How to correctly verify the integrity of an ISO image of your distro

verify ISO image

You have probably downloaded a GNU / Linux distribution to install it. Usually many users choose not to verify anything, they just download the ISO image, burn it in a bootable medium and prepare to install their distribution. At best, some verify the sum but not the authenticity of the sum itself. But this could lead to files being corrupted or modified by malicious third parties ...

Remember that not only can it save you from corrupted files, but also that some cybercriminal You have intentionally modified the image to include certain malware or back doors to spy on users. In fact, it is not the first time that one of these attacks has occurred on distro download servers and other programs for these purposes.

What you need to know before

Well, as you know, when you download the distro there are several types of verification files. Is it so the MD5 and the SHA. The only thing that varies in them is the encryption algorithm that has been used in each of them, but both serve the same purpose. You should preferably use the SHA.

The typical files that you can find when downloading the distro, in addition to the ISO image itself, are:

  • distro-name-image.iso: is the one that contains the ISO image of the distro itself. It can have very different names. For example, ubuntu-20.04-desktop-amd64.iso. In this case it indicates that it is the Ubuntu 20.04 distro for desktop and for the AMD64 architecture (x86-64 or EM64T, in short, x86 64-bit).
  • MD5SUMS: Contains the checksums of the images. In this case MD5 is used.
  • MD5SUMS.gpg: in this case it contains the digital signature of verification of the previous file, to verify that it is authentic.
  • SHA256SUMS: Contains the checksums of the images. In this case SHA256 is used.
  • SHA256SUMS.gpg: in this case it contains the digital signature of verification of the previous file, to verify that it is authentic.

You already know that if you download using the .torrent Verification will not be necessary, since verification is included in the download process with these types of clients.


Now let's put a practical example of how the verification should proceed in a real case. Let's assume that we want to download Ubunut 20.04 and verify its ISO image using SHA256:

The programs you need usually come pre-installed. Otherwise you will need to install the coreutils and gnupg packages
  1. Download the ISO image proper Ubuntu.
  2. Download verification files. That is, both SHA256SUMS and SHA256SUMS.gpg.
  3. Now you must execute the following commands from the directory where you have downloaded them (assuming they are in Downloads) to verify:
cd Descargas
gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg --keyid-format long --keyserver hkp:// --recv-keys 0xD94AA3F0EFE21092
sha256sum -c SHA256SUMS 

The results thrown these commands shouldn't alert you. The second command would display the signature information with the Ubuntu credentials in this case. If you read a message «There is no indication that the signature belongs to the owner»Or«There is no indication that the signature belongs to the owner" do not panic. It usually happens when it has not been declared as trustworthy. That is why you must be sure that the downloaded key belongs to the entity (in this case of the Ubuntu developers), and therefore the third command that I have put ...

The fourth command should tell you that everything is OK or a «The sum matches»If the ISO image file has not been modified. Otherwise, it should alert you that something is wrong ...

The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published.



  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.