.

Making use of the corrupted ISO images for installation can cause an unstable PC or in worst cases, an inoperable PC too. Hence, I suggest to first authenticate the ISO image before installing it.

Lately, in 2007, the Linux Minit official website was hacked. The hackers placed a modified ISO, which included a backdoor malicious file. Thankfully, the issue was solved quickly, but this shows us the importance of verifying the downloaded ISO files before installing them. Hence this tutorial.

Verifying Linux ISO checksum

Before starting our installation, you need to make sure that your Ubuntu system is up-to-date by using the following two commands:

sudo apt update
sudo apt upgrade

Step 1. By default, the Coreutils and GnuPG packages are pre-installed on Ubuntu. So we need to make sure that both md5sum and gpg are working correctly.

md5sum --version

Md5sum Version On Ubuntu
Md5sum Version On Ubuntu

gpg --version

Gpg Version On Ubuntu
Gpg Version On Ubuntu

Step 2. Next, we need to download “SHA256SUMS” and “SHA256SUMS.gpg”, both files can be found alongside the original ISO files from the official Ubuntu website.

Go to the Ubuntu official website (Click here!!).

Ubuntu Official Website
Ubuntu Official Website

Now search for the ISO you need to download, then you will find the previous files too, as you can see in the below screenshot.

Select Check-sums File
Select Check-sums File

Note: Press the file to download it, or you can easily right-click on it and choose to save link as. Please DO NOT copy the file content into a text file and use it because that will not work correctly.

Step 3. Now we need to check if we will need to get a public key or not. So we will run the next command to find out.

gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS

Check Public Key For Ubuntu Already Present
Check Public Key For Ubuntu Already Present

As you can see in the above screenshot, there is no public key found. Also, this output message tells you the keys used to generate the signature file. The keys are (46181433FBB75451 and D94AA3F0EFE21092).

Step 4. To get the public keys, you can use the next command along with the previous keys.

gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092

Public Key Retrieved
Public Key Retrieved

Step 5. Check the key fingerprints by using the next command.

gpg --keyid-format long --list-keys --with-fingerprint 0x46181433FBB75451 0xD94AA3F0EFE21092

Request ID From The Ubuntu Key Server.
Request ID From The Ubuntu Key Server.

Step 6. Now you can verify the checksum file again.

gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS

Verify The Checksum File Using The Signature
Verify The Checksum File Using The Signature

As you can see in the above screenshot, a good signature means that the files that were checked were for sure signed by the owner of the obtained key file. If a lousy signature was detected, then this means that the files did not match, and the signature is a bad one.

Step 7. Now let’s check the generated sha256 checksum for the downloaded ISO and compare it with the downloaded one in the SHA256SUM file.

sha256sum -c SHA256SUMS 2>&1 | grep OK

The output should look like the below screenshot:

Check The Ubuntu ISO
Check The Ubuntu ISO

As you can see, this means that your ISO matches the checksum file. Now you can proceed and use the downloaded ISO safely with no fear that it has been altered or downloaded incorrectly.

Hend Adel
Hi! I'm Hend Adel, a freelancer technical geek with successful experience in Database, Linux and many other IT fields. I help to build solutions to suit business needs and creating streamlined processes. I love Linux and I'm here to share my skills via FOSS Linux! Thanks for reading my article.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

STAY CONNECTED

23,953FansLike
248FollowersFollow
16SubscribersSubscribe

LATEST ARTICLES

notepad alternatives linux
Notepad++ has been the de facto standard for source code editors for nearly 16 years, almost since its creation in 2003.  For Windows users, that is.  For years, Linux users had no source code editor that compared to Notepad++ with all its bells and whistles, such as code folding, scripting, markup languages, syntax highlighting, auto-completion for programming (limited).
apt_vs_apt-get
Most Linux users, both veterans, and newbies, often get confused about what the difference between the Linux commands apt, and apt-get are and when they should use one or the other.