In this tutorial you will learn how to verify the authenticity of downloaded Ubuntu ISO image. The aim is to ensure that the Ubuntu downloaded ISO has not been tempered with, it is not corrupted in someway and is malware free.
In this tutorial you will learn:
- How to obtain the correct signature key
- How to import the correct signature key
- How to verify the content of the checksum file
- How to verify downloaded Ubuntu ISO image checksum
Software Requirements and Conventions Used
| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Installed or upgraded Ubuntu 20.04 Focal Fossa |
| Software | N/A |
| Other | Privileged access to your Linux system as root or via the sudo command. |
| Conventions |
# – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command$ – requires given linux commands to be executed as a regular non-privileged user |
How to verify downloaded Ubuntu ISO image checksum step by step instructions
- First step is to download Ubuntu ISO image. Most likely you have already completed this step. In this tutorial we will use and download Ubuntu 20.04 ISO image. Before you proceed to the next step you should have Ubuntu ISO image available. Example:
$ ls focal-desktop-amd64.iso
- From the same Ubuntu server location you have downloaded the actual ISO image you will also need to download relevant
SHA256SUMSchecksum andSHA256SUMS.gpgsignature files.DID YOU KNOW?
That you can verify the Ubuntu ISO image checksum using eitherSHA1SUMSorSHA256SUMSorMD5SUMmessage digests. Any of these verification methods are valid and you should pick the one which best suits your needs. The verification method procedure is the same for all three.
AvailableSHA256SUMSchecksum andSHA256SUMS.gpgsignature files along with the actual Ubuntu ISO image.Once ready the content of your directory should at this stage contain the following files:
$ ls focal-desktop-amd64.iso SHA256SUMS SHA256SUMS.gpg
- Next, we need to obtain the correct signature key in order to authenticate the content of the
SHA1SUMSchecksum file. To do so execute the belowgpgcommand:$ gpg --verify SHA256SUMS.gpg SHA256SUMS gpg: Signature made Mon 09 Mar 2020 18:58:10 AEDT gpg: using RSA key D94AA3F0EFE21092 gpg: Can't check signature: No public key
The above output indicates that the signature key used is
D94AA3F0EFE21092and that our system currently does not have this key available. To import the missing signature key run:$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys D94AA3F0EFE21092 gpg: key D94AA3F0EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012)
Inspect the output of the above import command and check for the public key owner.
- With the
Ubuntu CD Image Automatic Signing Keyimported we are ready to validate the content of theSHA1SUMSchecksum file:$ gpg --verify SHA256SUMS.gpg SHA256SUMS gpg: Signature made Mon 09 Mar 2020 18:58:10 AEDT gpg: using RSA key D94AA3F0EFE21092 gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012)
The ouput of the above command should produce the
Good signaturemessage. - Last step is to verify the digest checksum of the Ubuntu ISO image and compare it with the content of the
SHA1SUMSchecksum file. To do so execute:$ sha256sum -c SHA256SUMS focal-desktop-amd64.iso: OK
Alternatively, you can simply generate the checksum first and compare the ouput with the content of the checksum file manually. Both checksum’s should match:
$ sha256sum focal-desktop-amd64.iso 8807ddb1927e341c97031c20da88368276be4e3601c31846db41e32cb44027ef focal-desktop-amd64.iso $ cat SHA256SUMS 8807ddb1927e341c97031c20da88368276be4e3601c31846db41e32cb44027ef *focal-desktop-amd64.iso