Objective

Verify the integrity of ISO downloads using GPG keys.

Distributions

This will work with any Linux distribution.

Requirements

  • A working Linux install with root access
  • GPG

Difficulty

Easy

Conventions

  • # - requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
  • $ - requires given linux commands to be executed as a regular non-privileged user

Introduction

It's crucial to verify your downloads. Most downloads can be verified with a signed GPG key or a checksum, but few are as important as ISOs. It wasn't that long ago that Linux Mint suffered a major security breach and handed out corrupted installation ISOs.

Verifying a download with its GPG key is actually very simple, so there's no reason to skip it.

Download An ISO

You need a file to check first. If there's an ISO that you need, grab that. Otherwise, this guide will use a Debian ISO.

Just download it with wget for simplicity.
$ cd ~/Downloads
$ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-8.8.0-amd64-netinst.iso

Get The Keys

You're going to need the developers' public key to check the signature against. GPG can handle that. You need to fetch the key from the keyserver belonging to the developers who created the file, in this case, Debian.
$ gpg --keyserver keyring.debian.org --recv-keys 0x673A03E4C1DB921F
GPG takes both the address of the keyserver and the key(s) to download. The key can be identified either by its key ID or by a fingerprint that looks something like this: 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092.

Get The Checksum

Every website is going to place the checksum that should accompany your download in a different place. Some make it easier to find than others.

Like a lot of distributions, Debian places them in the https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/ directory alongside the ISOs.

The files aren't always named the same. Debian calls them SHA256SUMS and SHA256SUMS.sign. Others might call them something slightly different. If you haven't already, download those files.

Check the Checksum

Once you have the checksum files, you can verify them with GPG. It uses a simple command to check that they match the signatures from the keys that you imported.
$ gpg --verify SHA256SUMS.sign SHA256SUMS
A valid signature will report a good signature, but it will also warn that GPG can't verify that the key belongs to its owner. That's alright.

Check The File

You're finally ready to check the file itself. Use the sha256sum tool to check it against the SHA256SUMS file that you downloaded and verified.
$ sha256sum -c SHA256SUMS 2>&1 | grep OK
You can leave off everything after the checksum file name, but you'll get a lot of extra output that you don't need. You're just looking for your file to come up "OK." If you don't see anything, that means the file's checksum didn't match the one listed in SHA256SUMS, and the file is bad.
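As an added example (not part of the original article), here is a small POSIX shell script that wraps the steps above so that each one produces a clear pass/fail exit status instead of output you read by eye. It assumes gpg and sha256sum are on the PATH, that the signing key has already been imported as shown earlier, that SHA256SUMS, SHA256SUMS.sign and the ISO sit in the current directory, and that EXPECTED_FPR is set to the fingerprint the distribution publishes (the value in the script is a placeholder). The "can't verify the owner" warning mentioned above means GPG only confirmed that some imported key made the signature; comparing the signing key's fingerprint against the one published on the distribution's website is what closes that gap, so the script checks the VALIDSIG status line against the pinned fingerprint rather than just looking for "Good signature".

```shell
#!/bin/sh
# Added example, not from the original article: wraps the verification steps
# in functions whose exit status can be checked mechanically.
# Assumptions (all placeholders): SHA256SUMS, its .sign file and the ISO are in
# the current directory, the signing key is already imported, and EXPECTED_FPR
# holds the fingerprint the distribution publishes.
set -eu

# Placeholder fingerprint; replace with the one printed on the distribution's website.
EXPECTED_FPR="${EXPECTED_FPR:-0000 0000 0000 0000 0000 0000 0000 0000 0000 0000}"

# check_gpg_status STATUS_FILE FINGERPRINT
# Reads the machine-readable lines gpg writes with --status-fd and succeeds
# only when a VALIDSIG line carries the expected fingerprint. GOODSIG alone
# means "some imported key signed this"; VALIDSIG with the pinned fingerprint
# means the key you meant signed it. Spaces and case in the fingerprint are
# ignored so it can be pasted exactly as printed on the website.
check_gpg_status() {
    status_file=$1
    fpr=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    grep -q '^\[GNUPG:] GOODSIG ' "$status_file" || return 1
    grep -q "^\[GNUPG:] VALIDSIG $fpr " "$status_file" || return 1
}

# verify_signature SUMS SIG FINGERPRINT
# Same as `gpg --verify SIG SUMS`, but the verdict comes from the status
# lines rather than from reading "Good signature" by eye.
verify_signature() {
    status=$(mktemp)
    gpg --status-fd 1 --verify "$2" "$1" >"$status" 2>/dev/null || true
    if check_gpg_status "$status" "$3"; then rm -f "$status"; return 0; fi
    rm -f "$status"
    return 1
}

# expected_sum SUMS FILENAME
# Prints the hash recorded for FILENAME in a SHA256SUMS-style file
# ("<hex>  <name>" or "<hex> *<name>" per line); fails if it is not listed.
expected_sum() {
    awk -v name="$2" '
        { n = $2; sub(/^\*/, "", n) }
        n == name { print $1; found = 1 }
        END { exit !found }' "$1"
}

# check_file SUMS FILENAME
# Compares the recorded hash with the file's actual SHA-256. Unlike
# `sha256sum -c | grep OK`, a file that is missing from SUMS is a failure
# rather than an empty result that is easy to overlook.
check_file() {
    want=$(expected_sum "$1" "$2") || return 1
    have=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# main [SUMS] [SIG] ISO
main() {
    sums=${1:-SHA256SUMS}
    sig=${2:-SHA256SUMS.sign}
    iso=${3:?usage: verify-iso.sh SUMS SIG ISO}
    verify_signature "$sums" "$sig" "$EXPECTED_FPR" \
        || { echo "signature on $sums did not verify with the expected key" >&2; return 1; }
    check_file "$sums" "$iso" \
        || { echo "$iso: checksum mismatch or not listed in $sums" >&2; return 1; }
    echo "$iso: OK"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Usage, with the published fingerprint exported first: `EXPECTED_FPR='8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092' sh verify-iso.sh SHA256SUMS SHA256SUMS.sign debian-8.8.0-amd64-netinst.iso`. The signature check runs before the checksum comparison on purpose: a SHA256SUMS file that was not signed by the expected key tells you nothing about the ISO, no matter how well the hashes match.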

Closing Thoughts

Checking the signatures of your files against a checksum can be a pain, but it's not nearly as much of a pain as having a compromised system because you downloaded a pre-hacked ISO, or a file that comes with a complimentary backdoor.