How to verify the integrity and authenticity of a Linux Mint ISO file


Whenever you want to do a new installation of Linux Mint from its ISO file, the first thing you should do is check the integrity and authenticity of that file. In the past, an incident took place in which the ISO file of Linux Mint 17.1 was compromised on its official website. So it’s strongly recommended to verify the ISO file before installing from it.

If you have already downloaded the ISO file from its official website (in my case, I have downloaded Linux Mint 18.1), let’s validate it. For this, the official website provides two files: “sha256sum.txt” and “sha256sum.txt.gpg”. Download these (go to https://linuxmint.com/verify.php and select your OS) and save them in the same folder as the ISO file.

Integrity check:

1. Open a terminal (Ctrl+Alt+T) and change the working directory to the directory that contains the ISO file, the “sha256sum.txt” file and the “sha256sum.txt.gpg” file.

cd ISO


2. Generate the SHA-256 sum of the ISO with the following command.

sha256sum -b *.iso

3. Print the content of the “sha256sum.txt” file with the “cat” command so that you can compare it with the output generated in step 2.

cat sha256sum.txt

4. Finally, look for your OS in the list from step 3 and compare its hash with the output of step 2. If they match, you’ve successfully verified the integrity of your ISO image.

However, this only tells you that the ISO file you downloaded matches the “sha256sum.txt” file on the server. What if someone has managed to replace the ISO file on the server with malware? They could replace “sha256sum.txt” as well, so in that case the sha256sum test is not enough.

Authenticity check:

1. Open the terminal, change the working directory to the ISO directory and import the Linux Mint signing key:

gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09"

2. Next, verify the authenticity of the sha256sum.txt file with the following command:

gpg --verify sha256sum.txt.gpg sha256sum.txt

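3. The output may include a warning. If the primary key fingerprint in the output is the same as the one used in step 1, then sha256sum.txt is authentic and, since the ISO’s hash matched it in the integrity check, you have the authentic ISO file.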
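
Both checks can be scripted so that the comparison is not done by eye. The script below is an added example, not part of the original post or of Linux Mint's own tooling: it reads gpg's machine-readable status output instead of the human-readable text, and only then compares the hash. The function names and the script name verify-mint.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): run both checks from this page.
# Fingerprint from step 1 of the authenticity check, with the spaces removed.
MINT_FPR="27DEB15644C6B3CF3BD7D291300F846BA25BAE09"

# Read `gpg --status-fd` lines on stdin. Succeed only if gpg reported GOODSIG
# and a VALIDSIG whose last field (the primary key fingerprint) equals $1.
# Requiring GOODSIG keeps BADSIG, EXPKEYSIG and REVKEYSIG results from passing.
sig_status_ok() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { valid = 1 }
        END { exit !(good && valid) }'
}

# Succeed only if the checksum list $2 has a line for the ISO's file name
# whose hash equals the SHA-256 computed locally from $1.
iso_hash_listed() {
    have=$(sha256sum -b "$1" | cut -d' ' -f1)
    [ -n "$have" ] || return 1
    awk -v h="$have" -v n="$(basename "$1")" '
        { f = $2; sub(/^\*/, "", f) }      # binary-mode entries are "*name"
        $1 == h && f == n { ok = 1 }
        END { exit !ok }' "$2"
}

# Signature first: the hash list is only worth comparing once it is trusted.
verify_mint_iso() {
    gpg --status-fd 1 --verify sha256sum.txt.gpg sha256sum.txt 2>/dev/null |
        sig_status_ok "$MINT_FPR" ||
        { echo "sha256sum.txt: signature not verified" >&2; return 1; }
    iso_hash_listed "$1" sha256sum.txt ||
        { echo "$1: hash not listed in sha256sum.txt" >&2; return 1; }
    echo "$1: signature and hash OK"
}

# Run from the ISO directory, e.g.: sh verify-mint.sh your-download.iso
if [ "$#" -gt 0 ]; then verify_mint_iso "$1"; fi
```

The signing key still has to be imported as in step 1 before the script is run; without it gpg emits no GOODSIG line and the script reports a failure.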
