How to verify that a Linux ISO’s checksum has not been tampered with [Tip]

It is important to check the Linux ISO files we download before we run and install them on our computers, because they may have been altered by an attacker to plant a back door in our systems. Here is the method.

Linux distributions provide checksums so we can confirm the ISO files we download. These checksum files are usually signed, so we can also verify that the checksums themselves have not been tampered with. This is particularly useful and important when you have downloaded an ISO from somewhere other than the official site, such as a random third-party mirror or a torrent site, where anyone can alter sensitive files.

How This Process Works

Checking an ISO file takes several steps, so before we go through them, let’s list the things we will need to check an ISO file successfully.

  1. First, the Linux ISO file, which we can download from the distribution’s website or from anywhere you like.
  2. Then the checksum file and its digital signature, which are provided on the distribution’s website. The checksum file is a TXT file.
  3. The PGP key belonging to the Linux distribution. You can also get it from the distribution’s website.
  4. Finally, we will compute the checksum of our downloaded ISO file and verify that it matches the checksum in the TXT file we downloaded. If the two match, the ISO file has not been tampered with.

How to Verify a Checksum on Linux

Today we’ll use Linux Mint as an example. For Linux Mint, you are provided with two files alongside the ISO. Download the ISO and the two other files, labeled sha256sum.txt and sha256sum.txt.gpg.

On Linux, open a terminal window and download the PGP key with the command:

      gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 0FF405B2

Now we have everything we need:

  • The ISO
  • The checksum file
  • The checksum’s digital signature file
  • The PGP key

Next, change to the folder the files were downloaded to (Downloads here) with the cd command:

      cd ~/Downloads

Then run the following command, which checks the signature on our checksum file:

      gpg --verify sha256sum.txt.gpg sha256sum.txt

If this command reports that the downloaded sha256sum.txt file has a good signature, we can continue: one of the lines GPG prints will contain the phrase "Good signature", and then we are good to go. (GPG may also warn that the key is not certified with a trusted signature; that warning concerns how much you have told GPG to trust the key, not whether the signature itself is valid.)

Finally, now that we know the checksum file was created by the Linux Mint distributors, run the following command to compute the checksum of our downloaded .iso file and compare it with the checksum TXT file we downloaded separately:

      sha256sum --check sha256sum.txt

If you followed the steps correctly and the ISO file has not been tampered with, you will see an OK next to your ISO, meaning it matches the checksum TXT file you downloaded. Because the TXT file lists every edition of the release, sha256sum will also complain that the ISOs you did not download are missing; only the line for your ISO matters. If your ISO does not match, someone has tampered with it (or the download was corrupted in transit); either way, do not use it.
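The whole procedure as a small script, added here as an example (it is not from the original article and not Linux Mint’s own tooling). It assumes GnuPG and GNU coreutils (sha256sum, awk, mktemp) are installed, uses the file names from the steps above, and has a placeholder EXPECTED_FPR that you replace with the key fingerprint published on the distribution’s official site. It goes slightly beyond the article in two ways: it checks that the signature was made by the expected key rather than only looking for the words "Good signature", and it verifies only the line for the ISO you actually downloaded, since sha256sum.txt lists every edition. The build_fixture function creates constructed sample files so the checksum step can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the original article: the two checks above
# (gpg verifies the signature on sha256sum.txt, then sha256sum compares the
# ISO against it) as shell functions. EXPECTED_FPR is a placeholder; the
# real fingerprint comes from the distribution's official web site.

EXPECTED_FPR="REPLACE_WITH_FINGERPRINT_FROM_OFFICIAL_SITE"

# Step 1: check the detached signature AND that it was made by the key we
# expect. gpg reports "Good signature" for any key in the keyring, so we
# read its machine-readable status output (--status-fd 1) and require a
# VALIDSIG line that carries the expected fingerprint.
check_signature() {
    sig="$1"; file="$2"; fpr="$3"
    gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null |
        grep '^\[GNUPG:\] VALIDSIG ' | grep -q "$fpr"
}

# Step 2: hash the ISO and compare it with the signed list. The
# distribution's sha256sum.txt lists every edition of the release, so we
# keep only the entry for our ISO; otherwise sha256sum also reports the
# editions we never downloaded as missing.
check_checksum() {
    sumfile="$1"; iso="$2"
    line_file="${iso}.expected"
    # sha256sum entries look like "<hash>  <name>" or "<hash> *<name>"
    awk -v f="$iso" '$2 == f || $2 == ("*" f)' "$sumfile" > "$line_file"
    if ! [ -s "$line_file" ]; then
        echo "no entry for $iso in $sumfile" >&2
        return 1
    fi
    # --status: print nothing; exit 0 only if the hash matches
    sha256sum --check --status "$line_file"
}

# Both steps together, in the order the article uses: never trust the
# checksum list before its signature has been checked.
verify_iso() {
    sumfile="$1"; iso="$2"
    check_signature "$sumfile.gpg" "$sumfile" "$EXPECTED_FPR" ||
        { echo "signature check failed for $sumfile" >&2; return 1; }
    check_checksum "$sumfile" "$iso"
}

# Constructed fixture so the checksum step can be exercised offline: a fake
# "ISO" plus a checksum list in the same layout as the real sha256sum.txt,
# including an entry for an edition we did not download. Prints the
# directory it created; run the checks from inside that directory.
build_fixture() {
    d=$(mktemp -d)
    printf 'not a real iso, just constructed sample bytes\n' > "$d/sample.iso"
    printf 'another constructed edition\n' > "$d/other.iso"
    ( cd "$d" && sha256sum sample.iso other.iso > sha256sum.txt )
    rm "$d/other.iso"
    echo "$d"
}

# Real use, from ~/Downloads, with your-download.iso standing in for the
# ISO's actual file name (a placeholder, not a name from the article):
#   verify_iso sha256sum.txt your-download.iso && echo "ISO verified"
```

The signature check reads GPG’s status lines instead of its exit code on purpose: `gpg --verify` exits successfully for a valid signature from any key you have imported, so a key fetched by short ID from a keyserver only proves something if its fingerprint matches what the distribution publishes.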

Follow the above steps to ensure your ISO file is genuine and has not been tampered with, to protect your privacy and avoid any loss. Hope you find it helpful.
