Monday, 22 February 2016

This Is Very Important - Check Your ISO Image Before Installing Linux

Posted by Gary Newell  |  at  22:44 5 comments

Introduction

On Sunday 21st February a message was posted to the Linux Mint blog stating that the website has been hacked and the intruder managed to post a link to an unofficial ISO version of Linux Mint.

For more information about what has happened visit http://blog.linuxmint.com/?p=2994.

The Linux Mint blog tells you how to check whether you have downloaded a dodgy version of Linux Mint.

Now this post is a little bit like closing the stable door after the horse has bolted because not once in any of my guides have I told you to check the MD5/SHA256 checksums for the downloaded ISO files of any distribution to make sure you have a legitimate copy.

I think many of us have become complacent that the ISO images we are downloading from the websites of Linux distributions are all perfectly ok. This is the kick up the backside we all needed.

In this guide I will show you how to check the MD5/SHA256 checksums of a Linux distribution using Windows and Linux.

Verify The Checksum Of An ISO Using Windows

Windows doesn't come with any built in tools to verify the checksum of an ISO image.

To install one, open up the Windows store (it is the little shopping bag icon in the quick launch bar).





















Search for Hash Express and when the option becomes available click "Install".

Click "Open" to open the application. You can also open the application by searching for it using the windows search bar, using Cortana or by using the Windows 10 menu system.





























From the algorithm drop down choose the appropriate encryption type. MD5 is the option you need to choose if you are using Linux Mint. For other distributions this option may be SHA256.

Click on the "Pick File" button and search for the ISO file for the Linux distribution that you are using.

The checksum will appear in the computed hash box. Compare this value with the values displayed on the website for the distribution you wish to install.

At the time of publishing the Linux Mint website is down but the checksums you are looking for are as follows:

6e7f7e03500747c6c3bfece2c9c8394f  linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983  linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238  linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd  linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d  linuxmint-17.3-cinnamon-oem-64bit.iso

If the checksums do not match, delete the ISO and download the image again. You should refer to the checksums on the Linux Mint website when it becomes available.

Verify The Checksum Of An ISO Using Linux

Validating the checksum using Linux is much easier as the program md5sum is generally always installed.

All you have to do is open a terminal window, navigate to the folder where the ISO is stored and run the following command:

md5sum <isoname>
For example if you have downloaded the 64-bit Cinnamon version of the Linux Mint ISO using Ubuntu you would type the following:

cd ~/Downloads
md5sum  linuxmint-17.3-cinnamon-64bit.iso

The output of the md5sum command should match the version on the website of your chosen distribution.

If the distribution requires SHA authentication use the following command:

sha256sum <isoname>

Where Can You Find The Checksums

Not all of the websites make it easy to find the MD5 checksums and this should really be addressed.

The Linux Mint website is currently down but the checksum is usually displayed next to the file you are downloading.

If you are downloading Ubuntu you can find the checksums by visiting http://releases.ubuntu.com/. This will give you access to each of the folders such as 14.04.3, 15.10 etc.  Within the folder you will see the MD5Sum link or the SHA256 link.

Debian also provides SHA256 authentication as well as a network install.

openSUSE provides SHA256 authentication.

Fedora provides instructions for validating your download.

How Do You Know The Checksum Is Valid

The larger distributions have created gpg keys for their SHA256 checksums and you can use gpg to verify the checksum. This is the most secure way to verify a distribution.

Unfortunately not all distributions have this level of sophistication and to be honest it is quite complex for the average user.

Summary

This guide isn't exhaustive and you should check the documentation on the website for the distribution you are using.

The important thing now is to make sure the file you downloaded is the file you meant to download.

Check that checksum.



    Popular Posts



back to top