How to Verify a Download in Ubuntu with SHA256 Hash or GPG Key

You have probably downloaded open source software before, for instance the ISO image of a Linux distribution. On the download page you may also have noticed a link to a checksum file. What is that link for? Linux distributions publish checksum files alongside their ISO files so that you can verify the integrity of what you downloaded: by comparing the checksum of the file on your disk with the published one, you can confirm that the file is authentic and has not been tampered with. This matters most when you download from somewhere other than the original site, such as a third-party website, where the chance that the file has been altered is greater. Verifying the checksum is highly recommended whenever you download from a third party.

In this article, we will walk through a few steps that will help you to verify any download in Ubuntu operating system. For this article, I am using Ubuntu 18.04 LTS for describing the procedure. Moreover, I have downloaded ubuntu-18.04.2-desktop-amd64.iso and it will be used in this article for the verification process.

There are two methods you can use to verify the integrity of downloaded files. The first uses a SHA256 hash, which is quick but less secure, because a checksum file obtained from the same place as the download can be altered along with it. The second uses GPG signatures, which is the more secure way of checking file integrity.

Verify Download using SHA256 Hash

In the first method, we will use hashing to verify our download. A hash (checksum) is a fixed-size fingerprint of a file's contents: if the hash you compute over the downloaded file matches the one published for the original, the file on your system is identical to the original and has not been altered by a third party. The steps of the method are as below:

Step 1: Download SHA256SUMS file

You will need to find the SHA256SUMS file on an official Ubuntu mirror. The mirror page lists some extra files along with the Ubuntu images. I am using the mirror below to download the SHA256SUMS file:

http://releases.ubuntu.com/18.04/

[Screenshot: Verify download using SHA256]

Once you find the file, click on it to open it. It contains the checksum of the original file provided by Ubuntu.

[Screenshot: contents of the SHA256SUMS file]

Step 2: Generate SHA256 checksum of the downloaded ISO file

Now open the Terminal by pressing the Ctrl+Alt+T key combination. Then navigate to the directory where you have placed the downloaded file.

$ cd [path-to-file]

Then run sha256sum on the downloaded ISO file in the Terminal to generate its SHA256 checksum (for the ISO used in this article):

$ sha256sum ubuntu-18.04.2-desktop-amd64.iso

Step 3: Compare the checksum in both files.

Compare the checksum generated on your system with the one listed for your ISO in the SHA256SUMS file from Ubuntu's official mirror. If the two match, you have downloaded an authentic file; otherwise the file is corrupted or has been altered and should not be used.
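As an added example that is not part of the original article, the following POSIX shell script performs the same three-step check without reading hashes by eye: it parses the SHA256SUMS line format, compares the digest computed for one file, and exercises the altered-file and missing-entry cases. The file names and contents are constructed stand-ins for the Ubuntu ISO; it assumes sha256sum (GNU coreutils) is installed.

```shell
#!/bin/sh
# Added example, not from the original article. Performs steps 1-3 in the
# shell: look up the expected digest for one file in SHA256SUMS and compare
# it with the digest computed locally. SHA256SUMS lines have the form
# "<64 hex digits> *<filename>" (the '*' marks binary mode).

# verify_sha256 <file> <SHA256SUMS>
# exit 0: digest matches; 1: digest differs; 2: file not listed in SHA256SUMS
verify_sha256() {
    file=$1; sums=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "$name: no entry in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: FAILED (expected $expected, got $actual)" >&2
    return 1
}

# status_of <command...>: runs it silently and prints its exit code
status_of() { if "$@" >/dev/null 2>&1; then echo 0; else echo $?; fi; }

# Demo on constructed data standing in for ubuntu-18.04.2-desktop-amd64.iso:
# a good download, one altered in transit, and a file SHA256SUMS does not
# list. Prints the three exit codes: "ok:0 tampered:1 missing:2".
run_demo() {
    dir=$(mktemp -d)
    printf 'pretend this is an ISO image\n' > "$dir/demo.iso"
    printf '%s *demo.iso\n' "$(sha256sum "$dir/demo.iso" | awk '{ print $1 }')" \
        > "$dir/SHA256SUMS"
    rc_ok=$(status_of verify_sha256 "$dir/demo.iso" "$dir/SHA256SUMS")
    printf 'x' >> "$dir/demo.iso"          # one extra byte changes the digest
    rc_bad=$(status_of verify_sha256 "$dir/demo.iso" "$dir/SHA256SUMS")
    : > "$dir/other.iso"
    rc_missing=$(status_of verify_sha256 "$dir/other.iso" "$dir/SHA256SUMS")
    rm -rf "$dir"
    echo "ok:$rc_ok tampered:$rc_bad missing:$rc_missing"
}

run_demo
```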

Verify Download using gpg keys

This method is more secure than the previous one. Let’s see how it works. The steps of the method are as below:

Step 1: Download SHA256SUMS and SHA256SUMS.gpg

You will need to find both the SHA256SUMS and SHA256SUMS.gpg files on any of the Ubuntu mirrors. Once you find them, open each one, right-click and use the browser's Save Page As option to save it. Save both files in the same directory.

[Screenshot: Using GPG to verify an Ubuntu Download]

Step 2: Find the key used to issue the signature

Launch the Terminal and navigate to the directory where you have placed the checksum files.

$ cd [path-to-file]

Then run the following command to verify which key was used to generate the signatures.

$ gpg --verify SHA256SUMS.gpg SHA256SUMS

This is the same command that verifies the signature. At this point, however, the signing keys are not in your keyring, so gpg cannot verify anything and returns the error message shown in the image below.

[Screenshot: use gpg verify]

The output above names the IDs of the keys that made the signatures: 46181433FBB75451 and D94AA3F0EFE21092. We can use these IDs to request the corresponding public keys from the Ubuntu key server.

Step 3: Get the public key of Ubuntu server

We will use the above key IDs to request the public keys from the Ubuntu key server by running the following command in Terminal. The general syntax of the command is:

$ gpg --keyserver <keyserver-name> --recv-keys <key-ID>

[Screenshot: Get the public key of Ubuntu server]

Substitute the Ubuntu key server (for example hkp://keyserver.ubuntu.com) for <keyserver-name> and the two key IDs from Step 2, prefixed with 0x, for <key-ID>. Now you have received the keys from the Ubuntu key server.

Step 4: Verify the key fingerprints

Now you will need to verify the key fingerprints. Fetching a key by its ID only proves that some key with that ID exists on the key server, so compare the full fingerprints gpg prints against a reference you trust that does not come from the key server itself (Ubuntu publishes the fingerprints of its signing keys on its own website). For that, run the following command in Terminal.

$ gpg --list-keys --with-fingerprint <0x-key-ID-1> <0x-key-ID-2>

[Screenshot: Verify the key fingerprints]

Step 5: Verify the signature

Now you can run the command to verify the signature. It is the same command that you have used previously to find the keys that were used for issuing the signature.

$ gpg --verify SHA256SUMS.gpg SHA256SUMS

[Screenshot: GPG Verify SHA256 sum]

In the output above, the Good signature message confirms that the SHA256SUMS file is authentic, so the checksums in it can be trusted for the final step. If the file had been altered after signing, gpg would report a BAD signature instead.

You will also notice a warning. It appears only because you have not certified (signed) these keys yourself, so they are not yet in your list of trusted keys.

Final Step

Now you will need to generate the SHA256 checksum of the downloaded ISO file and match it against the SHA256SUMS file you downloaded from the Ubuntu mirror. Make sure the downloaded ISO, SHA256SUMS and SHA256SUMS.gpg are all in the same directory.

Run the following command in the Terminal:

$ sha256sum -c SHA256SUMS 2>&1 | grep OK

You should see a line for your ISO file ending in OK. If the output is different (no OK line, or FAILED), your downloaded ISO file is corrupted or has been altered.
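As an added example that is not part of the original article, the following POSIX shell script replays the whole GPG chain of Steps 1 to 5 and the final sha256sum -c check (import the key, check its fingerprint against a pinned value, verify SHA256SUMS.gpg, then verify the file's digest) inside throwaway keyrings, so that it runs offline. The signing key, user ID, file names and file contents are constructed stand-ins for Ubuntu's; it assumes gpg 2.1 or later and GNU coreutils are installed.

```shell
#!/bin/sh
# Added example, not from the original article: the GPG chain of steps 1-5
# plus the final sha256sum -c check, replayed in throwaway keyrings with a
# constructed signing key standing in for Ubuntu's. The downloader pins the
# key by full fingerprint, not by the 16-digit ID it was fetched with.

# fingerprint_of <keyring-dir> <key-id|user-id>: primary-key fingerprint from
# the machine-readable --with-colons output ("fpr" record, field 10).
fingerprint_of() {
    GNUPGHOME=$1 gpg --batch --with-colons --fingerprint "$2" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_signed_sums <keyring-dir> <pinned-fingerprint> <download-dir>
# 0 only if the key fetched by ID has the pinned fingerprint, the detached
# signature on SHA256SUMS is good, and the downloaded file's digest matches.
verify_signed_sums() {
    home=$1; pin=$2; dir=$3
    keyid=$(printf '%s' "$pin" | tail -c 16)   # long key ID = last 16 hex digits
    [ "$(fingerprint_of "$home" "$keyid")" = "$pin" ] ||
        { echo "key $keyid does not match the pinned fingerprint" >&2; return 1; }
    ( cd "$dir" && GNUPGHOME=$home gpg --batch --verify SHA256SUMS.gpg SHA256SUMS 2>/dev/null &&
      sha256sum -c SHA256SUMS >/dev/null )
}

status_of() { if "$@" 2>/dev/null; then echo 0; else echo $?; fi; }

# Demo: sign a constructed SHA256SUMS, verify it, then alter the file (digest
# mismatch) and the sums file (BAD signature). Prints "good:0 badfile:1 badsig:1".
run_demo() {
    work=$(mktemp -d); signer=$work/signer; user=$work/user; dl=$work/download
    mkdir -m 700 "$signer" "$user"; mkdir "$dl"
    GNUPGHOME=$signer gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Signer <demo@example.invalid>' default default never 2>/dev/null
    fpr=$(fingerprint_of "$signer" demo@example.invalid)
    printf 'pretend this is an ISO image\n' > "$dl/demo.iso"
    ( cd "$dl" && sha256sum demo.iso > SHA256SUMS )
    GNUPGHOME=$signer gpg --batch --quiet --detach-sign --output "$dl/SHA256SUMS.gpg" "$dl/SHA256SUMS" 2>/dev/null
    # downloader side: import the public key (stands in for --recv-keys), then verify
    GNUPGHOME=$signer gpg --batch --export "$fpr" | GNUPGHOME=$user gpg --batch --quiet --import 2>/dev/null
    good=$(status_of verify_signed_sums "$user" "$fpr" "$dl")
    printf 'x' >> "$dl/demo.iso"
    badfile=$(status_of verify_signed_sums "$user" "$fpr" "$dl")
    printf '\n' >> "$dl/SHA256SUMS"
    badsig=$(status_of verify_signed_sums "$user" "$fpr" "$dl")
    for h in "$signer" "$user"; do GNUPGHOME=$h gpgconf --kill all 2>/dev/null || true; done
    rm -rf "$work"
    echo "good:$good badfile:$badfile badsig:$badsig"
}
run_demo
```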

That is all you need to know about verifying a download in Ubuntu. Using the verification methods described above, you can confirm that the ISO file you downloaded is authentic and has not been corrupted or tampered with during the download.