In this tutorial you will learn how to verify the authenticity of a downloaded Ubuntu ISO image. The aim is to ensure that the downloaded Ubuntu ISO has not been tampered with, is not corrupted in some way, and is malware free.
In this tutorial you will learn:
- How to obtain the correct signature key
- How to import the correct signature key
- How to verify the content of the checksum file
- How to verify downloaded Ubuntu ISO image checksum
Software Requirements and Conventions Used
Category | Requirements, Conventions or Software Version Used |
---|---|
System | Installed or upgraded Ubuntu 20.04 Focal Fossa |
Software | N/A |
Other | Privileged access to your Linux system as root or via the sudo command. |
Conventions | # – requires given linux commands to be executed with root privileges either directly as a root user or by use of the sudo command; $ – requires given linux commands to be executed as a regular non-privileged user |
How to verify downloaded Ubuntu ISO image checksum step by step instructions
- The first step is to download the Ubuntu ISO image. Most likely you have already completed this step. In this tutorial we will download and use the Ubuntu 20.04 ISO image. Before you proceed to the next step you should have the Ubuntu ISO image available. Example:
$ ls focal-desktop-amd64.iso
- From the same Ubuntu server location from which you downloaded the ISO image, you will also need to download the relevant SHA256SUMS checksum and SHA256SUMS.gpg signature files.
DID YOU KNOW?
You can verify the Ubuntu ISO image checksum using either SHA1SUMS or SHA256SUMS or MD5SUM message digests. Any of these verification methods are valid and you should pick the one which best suits your needs. The verification procedure is the same for all three.
Once ready, your directory should at this stage contain the following files:
$ ls focal-desktop-amd64.iso SHA256SUMS SHA256SUMS.gpg
- Next, we need to obtain the correct signature key in order to authenticate the content of the SHA256SUMS checksum file. To do so execute the below gpg command:
$ gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Mon 09 Mar 2020 18:58:10 AEDT
gpg: using RSA key D94AA3F0EFE21092
gpg: Can't check signature: No public key
The above output indicates that the signature key used is D94AA3F0EFE21092 and that our system currently does not have this key available. To import the missing signature key run:
$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys D94AA3F0EFE21092
gpg: key D94AA3F0EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012)" imported
gpg: Total number processed: 1
gpg: imported: 1
Inspect the output of the above import command and check for the public key owner.
- With the Ubuntu CD Image Automatic Signing Key imported we are ready to validate the content of the SHA256SUMS checksum file:
$ gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Mon 09 Mar 2020 18:58:10 AEDT
gpg: using RSA key D94AA3F0EFE21092
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
The output of the above command should produce the Good signature message.
- The last step is to verify the digest checksum of the Ubuntu ISO image and compare it with the content of the SHA256SUMS checksum file. To do so execute:
$ sha256sum -c SHA256SUMS
focal-desktop-amd64.iso: OK
Alternatively, you can simply generate the checksum first and compare the output with the content of the checksum file manually. Both checksums should match:
$ sha256sum focal-desktop-amd64.iso
8807ddb1927e341c97031c20da88368276be4e3601c31846db41e32cb44027ef focal-desktop-amd64.iso
$ cat SHA256SUMS
8807ddb1927e341c97031c20da88368276be4e3601c31846db41e32cb44027ef *focal-desktop-amd64.iso
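The steps above combined into one stricter check, as an added example that is not part of the original tutorial. The owner name gpg displays is whatever the key's creator typed, so this script accepts the signature only when gpg's machine-readable status reports the full primary key fingerprint printed in the output above, and then compares the ISO's SHA-256 with its own entry in SHA256SUMS. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial. The fingerprint is copied from
# the "Primary key fingerprint" line in the gpg output above, spaces removed.
EXPECTED_FPR=843938DF228D22F7B3742BC0D94AA3F0EFE21092

# status_has_validsig FPR STATUS_TEXT
# True only if gpg's --status-fd output contains a VALIDSIG record whose last
# field (the primary key fingerprint) equals FPR. A "Good signature" line alone
# is not enough: gpg prints it for any key that happens to be in the keyring.
status_has_validsig() {
    printf '%s\n' "$2" | awk -v fpr="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($NF "") == (fpr "") { ok = 1 }
        END { exit !ok }'
}

# expected_digest SUMS_FILE NAME: print the digest recorded for NAME.
# Lines look like "<hex>  name" or "<hex> *name" (binary-mode marker).
# Assumes file names without spaces, as on the Ubuntu image servers.
expected_digest() {
    awk -v f="$2" '{ n = $2; sub(/^\*/, "", n) }
        (n "") == (f "") { print $1; exit }' "$1"
}

# iso_matches_sums ISO SUMS_FILE: hash the ISO and compare with its entry.
iso_matches_sums() {
    want=$(expected_digest "$2" "$(basename "$1")")
    [ -n "$want" ] || return 1      # no entry for this file: fail closed
    got=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# verify_iso ISO SUMS_FILE SIG_FILE: signature first, digest second, so the
# checksum is only trusted after the file carrying it has been authenticated.
verify_iso() {
    status=$(gpg --status-fd 1 --verify "$3" "$2" 2>/dev/null) || return 1
    status_has_validsig "$EXPECTED_FPR" "$status" || return 1
    iso_matches_sums "$1" "$2"
}

# Usage:
#   verify_iso focal-desktop-amd64.iso SHA256SUMS SHA256SUMS.gpg && echo verified
```

Source the file (or paste the functions into a script) in the directory holding the three downloaded files; any failure, including a missing key or a missing SHA256SUMS entry, yields a non-zero exit status.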