Objective
Verify the integrity of ISO downloads using GPG keys.
Distributions
This will work with any Linux distribution.
Requirements
* A working Linux install with root access.
* GPG
Difficulty
Easy
Conventions
- # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
- $ – requires given linux commands to be executed as a regular non-privileged user
Introduction
It’s crucial to verify your downloads. Most downloads can be verified with a signed GPG key or a checksum, but few are as important as ISOs. It wasn’t that long ago that Linux Mint suffered a major security breach and handed out corrupted installation ISOs.
Verifying a download with its GPG key is actually very simple, so there’s no reason to skip it.
Download An ISO
You need a file to check first. If there’s an ISO that you need, grab that. Otherwise, this guide will use a Debian ISO.
Just download it with wget for simplicity.
$ cd ~/Downloads
$ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-8.8.0-amd64-netinst.iso
Get The Keys
You’re going to need a key to compare the signature on the ISO to. GPG can handle that. You need to fetch a key from the keyserver belonging to the developers who created the file, in this case, Debian.
$ gpg --keyserver keyring.debian.org --recv-keys 0x673A03E4C1DB921F
GPG takes both the address of the keyserver and the key(s) to download. The key could be identified by either the key ID or a fingerprint that looks something like this: 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092.
Get The Checksum
Every website is going to place the checksum that should accompany your download in a different place. Some make it easier to find than others.
Like a lot of distributions, Debian places them in the https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/ repository with their ISOs.
The files aren’t always named the same. Debian calls them SHA256SUMS and SHA256SUMS.sign. Others might call them something slightly different.
If you haven’t already, download those files.
Check the Checksum
Once you have the checksum files, you can verify them with GPG. It uses a simple command to check that they match the signatures from the keys that you imported.
$ gpg --verify SHA256SUMS.sign SHA256SUMS
A valid signature will report a good signature but also give a warning that GPG can’t verify the owner, because the key isn’t certified by a signature you trust. That’s alright.
Check The File
You’re finally ready to check the file itself. Use the sha256sum tool to check it against the SHA256SUMS file that you downloaded and verified.
$ sha256sum -c SHA256SUMS 2>&1 | grep OK
You can leave off everything after the checksum file, but you’ll get a lot of extra output that you don’t need (one line for every ISO listed in SHA256SUMS, most of which you haven’t downloaded). You’re just looking for your file to come up “OK.” If it doesn’t appear, the hash of the file you downloaded didn’t match the checksum listed for it, and the file is bad.
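The steps above (verify the signature on the checksum list, then verify the ISO against the list) as one script, added here as an example and not code from the original article. It checks exit statuses instead of grepping the output for “OK”, which also catches the case where your file isn’t listed at all, and it pins the signature to a full key fingerprint using GPG’s machine-readable status lines rather than the “Good signature” text. The function and file names are this example’s own; the fingerprint in the usage comment is the one quoted above, written without spaces, and `demo_offline` runs against constructed data so it needs neither the network nor gpg.

```shell
#!/bin/sh
# Added example (not from the original article): verify an ISO against a
# signed SHA256SUMS file by exit status. Assumes GNU coreutils sha256sum
# (falls back to perl's shasum) and, for the signature step, gpg.
set -u

if command -v sha256sum >/dev/null 2>&1; then SHA256SUM="sha256sum"; else SHA256SUM="shasum -a 256"; fi

# Verify the detached signature on the checksum list and require that it was
# made by the key with the expected full fingerprint (40 hex digits, no spaces).
# Arguments: sums-file sig-file expected-fingerprint
verify_sums_signature() {
    sums=$1; sig=$2; expected_fpr=$3
    # gpg prints a VALIDSIG status line only for a signature that verifies.
    # Field 3 is the signing (sub)key fingerprint, the last field the primary
    # key fingerprint, so accept a match on either.
    gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null \
        | awk -v fpr="$expected_fpr" '$2=="VALIDSIG" && ($3==fpr || $NF==fpr) {ok=1} END {exit ok ? 0 : 1}'
}

# Check one file against its own line in the checksum list. Returns 0 only when
# the file is listed AND its SHA-256 matches; "not listed" and "mismatch" both
# fail, which a bare `grep OK` would silently hide.
# Arguments: sums-file path-to-file
verify_file_in_sums() {
    sums=$1; file=$2
    name=$(basename "$file")
    # Lines look like "<hash>  <name>" (text mode) or "<hash> *<name>" (binary).
    line=$(awk -v n="$name" '$2==n || $2==("*" n)' "$sums")
    [ -n "$line" ] || return 1
    # Run the check from the file's directory so the listed name resolves.
    ( cd "$(dirname "$file")" && printf '%s\n' "$line" | $SHA256SUM -c --status - )
}

# Full procedure from the article in one call, e.g.:
#   verify_iso SHA256SUMS SHA256SUMS.sign 843938DF228D22F7B3742BC0D94AA3F0EFE21092 debian-8.8.0-amd64-netinst.iso
verify_iso() {
    verify_sums_signature "$1" "$2" "$3" || { echo "bad or unexpected signature on $1" >&2; return 1; }
    verify_file_in_sums "$1" "$4" || { echo "$4 is missing from $1 or does not match" >&2; return 1; }
    echo "$4: OK"
}

# Offline demonstration with constructed data: a genuine file must pass, the
# same file after tampering must fail, and an unlisted file must fail.
demo_offline() {
    dir=$(mktemp -d) || return 1
    printf 'constructed sample ISO contents\n' > "$dir/sample.iso"
    ( cd "$dir" && $SHA256SUM sample.iso > SHA256SUMS )
    verify_file_in_sums "$dir/SHA256SUMS" "$dir/sample.iso" || { rm -rf "$dir"; return 1; }
    printf 'x' >> "$dir/sample.iso"                       # tamper with the file
    if verify_file_in_sums "$dir/SHA256SUMS" "$dir/sample.iso"; then rm -rf "$dir"; return 1; fi
    if verify_file_in_sums "$dir/SHA256SUMS" "$dir/other.iso"; then rm -rf "$dir"; return 1; fi
    rm -rf "$dir"
    echo "demo_offline: all three checks behaved as expected"
}
```

Because `verify_file_in_sums` feeds only your file’s line to `sha256sum -c`, the other ISOs in Debian’s list don’t produce “FAILED open or read” noise, and the exit status of the function alone tells you whether the download is good.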
Closing Thoughts
Checking the signatures of your files against a checksum can be a pain, but it’s not nearly as much of a pain as having a compromised system because you downloaded a pre-hacked ISO, or a file that comes with a complimentary backdoor.