Verifying ISO images is an essential step to ensure the integrity and authenticity of downloaded files, especially for Linux distributions. The process involves checking the hash value or digital signature of the downloaded ISO against the known legitimate value provided by the distribution's official website. In this guide, I will explain how to verify ISO images in Linux, with an example.
Why do We Need to Verify the Integrity and Authenticity of a Linux ISO Image?
It is important to verify the integrity and authenticity of an ISO image to ensure that the downloaded file is a true copy of the original and has not been tampered with.
Integrity Check: This confirms that the ISO image has been downloaded properly and is an exact copy of the file on the download servers. An error during download could result in a corrupted file, leading to issues during installation.
Authenticity Check: This verifies that the ISO image has been signed by the respective distribution provider (e.g., Linux Mint) and is not a modified or malicious copy.
Verifying the ISO image protects your system from potential issues caused by corrupted or malicious files.
Verify Integrity of Linux ISO images
1. Download the ISO image:
First, download the ISO image file of your desired Linux distribution from the official website. For the purpose of this guide, I will be using the latest openSUSE Leap ISO downloaded from the official site.
2. Download the checksum file:
Along with the ISO image, you'll also need to download the corresponding checksum file (usually a .sha256 or .md5 file). This file contains the cryptographic hash values for the ISO image. When both are offered, prefer the SHA-256 file: MD5 is no longer collision-resistant, so a matching MD5 says less about the file than a matching SHA-256.
3. Calculate the checksum:
Once you have both the ISO image and the checksum file, you can use a utility like sha256sum or md5sum to calculate the hash value of the downloaded ISO image.
Example:
$ sha256sum openSUSE-Leap-15.6-DVD-x86_64-Media.iso
ac1fbaf0071bdb71b8222fa1f40d6dd013e5699bb55c5636dce85beb0818985d  openSUSE-Leap-15.6-DVD-x86_64-Media.iso
4. Compare the checksums:
Compare the calculated hash value with the one provided in the checksum file you downloaded. If the values match, it means the ISO image is intact and hasn't been corrupted or modified during the download process.
Example:
Open the checksum file (e.g., openSUSE-Leap-15.6-DVD-x86_64-Media.iso.sha256):
$ cat openSUSE-Leap-15.6-DVD-x86_64-Media.iso.sha256
ac1fbaf0071bdb71b8222fa1f40d6dd013e5699bb55c5636dce85beb0818985d  openSUSE-Leap-15.6-DVD-x86_64-Media.iso
In this example, the calculated hash value (ac1fbaf0071bdb71b8222fa1f40d6dd013e5699bb55c5636dce85beb0818985d) matches the one listed in the .sha256 file, indicating that the downloaded openSUSE Leap 15.6 ISO image is intact: it is byte-for-byte the file the checksum describes. A matching checksum proves authenticity only to the extent that the checksum file itself is genuine, which is what the signature check later in this guide establishes.
If the hash values don't match, it means the ISO image has been corrupted or modified, and you should download it again from the official source.
Some Linux distributions also provide GPG (GNU Privacy Guard) signatures for their ISO images. In such cases, you can use the gpg command to verify the digital signature, ensuring the ISO image was indeed released by the official distribution maintainers.
Compare Checksums using sha256sum Command
Manually comparing checksums can be tedious and error-prone, especially when dealing with long hash values. Fortunately, there's a more convenient way to automate the verification process using a single command.
Most Linux distributions provide a convenient option to verify the ISO image against the checksum file automatically. Here's how you can do it:
1. Download the ISO image and the checksum file:
Download the ISO image and the corresponding checksum file (e.g., SHA256SUMS or MD5SUMS) from the official website.
2. Use the -c option with the checksum utility:
The -c option instructs the checksum utility (sha256sum, md5sum, etc.) to read the checksums from a file and verify the integrity of the corresponding files.
Example:
$ sha256sum -c openSUSE-Leap-15.6-DVD-x86_64-Media.iso.sha256
openSUSE-Leap-15.6-DVD-x86_64-Media.iso: OK
In this example, the sha256sum command reads the checksums from the openSUSE-Leap-15.6-DVD-x86_64-Media.iso.sha256 file and compares them against the actual ISO image file (openSUSE-Leap-15.6-DVD-x86_64-Media.iso). If the checksums match, it outputs OK, indicating that the ISO image is intact and matches the published checksum.
If the checksums don't match, you'll see an error message like this:
$ sha256sum -c openSUSE-Leap-15.6-DVD-x86_64-Media.iso.sha256
openSUSE-Leap-15.6-DVD-x86_64-Media.iso: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match
Here's another example.
The Linux Mint team provides a sha256sum.txt file along with the ISO file. You can verify the ISO file using the sha256sum.txt file like below:
$ sha256sum -c sha256sum.txt
linuxmint-22-cinnamon-64bit-beta.iso: OK
This command checks the SHA-256 checksum of the ISO file against the value specified in the sha256sum.txt file. If the checksums match, it displays "OK", meaning the ISO file is intact and matches the checksum the Linux Mint team published.
This automated approach saves you from manually comparing the checksums and reduces the chances of human error.
Some key points to remember:
- Make sure you're in the same directory as the ISO image and the checksum file when running the command.
- The checksum file should have the correct naming convention (e.g., SHA256SUMS for SHA-256 checksums, MD5SUMS for MD5 checksums).
- If the checksums don't match, you should download the ISO image again from the official source.
By using the -c option with the checksum utility, you can easily and reliably verify the integrity of downloaded ISO images, ensuring a secure and trustworthy installation process.
Verify Authenticity of sha256sum.txt File
As I stated already, a sha256sum.txt file contains the checksums that are used to verify the integrity of a Linux ISO image. If this file were to be tampered with, an attacker could distribute a modified ISO image that appears to be legitimate but actually contains malicious code.
By verifying the authenticity of the sha256sum.txt file, you can be confident that the checksums it contains are genuine and have not been altered. This gives you the assurance that the ISO image you are downloading is the one that was actually released by the official team and has not been tampered with.
To verify the authenticity of sha256sum.txt, you need to check the signature in sha256sum.txt.gpg. This process ensures that the sha256sum.txt file, which contains the checksums used to verify the integrity of the ISO image, has not been tampered with.
For the purpose of this guide, I will be using the latest Linux Mint 22 ISO.
1. Import the Linux Mint signing key:
You need to first import the Linux Mint signing key to your system. This can be done by using the following command:
gpg --keyserver hkp://keys.openpgp.org:80 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
You can then verify if the key was properly imported by using the following command:
gpg --list-key --with-fingerprint A25BAE09
The output should contain 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09.
2. Verify the authenticity of sha256sum.txt:
Once the key is imported, you can verify the authenticity of the sha256sum.txt file using the following command:
gpg --verify sha256sum.txt.gpg sha256sum.txt
The output should confirm that the file signature is "good" and that it was signed with the correct key (27DEB15644C6B3CF3BD7D291300F846BA25BAE09).
You may receive a warning that the Linux Mint key is not certified with a trusted signature. This is normal and expected: gpg is saying that you have not certified the key in your own keyring, not that the signature is bad. Comparing the fingerprint to the published value, as above, is what establishes that the key is the genuine one.
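The same check in script form, as an added example that is not part of the article or of the Linux Mint project: instead of reading the human-readable "Good signature" text, it asks gpg for machine-readable status lines and compares the signing key's fingerprint to the expected one, which is the step that turns "some key in my keyring signed this" into "the release team signed this". The throwaway key, the sha256sum.txt contents and the file names in the demo are constructed; the verify function works unchanged on a real sha256sum.txt.gpg with the fingerprint given above.

```shell
#!/bin/sh
# Added example (not from the article): verify sha256sum.txt.gpg and insist
# that the key which made the signature has the fingerprint the project
# publishes. gpg prints "Good signature" for any key in your keyring, so the
# fingerprint comparison is what binds the file to the release team.

# Normalise a fingerprint: drop the spaces gpg inserts for display, upper-case.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Read gpg --status-fd output on stdin and print the primary key fingerprint
# from the VALIDSIG line (its last field; the first field is the signing
# subkey). Nothing is printed for a bad signature, because gpg then emits
# BADSIG or ERRSIG instead of VALIDSIG.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Verify a detached signature and check the signer against the expected
# fingerprint. Returns 0 only for a good signature made by that key.
verify_signed_checksums() {   # $1 = .gpg signature, $2 = signed file, $3 = expected fingerprint
    want=$(norm_fpr "$3")
    got=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | validsig_primary_fpr)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Demo: a throwaway key in a private GNUPGHOME signs a constructed
# sha256sum.txt; the three outcomes a defender cares about are checked.
# Returns 0 if all three behave, 3 if gpg cannot be used in this environment.
demo_gpg() {
    command -v gpg >/dev/null 2>&1 || return 3
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    # Constructed key standing in for the distribution's release-signing key.
    if ! gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-gen-key 'Example Release Key <release@example.invalid>' default default never \
            >/dev/null 2>&1; then
        rm -rf "$work"; unset GNUPGHOME; return 3
    fi
    fpr=$(gpg --batch --with-colons --list-keys 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }')
    printf '%064d  example.iso\n' 0 > "$work/sha256sum.txt"     # constructed checksum list
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --detach-sign \
        --output "$work/sha256sum.txt.gpg" "$work/sha256sum.txt" 2>/dev/null
    rc=0
    # 1. Genuine list, expected key: must pass.
    verify_signed_checksums "$work/sha256sum.txt.gpg" "$work/sha256sum.txt" "$fpr" || rc=1
    # 2. Valid signature, but not from the key we expect: must fail even
    #    though gpg itself would print "Good signature" for it.
    verify_signed_checksums "$work/sha256sum.txt.gpg" "$work/sha256sum.txt" "$(printf '%040d' 0)" && rc=1
    # 3. List altered after signing: must fail.
    printf '%064d  example.iso\n' 1 > "$work/sha256sum.txt"
    verify_signed_checksums "$work/sha256sum.txt.gpg" "$work/sha256sum.txt" "$fpr" && rc=1
    command -v gpgconf >/dev/null 2>&1 && gpgconf --kill gpg-agent 2>/dev/null
    unset GNUPGHOME; rm -rf "$work"
    return "$rc"
}

# Standalone run: report the demo outcome.
status=0; demo_gpg || status=$?
case $status in
    0) echo "demo: genuine signature accepted, wrong key and altered file rejected" ;;
    3) echo "demo: gpg not usable in this environment, skipped" ;;
    *) echo "demo: unexpected result" ;;
esac
```

Once verify_signed_checksums returns 0 for the real sha256sum.txt.gpg and the published Linux Mint fingerprint, the sha256sum -c sha256sum.txt step from the previous section can be trusted. The "not certified with a trusted signature" warning from gpg is expected here too: the key was fetched by fingerprint rather than certified in your web of trust, and the explicit fingerprint comparison is the trust decision.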
Verify ISO Images using Linux Mint
If you're using Linux Mint, it has a built-in tool for verifying ISO images. The tool can be accessed by right-clicking the ISO image and selecting "Verify".
Alternatively, the command line tool mint-iso-verify can be used with the ISO file. For example, to verify an ISO file named "linux-mint.iso", one would use the command:
mint-iso-verify linux-mint.iso
Conclusion
Verifying ISO images is VERY IMPORTANT to maintain the integrity and security of the Linux distribution you're about to install. It's a recommended practice to always check the checksums or digital signatures before proceeding with the installation.