This confirms the ISO file hasn’t been tampered with or corrupted. The process may differ a bit for different ISOs, but it usually follows that general pattern. For example, there are several different types of checksums. Traditionally, MD5 sums have been the most popular. However, SHA-256 sums are now more frequently used by modern Linux distributions, as SHA-256 is more resistant to theoretical attacks. We’ll primarily discuss SHA-256 sums here, although a similar process will work for MD5 sums. Some Linux distros may also provide SHA-1 sums, although these are even less common.

Similarly, some distros don’t sign their checksums with PGP. In that case you’ll only need to perform steps 1, 2, and 5, but the process is much more vulnerable. After all, if an attacker can replace the ISO file offered for download, they can also replace the checksum. Using PGP is much more secure, but not foolproof. If the attacker could also replace the public key with their own, they could still trick you into thinking the ISO is legitimate. However, if the public key is hosted on a different server, as is the case with Linux Mint, this becomes far less likely (since they’d have to compromise two servers instead of just one). But if the public key is stored on the same server as the ISO and checksum, as is the case with some distros, then it doesn’t offer as much security. Still, verifying the PGP signature on a checksum file and then validating your download against that checksum is all you can reasonably do as an end user downloading a Linux ISO. You’re still much more secure than the people who don’t bother.

We’ll use Linux Mint as an example here, but you may need to search your Linux distribution’s website to find the verification options it offers. For Linux Mint, two files are provided along with the ISO download on its download mirrors. Download the ISO, and then download the “sha256sum.txt” and “” files to your computer. Right-click the files and select “Save Link As” to download them.

On your Linux desktop, open a terminal window and download the PGP key. In this case, Linux Mint’s PGP key is hosted on Ubuntu’s key server, and we must run the following command to get it:

gpg --keyserver hkp:// --recv-keys 0FF405B2

Your Linux distro’s website will point you towards the key you need. We now have everything we need: the ISO, the checksum file, the checksum’s digital signature file, and the PGP key. So next, change to the folder they were downloaded to…

cd ~/Downloads

…and run the following command to check the signature of the checksum file:

gpg --verify sha256sum.txt

If the GPG command lets you know that the downloaded sha256sum.txt file has a “good signature”, you can continue. In the fourth line of the screenshot below, GPG informs us that this is a “good signature” that claims to be associated with Clement Lefebvre, Linux Mint’s creator. Don’t worry that the key isn’t certified with a “trusted signature.” This is because of the way PGP encryption works: you haven’t set up a web of trust by importing keys from people you trust.

Lastly, now that we know the checksum file was created by the Linux Mint maintainers, run the following command to generate a checksum from the downloaded .iso file and compare it to the checksum TXT file you downloaded:

sha256sum --check sha256sum.txt

You’ll see a lot of “no such file or directory” messages if you only downloaded a single ISO file, but you should see an “OK” message for the file you downloaded if it matches the checksum.
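To make clear what the final sha256sum --check step is actually doing, and why the “no such file or directory” messages are harmless, here is an added example (not part of the original article or of any distro’s tooling) that parses a sha256sum.txt-style list and checks the files next to it, reporting OK, FAILED or MISSING per entry. File names used in the comments are constructed placeholders.

```python
import hashlib
import os
from typing import Dict

def parse_checksum_file(text: str) -> Dict[str, str]:
    """Parse sha256sum.txt lines: '<64 hex>  <name>' or '<64 hex> *<name>'
    (the '*' marks binary mode). Returns {name: expected_hex_digest}."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        digest, sep, name = line.partition(" ")
        name = name.lstrip(" ")          # GNU sha256sum puts two spaces before the name
        if name.startswith("*"):
            name = name[1:]
        if not sep or not name or len(digest) != 64 or not set(digest) <= set("0123456789abcdefABCDEF"):
            raise ValueError(f"line {lineno}: not a SHA-256 checksum line")
        expected[name] = digest.lower()
    return expected

def sha256_of_file(path: str) -> str:
    """Hash a (possibly multi-GB) ISO in 1 MiB chunks instead of reading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_files(checksum_path: str) -> Dict[str, str]:
    """Return {name: 'OK' | 'FAILED' | 'MISSING'} for every listed file, resolving
    names relative to the checksum file; MISSING is sha256sum's 'No such file or directory'."""
    base = os.path.dirname(os.path.abspath(checksum_path))
    with open(checksum_path, encoding="utf-8") as f:
        expected = parse_checksum_file(f.read())
    results = {}
    for name, digest in expected.items():
        path = os.path.join(base, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_of_file(path) == digest:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results

def download_is_good(results: Dict[str, str], iso_name: str) -> bool:
    """The ISO you downloaded must be OK; other ISOs may be MISSING, but none may be FAILED."""
    return results.get(iso_name) == "OK" and "FAILED" not in results.values()
```

Run it only after gpg has reported a good signature on the checksum file; a matching hash proves nothing if the list itself was swapped.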