You just downloaded an ISO image of your favorite Linux distribution from the official site or a third party site, now what? Create bootable medium and start installing the OS? No, wait. Before start using it, It is highly recommended to verify that the downloaded ISO in your local system is the exact copy of the ISO present in the download mirrors. Because, Linux Mint's website is hacked few years ago and the hackers made a modified Linux Mint ISO, with a backdoor in it. So, It is important to check the authenticity and integrity of your Linux ISO images. If you don't know how to verify ISO images in Linux, this brief guide will help. Read on!
Verify ISO Images In Linux
We can verify ISO images using the Checksum values. Checksum is a sequence of letters and numbers used to check data for errors and verify the authenticity and integrity of the downloaded files. There are different types of checksums, such as SHA-0, SHA-1, SHA-2 (224, 256, 384, 512) and MD5. MD5 sums have been the most popular, but nowadays SHA-256 sums are mostly used by modern Linux distros.
We are going to use two tools namely "gpg" and "sha256" to verify authenticity and integrity of the ISO images.
Download checksums and signatures
For the purpose of this guide, I am going to use Ubuntu 18.04 LTS server ISO image. However, the steps given below should work on other Linux distributions as well.
Near the top of the Ubuntu download page, you will see a few extra files (checksums and signatures) as shown in the following picture.
Here, the SHA256SUMS file contains checksums for all the available images and the SHA256SUMS.gpg file is the GnuPG signature for that file. We use this signature file to verify the checksum file in subsequent steps.
Download the Ubuntu ISO images and these two files and put them all in a directory, for example ISO.
$ ls ISO/ SHA256SUMS SHA256SUMS.gpg ubuntu-18.04.2-live-server-amd64.iso
As you see in the above output, I have downloaded Ubuntu 18.04.2 LTS server image along with checksum and signature values.
Download valid signature key
Now, download the correct signature key using command:
$ gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092
gpg: key D94AA3F0EFE21092: 57 signatures not checked due to missing keys gpg: key D94AA3F0EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) <email@example.com>" imported gpg: key 46181433FBB75451: 105 signatures not checked due to missing keys gpg: key 46181433FBB75451: public key "Ubuntu CD Image Automatic Signing Key <firstname.lastname@example.org>" imported gpg: no ultimately trusted keys found gpg: Total number processed: 2 gpg: imported: 2
Verify SHA-256 checksum
Next verify the checksum file using the signature with command:
$ gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Friday 15 February 2019 04:23:33 AM IST gpg: using DSA key 46181433FBB75451 gpg: Good signature from "Ubuntu CD Image Automatic Signing Key <email@example.com>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451 gpg: Signature made Friday 15 February 2019 04:23:33 AM IST gpg: using RSA key D94AA3F0EFE21092 gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <firstname.lastname@example.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
If you see "Good signature" in the output,the checksum file is created by Ubuntu developer and signed by the owner of the key file.
Check the downloaded ISO file
Next, let us go ahead and check the downloaded ISO file matches the checksum. To do so, simply run:
$ sha256sum -c SHA256SUMS 2>&1 | grep OK ubuntu-18.04.2-live-server-amd64.iso: OK
If the checksum values are matched, you will see the "OK" message. Meaning - the downloaded file is legitimate and hasn't altered or tampered.
If you don't get any output or different than above output, the ISO file has been modified or incorrectly downloaded. You must re-download the file again from a good source.
Some Linux distributions have included the checksum value in the download page itself. For example, Pop!_os developers have provided the SHA-256 checksum values for all ISO images in the download page itself, so you can quickly verify the ISO images.
After downloading the the ISO image, verify it using command:
$ sha256sum Soft_backup/ISOs/pop-os_18.04_amd64_intel_54.iso
Here, the random string starting with "680elaa..." is the SHA-256 checksum value. Compare this value with the SHA-256 sum value provided on the downloads page. If both values are same, you're good to go! The downloaded ISO file is legitimate and it hasn't changed or modified from its original state.
This is how we can verify the authenticity and integrity of an ISO file in Linux. Whether you download ISOs from official or third-party sources, it is always recommended to do a quick verification before using them. Hope this was useful.