Last month, Linux Mint's website was hacked, and a modified ISO that included a backdoor was put up for download. While the problem was fixed quickly, it demonstrates the importance of checking the Linux ISO files you download before running and installing them. Here's how.
Linux distributions publish checksums so you can confirm the files you download are what they claim to be, and these checksums are often signed so you can verify that the checksums themselves haven't been tampered with. This is particularly useful if you download an ISO from somewhere other than the main site, such as a third-party mirror or BitTorrent, where it's much easier for someone to tamper with files.
How This Process Works
The process of checking an ISO is a bit complex, so before we get into the exact steps, let's explain exactly what the process entails:
1. Download the Linux ISO file from the distribution's website or one of its mirrors.
2. Download the checksum file for that ISO and, if the distribution signs it, the signature file for the checksum.
3. Download the distribution's PGP public key.
4. Use the PGP key to verify the signature on the checksum file, which confirms the checksum file really came from the distribution's maintainers.
5. Compute the checksum of the downloaded ISO and confirm it matches the value in the checksum file.
The process may differ a bit between ISOs, but it usually follows that general pattern. For example, there are several different types of checksums. Traditionally, MD5 sums have been the most popular. However, SHA-256 sums are now more frequently used by modern Linux distributions, as SHA-256 is more resistant to theoretical attacks. We'll primarily discuss SHA-256 sums here, although a similar process works for MD5 sums. Some Linux distros may also provide SHA-1 sums, although these are even less common.
Similarly, some distros don't sign their checksums with PGP. In that case you only need to perform steps 1, 2, and 5, but the process is much more vulnerable: if an attacker can replace the ISO file offered for download, they can just as easily replace the checksum.
Using PGP is much more secure, but not foolproof. If the attacker could also replace the public key with their own, they could still trick you into thinking the ISO is legitimate. However, if the public key is hosted on a different server, as is the case with Linux Mint, this becomes far less likely, since they'd have to compromise two servers instead of one. But if the public key is stored on the same server as the ISO and checksum, as is the case with some distros, it doesn't offer as much protection.
Still, verifying the PGP signature on a checksum file and then validating your download against that checksum is all you can reasonably do as an end user downloading a Linux ISO. You're still much more secure than the people who don't bother.
How to Verify a Checksum On Linux
We'll use Linux Mint as an example here, but you may need to search your Linux distribution's website to find the verification options it offers. For Linux Mint, two files are provided along with the ISO download on its download mirrors. Download the ISO, and then download the "sha256sum.txt" and "sha256sum.txt.gpg" files to your computer. Right-click the files and select "Save Link As" to download them.
On your Linux desktop, open a terminal window and download the PGP key. In this case, Linux Mint's PGP key is hosted on Ubuntu's key server, so we run the following command to fetch it:
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 0FF405B2
Your Linux distro's website will point you towards the key you need.
We now have everything we need: the ISO, the checksum file, the checksum's digital signature file, and the PGP key. So next, change to the folder they were downloaded to, and run the following command to check the signature of the checksum file:
gpg --verify sha256sum.txt.gpg sha256sum.txt
If the GPG command reports that the downloaded sha256sum.txt file has a "good signature", you can continue. In the fourth line of the screenshot below, GPG informs us that this is a "good signature" from a key that claims to belong to Clement Lefebvre, Linux Mint's creator.
Don't worry that the key isn't certified with a "trusted signature." This is because of the way PGP works: you haven't built a web of trust by importing keys from people you trust, so GPG can confirm the signature was made with this key but cannot vouch that the key really belongs to its claimed owner. This warning is very common.
Lastly, now that we know the checksum file was created by the Linux Mint maintainers, run the following command to compute a checksum from the downloaded .iso file and compare it to the checksum TXT file you downloaded:
sha256sum --check sha256sum.txt
You'll see a lot of "no such file or directory" messages if you only downloaded a single ISO file, because the checksum file lists every image the distribution offers, but you should see an "OK" message for the file you downloaded if it matches the checksum.
You can also run the checksum commands directly on an .iso file. They'll read the .iso file and print its checksum, which you can then compare with the valid checksum by eye.
For example, to get the SHA-256 sum of an ISO file:
sha256sum /path/to/file.iso
Or, if you have an MD5 value and need the md5sum of a file:
md5sum /path/to/file.iso
Compare the result with the checksum TXT file to see if they match.
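The last step of the Linux procedure (letting sha256sum check the ISO against sha256sum.txt) and the by-eye alternative (computing one file's hash and comparing it with the listed value), worked through as an added example. This is not code from the original article or from Linux Mint: it assumes GNU coreutils sha256sum (for the --ignore-missing option), builds a small constructed stand-in file in place of a real ISO so it runs offline, and the file names it uses are made up. The verify_signature function wraps the gpg --verify command shown above and only succeeds once the distribution's real key has been imported, so the constructed fixture does not exercise it.

```shell
#!/bin/sh
# Added example (not the article's own code): checksum verification of a
# downloaded image, run against a constructed stand-in for the ISO.

# Create a scratch directory holding a fake "ISO" and a sha256sum.txt that,
# like a real distribution's file, also lists an image we did not download.
setup_fixture() {
  dir=$(mktemp -d)
  printf 'constructed stand-in for an ISO image\n' > "$dir/example-64bit.iso"
  (
    cd "$dir" || exit 1
    sha256sum example-64bit.iso > sha256sum.txt
    # Second entry for a file that is not present (hash of the word "other").
    printf '%s  example-32bit.iso\n' \
      "$(printf 'other' | sha256sum | cut -d' ' -f1)" >> sha256sum.txt
  )
  printf '%s\n' "$dir"
}

# Step 4 from the article: check the checksum file's detached signature.
# Exit status 0 means gpg reported a good signature with an imported key.
verify_signature() {  # $1 = directory holding sha256sum.txt and sha256sum.txt.gpg
  (cd "$1" && gpg --verify sha256sum.txt.gpg sha256sum.txt)
}

# Step 5: let sha256sum compare every listed file that is present.
# --ignore-missing suppresses the "No such file or directory" noise for images
# you did not download, yet the command still fails when no listed file was
# found at all, so a misnamed download cannot pass silently.
verify_checksums() {  # $1 = directory holding the ISO and sha256sum.txt
  (cd "$1" && sha256sum --check --ignore-missing sha256sum.txt)
}

# The manual alternative: the expected hash for one file name, read from
# sha256sum.txt (a leading '*' marks binary mode in some distributions' files),
# and the actual hash of the file on disk.
expected_hash() {  # $1 = directory, $2 = file name as listed
  awk -v name="$2" '{ f = $2; sub(/^\*/, "", f) } f == name { print $1 }' \
    "$1/sha256sum.txt"
}
actual_hash() {    # $1 = path to the downloaded image
  sha256sum "$1" | cut -d' ' -f1
}
hashes_match() {   # $1 = directory, $2 = file name; returns 0 when they agree
  exp=$(expected_hash "$1" "$2")
  [ -n "$exp" ] && [ "$exp" = "$(actual_hash "$1/$2")" ]
}

# Simulate a tampered download by appending bytes to the image.
tamper() {
  printf 'bytes appended after signing\n' >> "$1/example-64bit.iso"
}

# Demonstration: a clean download passes, a modified one fails.
d=$(setup_fixture)
verify_checksums "$d"                      # prints "example-64bit.iso: OK"
printf 'expected %s\nactual   %s\n' \
  "$(expected_hash "$d" example-64bit.iso)" "$(actual_hash "$d/example-64bit.iso")"
tamper "$d"
verify_checksums "$d" || echo "verification failed after tampering, as it should"
rm -rf "$d"
```

The check is only meaningful once the signature step has passed: sha256sum --check tells you the file you have matches the file the checksum list describes, and only the verified signature tells you that list came from the maintainers rather than from whoever replaced the ISO.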
How to Verify a Checksum On Windows
If you're downloading a Linux ISO from a Windows machine, you can also verify the checksum there, though Windows doesn't have the necessary software built in. So you'll need to download and install the open-source Gpg4win tool.
Locate your Linux distro's signing key file and checksum files. We'll use Fedora as an example here. Fedora's website provides checksum downloads and tells us we can download the Fedora signing key from https://getfedora.org/static/fedora.gpg.
After you have downloaded these files, you'll need to import the signing key using the Kleopatra program included with Gpg4win. Launch Kleopatra, and click File > Import Certificates. Select the .gpg file you downloaded.
You can now check whether the downloaded checksum file was signed with one of the keys you imported. To do so, click File > Decrypt/Verify Files. Select the downloaded checksum file. Uncheck the "Input file is a detached signature" option and click "Decrypt/Verify."
You're sure to see an error message if you do it this way, as you haven't gone through the trouble of confirming that those Fedora certificates are actually legitimate. That's a more difficult task. This is the way PGP is designed to work: you meet and exchange keys in person, for example, and piece together a web of trust. Most people don't use it this way.
However, you can view more details and confirm that the checksum file was signed with one of the keys you imported. This is much better than just trusting a downloaded ISO file without checking, anyway.
You should now be able to select File > Verify Checksum Files and confirm that the information in the checksum file matches the downloaded .iso file. However, this didn't work for us; maybe it's just the way Fedora's checksum file is laid out. When we tried this with Linux Mint's sha256sum.txt file, it did work.
If this doesn't work for your Linux distribution of choice, here's a workaround. First, click Settings > Configure Kleopatra. Select "Crypto Operations," then "File Operations," and set Kleopatra to use the "sha256sum" checksum program, as that's what this particular checksum was generated with. If you have an MD5 checksum, select "md5sum" in the list here.
Now, click File > Create Checksum Files and select your downloaded ISO file. Kleopatra will generate a checksum from the downloaded .iso file and save it to a new file.
You can open both of these files, the downloaded checksum file and the one you just generated, in a text editor like Notepad. Confirm the checksum is identical in both. If it is, you've confirmed your downloaded ISO file hasn't been tampered with.
These verification methods weren't originally intended for protecting against malware. They were designed to confirm that your ISO file downloaded correctly and wasn't corrupted during the download, so you could burn and use it without worrying. They're not a completely foolproof solution, as you do have to trust the PGP key you download. However, this still provides much more assurance than using an ISO file without checking it at all.