A simple guide to demonstrate the process of verifying ISO files in Ubuntu and other Linux distributions.
Downloading operating system image files or software from the internet can sometimes pose a security risk because malicious actors can corrupt or modify files. To ensure the authenticity and integrity of downloaded files, it is necessary to verify them. In this beginner’s guide, we will walk you through verifying ISO files in Linux.
Table of Contents
What are ISO Files?
ISO files are commonly used for creating bootable media, installing software, and creating backups. An ISO file contains all the original application/disc data in a compressed format, allowing it to be easily downloaded and shared over the Internet.
For example, if you download an Ubuntu desktop, server, or any other Linux operating system, you must have encountered the files with .iso extensions. It is also used for applications or other operating systems such as Windows.
Why Verify ISO Files?
Verifying ISO files is critical to ensure that the downloaded file is authentic and has not been modified. A modified ISO file may contain malware or viruses that can harm your system. Verifying ISO files ensures that the downloaded file is the same as the one created by the developer and has not been tampered with.
For example, a few years back Linux Mint server was hacked and the official ISO files were modified. Since you are downloading it from the official website, you might think that the files are genuine. But they may not.
Hence, it’s important for you to always verify ISO files before using them to install on your Laptop/desktop.
Methods to Verify ISO Files in Linux
There are two commonly used methods to verify ISO files in Linux:
- Using SHA-256 Checksums
- Using GPG Signature
Using SHA-256 Checksums
SHA-256 is a cryptographic hash function that generates a unique hash value for a file. A checksum is a result of applying the SHA-256 algorithm to a file. The checksum is a unique string of characters that can be used to verify the integrity of a file.
To verify an ISO file using SHA-256 checksums, download the SHA-256 checksum from the developer’s website. The SHA-256 checksum file will contain the checksum value of the ISO file. You need to generate the checksum value of the downloaded ISO file and compare it with the checksum value in the SHA-256 checksum file. If the two values match, the downloaded ISO file is authentic and has not been modified.
Using GPG Signature
GPG (GNU Privacy Guard) is a cryptographic software that can be used to sign and verify files. A GPG signature is a digital signature that ensures the authenticity and integrity of a file. The developer signs the ISO file using their private key, and the user verifies the signature using the developer’s public key.
To verify an ISO file using GPG signature, you need to download the GPG signature file from the developer’s website. The GPG signature file will contain the developer’s public key and the signature of the ISO file. You need to import the developer’s public key, download the ISO file and the GPG signature file, and verify the signature of the ISO file using the developer’s public key. If the signature is valid, then the ISO file is authentic and has not been modified.
How to Verify ISO Files in Linux: Examples
Let’s take a look at some examples of the above methods of verifying ISO files using SHA-256 checksums and GPG signatures in Linux.
Verify ISO Files using SHA-256 Checksums
- I have downloaded the Linux Mint 21.1 ISO file from the official website.
- Also, I downloaded the SHA-256 text file containing the checksum for the ISO files as well (see above image).
- Now, open a terminal and go to the directory where the ISO and SHA-256 checksum files are located.
- Generate the SHA-256 checksum value of the ISO file using the
sha256sumcommand in the terminal. For example, to generate the checksum value of the above ISO file namedlinuxmint-21.1-cinnamon-64bit.iso, run the following command:
sha256sum linuxmint-21.1-cinnamon-64bit.iso
- Compare the generated checksum value with the checksum value in the SHA-256 checksum file. If the two values match, then the ISO file is authentic and has not been modified.
- Here’s a side-by-side comparison for the above ISO file.
And you can be assured that the file is genuine and has not been tampered with if the checksum matches. You can use the same command for any other ISO files and checksum for verification.
Now, let’s see how you can verify using gpg key.
Verify ISO Files using GPG Signature
For the above example, I have downloaded the .gpg file alongside the ISO file from the official website.
The next step is to download and import the developer’s public key. You can download the public key from the developer’s website or a keyserver.
I used the below command to download the Linux Mint’s public key for this example. So, for your ISO file of the respective Linux distro file, look around the download page to find out the public key.
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"
Note: You can also download the public key .asc file (if available), and use the command gpg --import developer_key_file.asc to import it in your system.
Once this is done, run the below gpg command to verify the file.
gpg --verify sha256sum.txt.gpg sha256sum.txt
If the file is genuine, you should see “Good signature” message as the output of the above command. Also, you can match the last 8bytes of the public key. The “Warning” is a generic message which you can ignore.
Conclusion
Verifying ISO files is an essential step in ensuring the authenticity and integrity of downloaded files. In this beginner’s guide, I covered the methods and steps to verify ISO files using SHA-256 checksums and GPG signatures in Linux. By following these steps, you can download and use ISO files confidently, knowing that they have not been modified and are safe to use.
Remember that even if you download from the official website, you never know whether the ISO file is authentic until you verify. So, use this as a best practice.
