Monday, 22 February 2016

This Is Very Important - Check Your ISO Image Before Installing Linux

Posted by Gary Newell at 22:44

Introduction

On Sunday 21st February a message was posted to the Linux Mint blog stating that the website had been hacked and that the intruder had managed to post a link to an unofficial ISO version of Linux Mint.

For more information about what has happened visit http://blog.linuxmint.com/?p=2994.

The Linux Mint blog tells you how to check whether you have downloaded a dodgy version of Linux Mint.

Now this post is a little bit like closing the stable door after the horse has bolted because not once in any of my guides have I told you to check the MD5/SHA256 checksums for the downloaded ISO files of any distribution to make sure you have a legitimate copy.

I think many of us have become complacent that the ISO images we are downloading from the websites of Linux distributions are all perfectly ok. This is the kick up the backside we all needed.

In this guide I will show you how to check the MD5/SHA256 checksums of a Linux distribution using Windows and Linux.

Verify The Checksum Of An ISO Using Windows

Windows doesn't come with any built-in tools to verify the checksum of an ISO image.

To install one, open up the Windows Store (it is the little shopping bag icon in the quick launch bar).

Search for Hash Express and when the option becomes available click "Install".

Click "Open" to open the application. You can also open the application by searching for it using the Windows search bar, using Cortana or by using the Windows 10 menu system.

From the algorithm drop-down, choose the hash algorithm that matches the checksum published by your distribution. MD5 is the option you need to choose if you are using Linux Mint. For other distributions this option may be SHA256.

Click on the "Pick File" button and search for the ISO file for the Linux distribution that you are using.

The checksum will appear in the computed hash box. Compare this value with the values displayed on the website for the distribution you wish to install.

At the time of publishing the Linux Mint website is down but the checksums you are looking for are as follows:

6e7f7e03500747c6c3bfece2c9c8394f  linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983  linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238  linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd  linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d  linuxmint-17.3-cinnamon-oem-64bit.iso

If the checksums do not match, delete the ISO and download the image again. You should refer to the checksums on the Linux Mint website when it becomes available.

Verify The Checksum Of An ISO Using Linux

Validating the checksum using Linux is much easier as the program md5sum is almost always installed.

All you have to do is open a terminal window, navigate to the folder where the ISO is stored and run the following command:

md5sum <isoname>

For example, if you have downloaded the 64-bit Cinnamon version of the Linux Mint ISO using Ubuntu you would type the following:

cd ~/Downloads
md5sum linuxmint-17.3-cinnamon-64bit.iso

The output of the md5sum command should match the checksum published on the website of your chosen distribution.

If the distribution publishes SHA256 checksums instead, use the following command:

sha256sum <isoname>

Where Can You Find The Checksums

Not all of the websites make it easy to find the MD5 checksums and this should really be addressed.

The Linux Mint website is currently down but the checksum is usually displayed next to the file you are downloading.

If you are downloading Ubuntu you can find the checksums by visiting http://releases.ubuntu.com/. This will give you access to each of the folders such as 14.04.3, 15.10 etc. Within the folder you will see the MD5Sum link or the SHA256 link.

Debian also provides SHA256 checksums as well as a network install.

openSUSE provides SHA256 checksums.

Fedora provides instructions for validating your download.

How Do You Know The Checksum Is Valid

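A checksum proves only that your download matches the file the website lists, so it is only as trustworthy as the page it came from. The larger distributions sign their SHA256 checksum files with gpg keys and you can use gpg to verify the checksum file. This is the most secure way to verify a distribution.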

Unfortunately not all distributions have this level of sophistication and to be honest it is quite complex for the average user.
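
The checksum comparison from the Linux section and the gpg check from this section can be combined in one script. This is an added example, not part of the original post: SHA256SUMS and SHA256SUMS.gpg are assumed file names, and verify_sums_signature and verify_image are hypothetical helper names.

```shell
#!/bin/sh
# Added example. SHA256SUMS / SHA256SUMS.gpg are assumed file names.

# Step 1: check that the checksum list is signed by a key in your keyring.
# gpg exits 0 for any good signature from a known key, so confirm the key
# fingerprint through a channel other than the download site.
verify_sums_signature() {
    sums=$1; sig=$2
    gpg --verify "$sig" "$sums"
}

# Step 2: check one image against its entry in the checksum list.
# Returns 0 = match, 1 = mismatch, 2 = file missing or image not listed.
# Assumes file names without spaces, as ISO names normally are.
verify_image() {
    image=$1; sums=$2; tool=${3:-sha256sum}
    [ -f "$image" ] && [ -f "$sums" ] || return 2
    name=$(basename "$image")
    # List lines look like "<hash>  <name>" or "<hash> *<name>" (binary mode).
    expected=$(awk -v n="$name" \
        '$2 == n || $2 == ("*" n) { print tolower($1); exit }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$("$tool" "$image" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] && return 0
    return 1
}

# Demo on a constructed stand-in file (not a real ISO).
demo_dir=$(mktemp -d)
printf 'constructed sample image\n' > "$demo_dir/sample.iso"
( cd "$demo_dir" && sha256sum sample.iso > SHA256SUMS )
verify_image "$demo_dir/sample.iso" "$demo_dir/SHA256SUMS" \
    && echo "sample.iso: OK"
printf 'tampered' >> "$demo_dir/sample.iso"
verify_image "$demo_dir/sample.iso" "$demo_dir/SHA256SUMS" \
    || echo "sample.iso: MISMATCH, delete and re-download"
rm -rf "$demo_dir"
```

For an MD5 list, pass md5sum as the third argument to verify_image.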

Summary

This guide isn't exhaustive and you should check the documentation on the website for the distribution you are using.

The important thing now is to make sure the file you downloaded is the file you meant to download.

Check that checksum.



About the Author

Gary Newell started the Everyday Linux User blog in 2010 and has written reviews on dozens of different Linux based operating systems. He has also written a number of tutorials.


5 comments:

  1. This wouldn't have helped in this case as the hacker had changed the listed checksums to match the newly minted images. The check is only useful for checking there hasn't been any corruption during download. They can only be used for security if the sums themselves have been signed by someone you trust; these are usually posted to mailing lists and are GPG signed. The usual chain of trust rules apply.

    1. It is something that distributions need to think about. Debian and Ubuntu have gpg keys for their checksums but it isn't obvious for the average user how to use them, and if the person is coming from Windows the tools available for verifying gpgs are pretty shoddy.

  2. In Windows, there is another way to check, portable no-install:
    http://portableapps.com/apps/utilities/winmd5sum_portable

  3. While I am a competent and grizzled long time Linux user, I tip my hat to the people with the distros that "notify" you of a newer version of their OS and allow you to download it from their Software Center or some other application. For my Mum it makes her life easier that Ubuntu lets her know there's a newer version that's available, and that all she has to do (when SHE'S ready to, of course!) is click the "Upgrade" button and then answer whatever prompts she's presented with. For the distros that leave upgrading to the user, well once again, while I'm adept at getting that done, a person leaving the Windows camp might find it a bit intimidating. The more that you can make someone "comfortable" using your OS the more users you'll draw to your cause. That's not to say that everybody wants things handed to them either. So I guess there's a healthy mix for all who step into the wonderful world of Linux!

  4. Thanks I found the post and user followup information to be very useful. Cheers~

    --
    Sam Smith
    Technology Evangelist and Aspiring Chef.
    Large file transfers made easy.
    Innorix DS
