#Verifying an ISO: What, Why, and How. / FAQ

12 messages · Page 1 of 1 (latest)

grave delta
#

What

A checksum is a small value calculated from a larger block of data. It's used to quickly check if that data has been accidentally altered or corrupted. If the checksum of the data as it is now matches the checksum of the data as it was then, you can be reasonably sure the data hasn't changed. It's a simple integrity check.

Think of it like this simple analogy. You have a shopping list with prices:

Apples: $2
Milk: $3
Bread: $1
Total (Checksum): $6

You tell your friend the list and the total ($6). If your friend writes down:

Apples: $2
Milk: $5 (Oops, a typo!)
Bread: $1
New Total (Checksum): $8

They compare their new total ($8) with your original total ($6). Since they don't match, they know their list isn't right, even if they don't know which item is wrong.

Why

Just like in the example situation above, you would want to verify the information you have. This confirms that the file was properly downloaded and that your local file is an exact copy of the file you wanted to download from the server. Therefore, you may assume that the file wasn't corrupted or tampered with.

What situation may call for it? In February 2016, there was an attack on the Linux Mint website. The hackers modified the Linux Mint ISO with a backdoor, and managed to hack the website to point to said file. Based on available information, they hadn't modified the checksums available on the download page... so if you had verified the ISO file, you would easily have found out that something was wrong with the file or during the transfer.

How

It's pretty simple. Linux Mint provides relevant instructions regarding this (see attached image). You would need to download the sha256sum.txt and sha256sum.txt.gpg. After downloading the ISO file, cd to its containing directory and run sha256sum -b yourfile.iso. You would need to compare the command output to the unaltered contents of sha256sum.txt. If the sums match, your ISO image was successfully downloaded. If they don’t, download it again.

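The "compare the command output to sha256sum.txt" step above can be scripted instead of eyeballed. This is an added example, not part of the Linux Mint instructions or of the original post; it assumes sha256sum (GNU coreutils or busybox) and awk are available, and it uses a constructed stand-in ISO and sums file rather than a real download. Besides the plain match it distinguishes the two failure outcomes a practitioner cares about: a digest that differs (which is what would have exposed the backdoored 2016 ISO, since the published sums were left alone) and a filename that is missing from the sums file entirely.

```shell
#!/bin/sh
# Added example, not part of the Linux Mint instructions. It automates the
# "compare the command output to sha256sum.txt" step and handles both line
# styles sha256sum writes:
#   HASH  name      (text mode)
#   HASH *name      (binary mode: what "sha256sum -b" prints and what the
#                    Mint sums file uses)
# Assumes sha256sum (GNU coreutils or busybox) and awk are available.

# check_iso_sum ISO SUMFILE
#   returns 0 when the ISO's digest equals its entry in SUMFILE
#           1 when it differs (corrupt download, or a swapped ISO)
#           2 when SUMFILE has no entry for that filename at all
check_iso_sum() {
    iso=$1
    sums=$2
    name=$(basename "$iso")

    # Expected digest for this exact filename. Strip the binary-mode '*'
    # so "*foo.iso" and "foo.iso" both match. (Filenames containing spaces
    # would need a smarter parser; ISO names don't have them.)
    expected=$(awk -v f="$name" '
        { n = $2; sub(/^\*/, "", n)
          if (n == f) { print tolower($1); exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "$name: no entry in $sums" >&2
        return 2
    fi

    actual=$(sha256sum "$iso" | awk '{ print tolower($1) }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: FAILED" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# --- Constructed demo data (stand-ins for a real ISO and sums file) -------
demo=$(mktemp -d)
printf 'pretend this is an ISO image\n' > "$demo/linuxmint-demo.iso"
# Same file with one byte changed: plays the role of a backdoored ISO that
# an attacker serves while the published sums file still lists the real one.
printf 'pretend this is an ISO imagE\n' > "$demo/linuxmint-backdoored.iso"
printf 'some other download\n'          > "$demo/other.iso"

real_sum=$(sha256sum "$demo/linuxmint-demo.iso" | awk '{ print $1 }')
printf '%s *linuxmint-demo.iso\n'       "$real_sum" >  "$demo/sha256sum.txt"
printf '%s *linuxmint-backdoored.iso\n' "$real_sum" >> "$demo/sha256sum.txt"

check_iso_sum "$demo/linuxmint-demo.iso"       "$demo/sha256sum.txt"          # OK
check_iso_sum "$demo/linuxmint-backdoored.iso" "$demo/sha256sum.txt" || true  # FAILED
check_iso_sum "$demo/other.iso"                "$demo/sha256sum.txt" || true  # no entry
```

The return codes are separate on purpose: a mismatch means "download again (or worry)", while a missing entry usually means you fetched the sums file for a different release or edition, which re-downloading the ISO will not fix.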
#

Authenticity check

If you have followed the above message and understood its contents, you would realize the potential flaw in the verification system.

What if someone does it again... and replaces the valid checksum with that of their malicious ISO?

That's what the authenticity check is for. It's just double-checking; it wouldn't hurt. The authenticity check prevents this by verifying that the checksum file itself is the genuine one created and published by the source project, and hasn't been tampered with by anyone else.

You may think of it this way. Imagine the source project has a special wax seal stamp (this is like their secret private key). This stamp is unique to them.

  • When they create the official checksum file, they use their special stamp to put their unique wax seal (the digital signature) right onto that checksum file.
  • They then give everyone a tool (this is like their public matching key) that can check if a wax seal was made by their specific stamp. This tool can only confirm their stamp; it can't make a seal itself.
  • When you download the checksum file with the wax seal, you use your checking tool. If the tool says, "Yes, this seal is genuine and matches the official stamp," then you know for sure that the checksum file could only have come from the project developers.
#

How to perform an authenticity check for Linux Mint?

You would first need to import their GPG key (checking tool/public matching key):
gpg --keyserver hkp://keys.openpgp.org:80 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09

You may then check if the key was properly imported (see attached image for the proper output):
gpg --list-key --with-fingerprint A25BAE09

You can now verify the authenticity of sha256sum.txt:
gpg --verify sha256sum.txt.gpg sha256sum.txt

If things are as they should be, the output should tell you that the file signature is good.

Do take note that GPG might warn you that the Linux Mint signature is not trusted by your computer. This is expected and perfectly normal.

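Scripting the signature check from this post is where people go wrong: a grep for "Good signature" accepts a good signature from any key, including one an attacker made for their own sums file. The added example below is not part of the post or of Linux Mint's instructions. It reads gpg's machine-readable status output and pins the signing key's full fingerprint, which for Linux Mint is the 27DEB15644C6B3CF3BD7D291300F846BA25BAE09 fingerprint given in the import command above. It assumes GnuPG 2.x; the key it signs with, the file names and the digests are constructed for the demo and live in a throwaway GNUPGHOME, so nothing touches your real keyring.

```shell
#!/bin/sh
# Added example, not part of the Linux Mint instructions. Shows how a script
# should check the detached signature on sha256sum.txt: not by grepping for
# the words "Good signature", but by reading gpg's --status-fd output and
# pinning the signer's full fingerprint. A good signature from *some* key
# proves nothing; it has to be the project's key (for Linux Mint,
# 27DEB15644C6B3CF3BD7D291300F846BA25BAE09). The demo key, file names and
# digests below are constructed so the script runs offline.
# Assumes GnuPG 2.x is installed.

# verify_sums_signature SIGFILE SUMFILE EXPECTED_FPR
#   0 = SIGFILE is a good signature over SUMFILE made by EXPECTED_FPR
#   1 = anything else (bad signature, unknown key, or the wrong key)
verify_sums_signature() {
    sig=$1; sums=$2; want=$3
    # With --status-fd 1 gpg writes lines such as
    #   [GNUPG:] VALIDSIG <fingerprint> <date> <timestamp> ...
    # VALIDSIG is emitted for a good signature even when the key carries no
    # trust (the "not certified with a trusted signature" warning the post
    # says to expect), and it carries the full fingerprint, not a short ID.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    printf '%s\n' "$status" | awk -v want="$want" '
        $2 == "VALIDSIG" && toupper($3) == toupper(want) { ok = 1 }
        END { exit !ok }'
}

if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg is not installed; nothing to demonstrate" >&2
    exit 0
fi

# --- Constructed demo: a throwaway "project" key and a signed sums file -----
GNUPGHOME=$(mktemp -d); export GNUPGHOME
demo=$(mktemp -d)

# Stand-in for the project's private key (the "wax seal stamp").
gpg --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Demo ISO Signer
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF
project_fpr=$(gpg --batch --list-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }')

# Constructed sums file; the digest is SHA-256 of the empty string, used as filler.
printf 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *linuxmint-demo.iso\n' \
    > "$demo/sha256sum.txt"
gpg --batch --quiet --detach-sign --output "$demo/sha256sum.txt.gpg" "$demo/sha256sum.txt"

# What an attacker who swapped the ISO would have to publish: a sums file with
# their own digest. Without the private key the old signature no longer
# verifies over it.
printf '0000000000000000000000000000000000000000000000000000000000000000 *linuxmint-demo.iso\n' \
    > "$demo/tampered.txt"

if verify_sums_signature "$demo/sha256sum.txt.gpg" "$demo/sha256sum.txt" "$project_fpr"; then
    echo "sha256sum.txt: genuine, signed by $project_fpr"
fi
verify_sums_signature "$demo/sha256sum.txt.gpg" "$demo/tampered.txt" "$project_fpr" \
    || echo "tampered.txt: signature does not verify"
# A valid signature from an unexpected key must fail too; that is why the
# fingerprint is pinned rather than just trusting "Good signature".
verify_sums_signature "$demo/sha256sum.txt.gpg" "$demo/sha256sum.txt" \
    "0000000000000000000000000000000000000000" \
    || echo "sha256sum.txt: signed by a key other than the one pinned"
```

For a real download, replace the demo fingerprint with the Linux Mint one from the import command and run the check before trusting anything in sha256sum.txt; a BADSIG (tampered sums file) makes gpg exit non-zero before the fingerprint is even compared, and a good signature from the wrong key is rejected by the pin.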
#

For other distributions, the purpose of this thread does not cover their specifics. Please refer to their verification instructions.

#

Credit goes to the Linux Mint Project for relevant information and media included herein. Thank you.

grave delta
#

Note: If you're using torrents, they have their own validation mechanism.

viral dome
#

if using the Ventoy flasher, and you didn't want to bother checking the sha256 on the hard drive after you downloaded the distro ISO from the website, you can just copy the ISO to the Ventoy'd USB stick and verify it from the Ventoy boot screen as shown. (this is a very good idea to do, since sometimes the ISO may copy incorrectly/imperfectly to the USB's flash memory cells due to hardware or user error)

#

then compare to the hash on the distro's website for a match.

viral dome
#

To Verify ISO from WINDOWS environment:

#

and again, compare the result to the distro's website checksum listings

#

remember, for checking the integrity of a file = sha256 or sha512, or md5 checksum (the most common thing to do)

#

for security/authenticity (less common to bother with, if getting from the official site) = gpg, explained way above.