[last updated: 2025-09-07]
-----
At this time this page is mostly for verifying the Linux OS iso file that is downloaded with each new version of Linux.
- Explanation:
Whenever you download something from the internet, there is a possibility it is corrupt or has been tampered with.
This procedure verifies the accuracy and authenticity of the iso file you downloaded.
This is a two-step process: verify the accuracy, and then verify the authenticity (authorship).
- The author of the file will apply a "secure hash algorithm" (i.e. "SHA") to the file,
and this algorithm will create a hash value that identifies the entire contents of the file.
The hash value is a multi-character string (perhaps 50-75 characters)
that is published by the program authors along with the program/file that you want to validate.
This will usually be a file of the form:
SHA256sum.txt
This is the file that is used to verify the download's accuracy.
- Further, the authors of the file will apply another algorithm to create an authenticity code. This will usually be a file of the form:
SHA256sum.txt.gpg
This file is a "signed and encrypted" (PGP encryption protocol) version of the sha256sum.txt file.
This is the file that is used to verify the download's authenticity (i.e. authorship).
-----------------------------------
- The Procedure:
- This process requires that you have 3 files:
- the .iso file that you are verifying,
- the sha...txt checksum file
- and the sha...txt.gpg authenticity file
- These 3 files should all be located in the same directory
- Verify accuracy:
- open a terminal, and cd to the directory where the files are located.
- Execute this command:
$ sha256sum [file or program name]
- The sha256sum command is bundled with the Linux OS.
When it's executed as above, it generates a hash value for the downloaded file.
You can manually compare the generated hash value with that in the ...SHA256.txt file.
If the generated hash matches the one published in the text file from the program authors,
then the downloaded file is validated.
- Verify authenticity:
- Download/import the signing key:
Copy & paste this command into the command window and press Enter to run it:
gpg --keyserver hkp://keys.openpgp.org:80 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
- Verify the download had no errors by checking the fingerprint:
Copy & paste this command into the command window and press Enter to run it:
gpg --list-key --with-fingerprint A25BAE09
The output of this command should contain:
27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09
- Verify the authenticity of the iso file:
Copy & paste this command into the command window and press Enter to run it:
gpg --verify sha256sum.txt.gpg sha256sum.txt
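The output of this command runs to several lines. The important parts are the text "Good signature"
and the statement that it was signed with the 27DEB15644C6B3CF3BD7D291300F846BA25BAE09 key.
It will likely also have a warning "This key is not certified..." This is normal and can be ignored.
The warning only means you have not marked the key as trusted in your own keyring; the fingerprint check above is what confirms you have the right key.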
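
The two checks above can be scripted so that nothing is compared by eye. The following is an added example, not part of the original notes: the function names are made up for illustration, the fingerprint is the one given on this page, and it assumes the signing key has already been imported as described above. It checks the signature on the checksum file first, then the iso against that file.

```shell
#!/bin/sh
# Added example. Fingerprint taken from this page; function names are hypothetical.
EXPECTED_FPR=27DEB15644C6B3CF3BD7D291300F846BA25BAE09

# Reads `gpg --status-fd 1 --verify ...` output on stdin. Succeeds only if a
# VALIDSIG line names the wanted fingerprint, either as the signing key
# (field 3) or as the primary key (last field). "Good signature" from some
# other key in the keyring therefore does not pass.
sig_is_from() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !ok }'
}

# Succeeds only if the SHA-256 of file $1 equals the hash listed for its base
# name in checksum file $2. Assumes file names without spaces.
iso_matches_list() {
    name=$(basename "$1")
    # Lines look like "<hash>  name" or "<hash> *name" (binary-mode marker).
    listed=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$2")
    [ -n "$listed" ] || { echo "no entry for $name in $2" >&2; return 2; }
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$listed" ]
}

# verify_download ISO CHECKSUM_FILE SIGNATURE_FILE
verify_download() {
    gpg --status-fd 1 --verify "$3" "$2" 2>/dev/null | sig_is_from "$EXPECTED_FPR" \
        || { echo "signature check failed for $2" >&2; return 1; }
    iso_matches_list "$1" "$2" \
        || { echo "checksum check failed for $1" >&2; return 1; }
    echo "OK: $1"
}
```

After sourcing the file, run it as: verify_download [iso file] sha256sum.txt sha256sum.txt.gpg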
-----------------------------------