Objective
Verify the integrity of ISO downloads using GPG keys.

Distributions
This will work with any Linux distribution.

Requirements
* A working Linux install with root access.
* GPG
- # - requires given linux commands to be executed with root privileges either directly as a root user or by use of
- $ - requires given linux commands to be executed as a regular non-privileged user
Introduction
It's crucial to verify your downloads. Most downloads can be verified with a GPG signature or a checksum, but few are as important as ISOs. It wasn't that long ago that Linux Mint suffered a major security breach and handed out corrupted installation ISOs.
Verifying a download with its GPG key is actually very simple, so there's no reason to skip it.
Download An ISO
You need a file to check first. If there's an ISO that you need, grab that. Otherwise, this guide will use a Debian ISO.
Just download it with
$ cd ~/Downloads
$ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-8.8.0-amd64-netinst.iso
Get The Keys
You're going to need a key to compare the signature on the ISO to. GPG can handle that. You need to fetch a key from the keyserver belonging to the developers who created the file, in this case, Debian.
$ gpg --keyserver keyring.debian.org --recv-keys 0x673A03E4C1DB921F
GPG takes both the address of the keyserver and the key(s) to download. The key can be identified by either the key ID or a fingerprint that looks something like this:
8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
Get The Checksum
Every website is going to place the checksum that should accompany your download in a different place. Some make it easier to find than others.
Like a lot of distributions, Debian places them in the https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/ repository with their ISOs.
The files aren't always named the same. Debian calls them SHA256SUMS and SHA256SUMS.sign. Others might call them something slightly different. If you haven't already, download those files.
Check the Checksum
Once you have the checksum files, you can verify them with GPG. It uses a simple command to check that they match the signatures from the keys that you imported.
$ gpg --verify SHA256SUMS.sign SHA256SUMS
A valid signature will report a good signature but also give a warning that GPG can't verify the owner of the key. That's alright.
Check The File
You're finally ready to check the file itself. Use the sha256sum tool to check it against the SHA256SUMS file that you downloaded and verified.
$ sha256sum -c SHA256SUMS 2>&1 | grep OK
You can leave off everything after the checksum file, but you'll get a lot of extra output that you don't need. You're just looking for your file to come up "OK." If you don't see anything, that means the file's checksum didn't match the one listed in SHA256SUMS, and the download is bad.
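The last two steps as a script with explicit exit codes, added here as an example rather than code from the article. It assumes gpg and sha256sum are installed, uses the Debian file names from above, and separates the case the grep filter hides: a file that is not listed in SHA256SUMS at all prints nothing, just like a mismatch.

```shell
#!/bin/sh
# Added example (not from the article): signature check, then hash check,
# each reported through a return code so a script can stop on failure.
# Assumes gpg and sha256sum (coreutils) are on the PATH.

# Step 1: the detached signature must verify against an already imported key.
# gpg exits non-zero on a bad signature or an unknown key.
verify_sums_signature() {
    sums="$1"
    sig="$2"
    gpg --verify "$sig" "$sums" >/dev/null 2>&1
}

# Step 2: compare the hash of one file with its entry in SHA256SUMS.
# Returns 0 on a match, 1 on a mismatch, 2 if the file is not listed
# (the case that "sha256sum -c | grep OK" hides by printing nothing).
check_listed_sum() {
    sums="$1"
    file="$2"
    name=$(basename "$file")
    # Lines look like "<64 hex chars>  <name>"; strip a binary-mode "*" prefix.
    expected=$(awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || return 1
    return 0
}

# Run both steps in order and say which one failed.
# Usage: verify_iso SHA256SUMS SHA256SUMS.sign debian-8.8.0-amd64-netinst.iso
verify_iso() {
    sums="$1"; sig="$2"; iso="$3"
    if ! verify_sums_signature "$sums" "$sig"; then
        echo "BAD: signature on $sums did not verify" >&2
        return 1
    fi
    rc=0
    check_listed_sum "$sums" "$iso" || rc=$?
    case $rc in
        0) echo "OK: $iso matches the signed $sums" ;;
        1) echo "BAD: $iso does not match the hash in $sums" >&2; return 1 ;;
        2) echo "BAD: $iso is not listed in $sums" >&2; return 1 ;;
    esac
}
```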