LOGO

Verify Linux ISO Checksum: Ensure File Integrity

March 28, 2016
Topics:FeaturesLinux & macOS TerminalLinux
Verify Linux ISO Checksum: Ensure File Integrity

Verifying the Integrity of Downloaded Linux ISOs

Recent security incidents, such as the compromise of Linux Mint’s website last month, highlight the critical need for verifying the authenticity of downloaded Linux ISO files. A malicious, modified ISO was briefly available for download, containing a backdoor.

Although the issue was swiftly addressed, this event underscores the importance of proactive file verification before execution and installation.

Understanding Checksums and Digital Signatures

Most Linux distributions provide checksums alongside their ISO images. These checksums act as digital fingerprints, allowing users to confirm that the downloaded file hasn’t been altered during transit.

Furthermore, these checksums are frequently digitally signed. This ensures the integrity of the checksum itself, preventing attackers from substituting a compromised checksum with a valid one.

Why Verification is Crucial

Verifying ISO files is especially vital when downloading from sources other than the official distribution website. Third-party mirrors and peer-to-peer networks like BitTorrent present increased risks of file tampering.

The decentralized nature of these platforms makes it easier for malicious actors to distribute compromised files.

How to Verify Your Linux ISO

  • Obtain the Checksum: Download the appropriate checksum file (often SHA256SUMS or similar) from the official Linux distribution’s website.
  • Calculate the Checksum: Use a checksum utility on your operating system to calculate the checksum of the downloaded ISO file.
  • Compare Checksums: Compare the calculated checksum with the checksum provided by the distribution. They must match exactly.
  • Verify the Signature: If a signature is provided, use the distribution’s public key to verify the signature of the checksum file.

By following these steps, you can significantly reduce the risk of installing a compromised operating system and protect your system from potential security threats.

Prioritizing these verification procedures is a fundamental aspect of maintaining a secure computing environment.

Understanding the ISO Verification Process

Verifying an ISO file involves a series of steps designed to ensure its integrity. Before detailing these steps, it’s important to understand the overall procedure involved in this security check.

The Verification Steps

  • First, the Linux ISO file is downloaded from the official website of the Linux distribution, or another trusted source.
  • Next, a checksum file and its corresponding digital signature are obtained from the same distribution’s website. These may be provided as separate TXT files, or combined into a single TXT file.
  • A public PGP key, belonging to the Linux distribution, is then acquired. This key can be found on the distribution’s website or a dedicated key server.
  • The PGP key is utilized to confirm that the digital signature on the checksum file was genuinely created by the key’s owner – the maintainers of the Linux distribution. This validates the checksum’s authenticity.
  • Finally, a checksum is generated from the downloaded ISO file and compared against the checksum value found in the downloaded TXT file. A match confirms the ISO file hasn’t been altered or corrupted during download.

While the specifics may vary depending on the ISO, this general pattern is commonly followed. Different types of checksums exist, with MD5 sums historically being popular.

However, modern Linux distributions increasingly employ SHA-256 sums due to their enhanced resistance to potential attacks. This discussion will primarily focus on SHA-256 sums, though the process remains similar for MD5 sums. Some distributions may also offer SHA-1 sums, though their usage is declining.

It’s also important to note that some distributions do not digitally sign their checksums with PGP. In such cases, only steps 1, 2, and 5 are necessary, but this approach is considerably less secure. An attacker could potentially replace both the ISO file and the checksum simultaneously.

Employing PGP significantly improves security, although it isn’t entirely foolproof. A malicious actor could theoretically substitute the public key with a fraudulent one, deceiving users into believing a compromised ISO is legitimate.

However, if the public key is hosted on a separate server – as is the practice with Linux Mint – this risk is substantially reduced, as it would require compromising two servers instead of one. Conversely, if the public key resides on the same server as the ISO and checksum, the security benefit is diminished.

Nevertheless, verifying the PGP signature of a checksum file and subsequently validating the download with that checksum represents a reasonable level of security for end-users downloading a Linux ISO. This practice offers a significantly higher degree of protection than forgoing verification altogether.

How to Validate a Checksum in a Linux Environment

This guide utilizes Linux Mint as a demonstration; however, users of other distributions may need to consult their specific system’s documentation to locate the available verification tools. For Linux Mint, two accompanying files are provided alongside the ISO download on official mirrors. Download the ISO image, and subsequently obtain the "sha256sum.txt" and "sha256sum.txt.gpg" files to your computer.

To download these files, right-click on them and select "Save Link As."

how-to-verify-a-downloaded-linux-iso-file-wasnt-tampered-with-1.jpg

Open a terminal window on your Linux desktop to begin the process of downloading the necessary PGP key. The PGP key for Linux Mint is hosted on Ubuntu’s key server, requiring the execution of the following command.

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 0FF405B2

The website for your particular Linux distribution will provide the specific key required for verification.

how-to-verify-a-downloaded-linux-iso-file-wasnt-tampered-with-2.jpg

All necessary components are now available: the ISO image, the checksum file, the digital signature file for the checksum, and the PGP key. Next, navigate to the directory where these files were downloaded.

cd ~/Downloads

Then, execute the following command to verify the signature of the checksum file.

gpg --verify sha256sum.txt.gpg sha256sum.txt

If the GPG command confirms a "good signature" for the downloaded sha256sum.txt file, you may proceed. As illustrated in the screenshot, GPG indicates a valid signature associated with Clement Lefebvre, the creator of Linux Mint.

how-to-verify-a-downloaded-linux-iso-file-wasnt-tampered-with-3.jpg

Do not be concerned if the key lacks a "trusted signature" certification. This is a common occurrence due to the nature of PGP encryption and the absence of a pre-established web of trust through key imports.

Having confirmed the checksum's origin from the Linux Mint maintainers, proceed to generate a checksum from the downloaded .iso file and compare it to the contents of the downloaded checksum TXT file.

sha256sum --check sha256sum.txt

If you only downloaded a single ISO file, you may encounter "no such file or directory" messages. However, a matching checksum will result in an "OK" message for the downloaded file.

how-to-verify-a-downloaded-linux-iso-file-wasnt-tampered-with-4.jpg

Checksum commands can also be applied directly to an .iso file. This will calculate and display the file’s checksum. You can then visually compare this result with the valid checksum listed in the TXT file.

To obtain the SHA-256 sum of an ISO file, use the following command:

sha256sum /path/to/file.iso

Alternatively, if you have an md5sum value, you can calculate the md5sum of a file using:

md5sum /path/to/file.iso

Finally, compare the generated checksum with the corresponding value in the checksum TXT file to verify their consistency.

Verifying Checksums on a Windows System

When obtaining a Linux ISO on a Windows computer, verifying the checksum is still possible, despite the lack of native Windows tools. The open-source Gpg4win suite must be downloaded and installed to accomplish this.

First, locate the signing key file and checksum files provided by your Linux distribution. For demonstration purposes, we will utilize Fedora as an example. Fedora’s website offers both checksum downloads and the signing key, available at https://getfedora.org/static/fedora.gpg.

Following the download of these files, the signing key needs to be installed using the Kleopatra application, which is included with Gpg4win. Initiate Kleopatra and navigate to File > Import Certificates. Then, select the .gpg file that was downloaded.

how-to-verify-a-downloaded-linux-iso-file-wasnt-tampered-with-5.jpg

Next, determine if the downloaded checksum file has been signed using one of the imported key files. To do this, select File > Decrypt/Verify Files. Choose the downloaded checksum file.

Ensure the "Input file is a detached signature" option is unchecked before clicking "Decrypt/Verify."

how-to-verify-a-downloaded-linux-iso-file-wasnt-tampered-with-6.jpg

An error message may appear at this stage, as validating the legitimacy of the Fedora certificates requires further investigation. This behavior is inherent to the design of PGP; secure key exchange often involves in-person verification and building a "web of trust." Such practices are not commonly implemented by most users.

However, you can still review details to confirm the checksum file was indeed signed with one of the keys you imported. This step offers a significant improvement over simply trusting a downloaded ISO without any verification.

how-to-verify-a-downloaded-linux-iso-file-wasnt-tampered-with-7.jpg

Attempt to select File > Verify Checksum Files to confirm the information within the checksum file corresponds to the downloaded .iso file. However, this method may not function correctly for all distributions; it worked successfully with Linux Mint’s sha256sum.txt file, but not with Fedora’s.

If direct verification fails, a workaround is available. Begin by navigating to Settings > Configure Kleopatra. Select "Crypto Operations," then "File Operations," and configure Kleopatra to utilize the "sha256sum" program, as this is the algorithm used to generate the checksum. For MD5 checksums, select "md5sum" from the list.

how-to-verify-a-downloaded-linux-iso-file-wasnt-tampered-with-8.jpg

Now, select File > Create Checksum Files and choose your downloaded ISO file. Kleopatra will then generate a checksum from the .iso file and save it to a new file.

Open both the downloaded checksum file and the newly generated file in a text editor, such as Notepad. Visually compare the checksums to ensure they are identical. If they match, the integrity of your downloaded ISO file is confirmed.

how-to-verify-a-downloaded-linux-iso-file-wasnt-tampered-with-9.jpg

It’s important to note that these verification methods were originally intended to ensure the ISO file downloaded correctly and wasn’t corrupted during transmission, facilitating successful burning and usage. They don’t provide absolute protection against malware, as trust is still placed in the downloaded PGP key.

However, this process significantly enhances assurance compared to using an ISO file without any verification.

Image Credit: Eduardo Quagliato on Flickr

#Linux ISO#checksum#verify ISO#file integrity#download verification#SHA256