This Is Very Important – Check Your ISO Image Before Installing Linux


On Sunday 21st February a message was posted to the Linux Mint blog stating that the website has been hacked and the intruder managed to post a link to an unofficial ISO version of Linux Mint.

For more information about what has happened visit

The Linux Mint blog tells you how to check whether you have downloaded a dodgy version of Linux Mint.

Now this post is a little bit like closing the stable door after the horse has bolted because not once in any of my guides have I told you to check the MD5/SHA256 checksums for the downloaded ISO files of any distribution to make sure you have a legitimate copy.

I think many of us have become complacent that the ISO images we are downloading from the websites of Linux distributions are all perfectly ok. This is the kick up the backside we all needed.

In this guide I will show you how to check the MD5/SHA256 checksums of a Linux distribution using Windows and Linux.

Verify The Checksum Of An ISO Using Windows

Windows doesn’t come with any built in tools to verify the checksum of an ISO image.

To install one, open up the Windows store (it is the little shopping bag icon in the quick launch bar).

Search for Hash Express and when the option becomes available click “Install”.

Click “Open” to open the application. You can also open the application by searching for it using the windows search bar, using Cortana or by using the Windows 10 menu system.

From the algorithm drop down choose the appropriate encryption type. MD5 is the option you need to choose if you are using Linux Mint. For other distributions this option may be SHA256.

Click on the “Pick File” button and search for the ISO file for the Linux distribution that you are using.

The checksum will appear in the computed hash box. Compare this value with the values displayed on the website for the distribution you wish to install.

At the time of publishing the Linux Mint website is down but the checksums you are looking for are as follows:

6e7f7e03500747c6c3bfece2c9c8394f  linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983  linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238  linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd  linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d  linuxmint-17.3-cinnamon-oem-64bit.iso

If the checksums do not match, delete the ISO and download the image again. You should refer to the checksums on the Linux Mint website when it becomes available.

Verify The Checksum Of An ISO Using Linux

Validating the checksum using Linux is much easier as the program md5sum is generally always installed.

All you have to do is open a terminal window, navigate to the folder where the ISO is stored and run the following command:

md5sum <isoname>

For example if you have downloaded the 64-bit Cinnamon version of the Linux Mint ISO using Ubuntu you would type the following:

cd ~/Downloads

md5sum  linuxmint-17.3-cinnamon-64bit.iso

The output of the md5sum command should match the version on the website of your chosen distribution.

If the distribution requires SHA authentication use the following command:

sha256sum <isoname>

Where Can You Find The Checksums

Not all of the websites make it easy to find the MD5 checksums and this should really be addressed.

The Linux Mint website is currently down but the checksum is usually displayed next to the file you are downloading.

If you are downloading Ubuntu you can find the checksums by visiting This will give you access to each of the folders such as 14.04.3, 15.10 etc.  Within the folder you will see the MD5Sum link or the SHA256 link.

Debian also provides SHA256 authentication as well as a network install.

openSUSE provides SHA256 authentication.

Fedora provides instructions for validating your download.

How Do You Know The Checksum Is Valid

The larger distributions have created gpg keys for their SHA256 checksums and you can use gpg to verify the checksum. This is the most secure way to verify a distribution.

Unfortunately not all distributions have this level of sophistication and to be honest it is quite complex for the average user.


This guide isn’t exhaustive and you should check the documentation on the website for the distribution you are using.

The important thing now is to make sure the file you downloaded is the file you meant to download.

Check that checksum.



  1. This wouldn't have helped in this case as the hacker had changed the listed checksums to match the newly minted images. The check is only useful for checking there hasn't been any corruption during download. They can only be used for security if the sums themselves have been signed by someone you trust, these are usually posted to mailing lists and are GPG signed. The usual chain of trust rules apply

    • It is something that distributions need to think about. Debian and Ubuntu have gpg keys for their checksums but it isn't obvious for the average user how to use them and if the person is coming from windows the tools available for verifying gpgs are pretty shoddy

  2. While I am a competent and grizzled long time Linux user, I tip my hat off to the people with the distros that "notify" you of a newer version of their OS and allow you to download it from their Software Center or some other application. For my Mum it makes her life easier that Ubuntu lets her know there's a newer version that's available, and that all she has to do (when SHE'S ready to of course!) all she has to do is click the "Upgrade" button and then answer whatever prompts she presented with. For the distros that leave upgrading to the user, well once again, while I'm adept at getting that done? a person leaving the Windows camp might find it a bit intimidating. The more that you can make someone "comfortable" using your OS the more users you'll draw to your cause. That's not to say that everybody wants things handed to them either. So I guess there's a healthy mix for all who step into the wonderful world of Linux!

Leave a Reply