You have probably downloaded a GNU/Linux distribution in order to install it. Many users choose not to verify anything: they simply download the ISO image, write it to a bootable medium and go ahead with the installation. At best, some verify the checksum, but not the authenticity of the checksum file itself. This can leave you with files that are corrupted, or that have been modified by malicious third parties...
Remember that verification not only protects you from corrupted files, but also from the case where some cybercriminal has intentionally modified the image to include malware or backdoors to spy on users. In fact, it would not be the first time that an attack of this kind has hit the download servers of a distro or of other programs for these purposes.
What you need to know first
As you know, when you download a distro there are several types of verification files: the MD5 ones and the SHA ones. The only thing that differs between them is the hash algorithm used to produce them, but both serve the same purpose. You should preferably use the SHA files.
The typical files you find when downloading a distro, in addition to the ISO image itself, are:
- distro-name-image.iso: the ISO image of the distro itself. It can have very different names, for example ubuntu-20.04-desktop-amd64.iso. In this case the name indicates that it is the Ubuntu 20.04 desktop distro for the AMD64 architecture (x86-64 or EM64T; in short, 64-bit x86).
- MD5SUMS: contains the checksums of the images, computed with MD5.
- MD5SUMS.gpg: contains the digital signature of the previous file, used to verify that it is authentic.
- SHA256SUMS: contains the checksums of the images, computed with SHA256.
- SHA256SUMS.gpg: contains the digital signature of the previous file, used to verify that it is authentic.
Note that if you download via a .torrent file, this verification is not necessary, since verification is built into the download process of such clients.
Now let's walk through a practical example of how verification should proceed in a real case. Let's assume we want to download Ubuntu 20.04 and verify its ISO image using SHA256:
- Download the Ubuntu ISO image itself.
- Download the verification files, that is, both SHA256SUMS and SHA256SUMS.gpg.
- Now run the following commands from the directory where you downloaded them (assuming they are in Downloads) to verify:
```sh
# "Descargas" is the Spanish name of the Downloads directory
cd Descargas
# check the signature on the checksum file
gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
# if the previous command reported a missing public key, fetch the Ubuntu
# signing key from the Ubuntu keyserver and run the verification again
gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys 0xD94AA3F0EFE21092
# check the ISO image against the (now verified) checksum file
sha256sum -c SHA256SUMS
```
The output of these commands should not alarm you. The second command displays the signature information, in this case with the Ubuntu credentials. If you read a message such as «WARNING: This key is not certified with a trusted signature!» or «There is no indication that the signature belongs to the owner», do not panic. That happens whenever the key has not been marked as trusted in your keyring. That is why you must make sure that the downloaded key belongs to the entity in question (in this case the Ubuntu developers), which is the purpose of the third command...
The fourth command should tell you that the image is OK, that is, that the sum matches, if the ISO image file has not been modified. Otherwise, it should warn you that something is wrong...
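As an added example that is not part of the original article, the script below turns the same checks into shell functions that fail closed, so an automated download cannot proceed on a bad signature or a wrong checksum; it assumes GNU coreutils and gpg, reuses the article's file names and key ID, and includes a constructed stand-in ISO and SHA256SUMS so the checksum part can be run with no network access.

```shell
#!/bin/sh
# Added example, not code from the original article: the checks above as
# shell functions that fail closed, so a script can refuse an image that
# does not pass. Assumes GNU coreutils and gpg; the file names and the key
# ID are taken from the article's Ubuntu 20.04 case.

# verify_signature SIG SUMS KEYID: succeeds only if gpg reports a GOODSIG
# made by KEYID. The machine-readable --status-fd lines are easier to check
# than the human output, and pinning the key ID means the "not certified
# with a trusted signature" warning is irrelevant. Import the key first
# with --recv-keys, as in the article.
verify_signature() {
    sig=$1; sums=$2; keyid=${3#0x}
    gpg --keyid-format long --status-fd 1 --verify "$sig" "$sums" 2>/dev/null |
        grep -q "^\[GNUPG:\] GOODSIG $keyid "
}

# verify_sum SUMS ISO: checks only the entry for ISO. A bare
# `sha256sum -c SHA256SUMS` also tries every other image listed in the
# file and reports them as missing; here they are ignored, and the check
# fails if the ISO has no entry at all or its hash differs.
verify_sum() {
    sums=$1; iso=$2; name=$(basename "$iso")
    # Entries look like "<hex> *<file>" (binary mode) or "<hex>  <file>".
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 1; }
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# make_fixture DIR: constructed test data, a stand-in "ISO" plus a
# SHA256SUMS that also lists an image we did not download.
make_fixture() {
    printf 'constructed stand-in for an ISO image\n' > "$1/ubuntu-20.04-desktop-amd64.iso"
    h=$(sha256sum "$1/ubuntu-20.04-desktop-amd64.iso" | awk '{ print $1 }')
    printf '%s *ubuntu-20.04-desktop-amd64.iso\n' "$h" > "$1/SHA256SUMS"
    printf '%s *ubuntu-20.04-live-server-amd64.iso\n' "$h" >> "$1/SHA256SUMS"
}

# Demo on the constructed files: no network or keyring needed.
work=$(mktemp -d)
make_fixture "$work"
verify_sum "$work/SHA256SUMS" "$work/ubuntu-20.04-desktop-amd64.iso" && echo "checksum OK"
printf 'tampered\n' >> "$work/ubuntu-20.04-desktop-amd64.iso"
verify_sum "$work/SHA256SUMS" "$work/ubuntu-20.04-desktop-amd64.iso" || echo "checksum MISMATCH, do not use this image"
rm -rf "$work"
```

In a real run, call verify_signature on SHA256SUMS.gpg and SHA256SUMS with the key ID from the article before trusting the checksum file, and only then call verify_sum on the image you downloaded.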