In this tutorial you will learn how to verify the authenticity of downloaded Ubuntu ISO image. The aim is to ensure that the Ubuntu downloaded ISO has not been tempered with, it is not corrupted in someway and is malware free.

In this tutorial you will learn:
  • How to obtain the correct signature key
  • How to import the correct signature key
  • How to verify the content of the checksum file
  • How to verify downloaded Ubuntu ISO image checksum
How to verify downloaded Ubuntu ISO image checksum
How to verify downloaded Ubuntu ISO image checksum

Software Requirements and Conventions Used

Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System Installed or upgraded Ubuntu 20.04 Focal Fossa
Software N/A
Other Privileged access to your Linux system as root or via the sudo command.
Conventions # - requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ - requires given linux commands to be executed as a regular non-privileged user

How to verify downloaded Ubuntu ISO image checksum step by step instructions

  1. First step is to download Ubuntu ISO image. Most likely you have already completed this step. In this tutorial we will use and download Ubuntu 20.04 ISO image. Before you proceed to the next step you should have Ubuntu ISO image available. Example:
    $ ls
    focal-desktop-amd64.iso
    
  2. From the same Ubuntu server location you have downloaded the actual ISO image you will also need to download relevant SHA256SUMS checksum and SHA256SUMS.gpg signature files.
    DID YOU KNOW?
    That you can verify the Ubuntu ISO image checksum using either SHA1SUMS or SHA256SUMS or MD5SUM message digests. Any of these verification methods are valid and you should pick the one which best suits your needs. The verification method procedure is the same for all three.
    checksum and signatures
    Available SHA256SUMS checksum and SHA256SUMS.gpg signature files along with the actual Ubuntu ISO image.
    Once ready the content of your directory should at this stage contain the following files:
    $ ls
    focal-desktop-amd64.iso  SHA256SUMS  SHA256SUMS.gpg
    

  3. SUBSCRIBE TO NEWSLETTER
    Subscribe to Linux Career NEWSLETTER and receive latest Linux news, jobs, career advice and tutorials.


  4. Next, we need to obtain the correct signature key in order to authenticate the content of the SHA1SUMS checksum file. To do so execute the below gpg command:
    $ gpg --verify SHA256SUMS.gpg SHA256SUMS
    gpg: Signature made Mon 09 Mar 2020 18:58:10 AEDT
    gpg:                using RSA key D94AA3F0EFE21092
    gpg: Can't check signature: No public key
    
    The above output indicates that the signature key used is D94AA3F0EFE21092 and that our system currently does not have this key available. To import the missing signature key run:
    $ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys D94AA3F0EFE21092
    gpg: key D94AA3F0EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) " imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    
    Inspect the output of the above import command and check for the public key owner.
  5. With the Ubuntu CD Image Automatic Signing Key imported we are ready to validate the content of the SHA1SUMS checksum file:
    $ gpg --verify SHA256SUMS.gpg SHA256SUMS
    gpg: Signature made Mon 09 Mar 2020 18:58:10 AEDT
    gpg:                using RSA key D94AA3F0EFE21092
    gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) " [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
    
    The ouput of the above command should produce the Good signature message.
  6. Last step is to verify the digest checksum of the Ubuntu ISO image and compare it with the content of the SHA1SUMS checksum file. To do so execute:
    $ sha256sum -c SHA256SUMS
    focal-desktop-amd64.iso: OK
     
    Alternatively, you can simply generate the checksum first and compare the ouput with the content of the checksum file manually. Both checksum's should match:
    $ sha256sum focal-desktop-amd64.iso 
    8807ddb1927e341c97031c20da88368276be4e3601c31846db41e32cb44027ef  focal-desktop-amd64.iso
    $ cat SHA256SUMS
    8807ddb1927e341c97031c20da88368276be4e3601c31846db41e32cb44027ef *focal-desktop-amd64.iso
    
FIND LATEST LINUX JOBS on LinuxCareers.com
Submit your RESUME, create a JOB ALERT or subscribe to RSS feed.
LINUX CAREER NEWSLETTER
Subscribe to NEWSLETTER and receive latest news, jobs, career advice and tutorials.
DO YOU NEED ADDITIONAL HELP?
Get extra help by visiting our LINUX FORUM or simply use comments below.