Verifying Ubuntu ISO images assumes basic knowledge of the command-line, checking SHA256 checksums, and using GnuPG. While MD5 checksums are also provided on the server, MD5 is not considered secure and should only be used to check for accidental corruption of a download; it should not be used together with gpg for verification that your download has not been compromised.

The steps are

  1. Download SHA256SUMS and SHA256SUMS.gpg

  2. Get the key used for the signature
  3. Verify the signature

  4. Check the ISO with sha256sum

After verifying the ISO file, you can [BurningIsoHowto burn it to a CD].

Download sums and signature

Just download the two files from any of the mirrors. Store them in the same directory. For Trusty, the CD image SHA256SUMs can be found at http://releases.ubuntu.com/14.04/ and the Trusty DVDs can be found at http://cdimage.ubuntu.com/releases/14.04/release/. If you're using another version of Ubuntu, change "14.04" in those URLs to your version number (e.g. 12.04 for Precise).

Get the key

Find out what key was used to issue the signature

By running GnuPG to verify the signature we can find out what key is needed: 

$ gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Wed 11 Nov 2015 20:08:10 GMT using DSA key ID FBB75451
gpg: Can't check signature: public key not found
gpg: Signature made Wed 11 Nov 2015 20:08:10 GMT using RSA key ID EFE21092
gpg: Can't check signature: public key not found

The key IDs are 0xFBB75451 (generated in 2004, deprecated) and 0xEFE21092 (generated in 2012, current).

Obtain the public key from the Ubuntu key server

To add the wanted key automatically to your keyring from the Ubuntu keyserver and calculate its trust: 

$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 0xFBB75451 0xEFE21092
gpg: requesting key FBB75451 from hkp server keyserver.ubuntu.com
gpg: requesting key EFE21092 from hkp server keyserver.ubuntu.com
gpg: key FBB75451: public key "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>" imported
gpg: key EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 2
gpg:               imported: 2  (RSA: 1)

Verify the key fingerprints: 

$ gpg --list-keys --with-fingerprint 0xFBB75451 0xEFE21092
pub   1024D/FBB75451 2004-12-30
      Key fingerprint = C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451
uid                  Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>

pub   4096R/EFE21092 2012-05-11
      Key fingerprint = 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid                  Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>

Verify signature

Now when you verify the sums file you'll get a result resembling this: 

$ gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Wed Nov 11 20:08:10 2015 GMT using DSA key ID FBB75451
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451
gpg: Signature made Wed Nov 11 20:08:10 2015 GMT using RSA key ID EFE21092
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092

In this example a "Good signature" validates the integrity of the given file. The warning message indicates your current GnuPG trust database does not have trust information for that signing key, unless you have actually verified and signed one of the public keys belonging to signers of the Ubuntu CD Image signing key. For more information about the OpenPGP Web of Trust see:

Check the ISO

On hard disk

The file SHA256SUMS contains SHA256 hashes of the ISO images. Run sha256sum on the ISO and compare the result with the relevant line in SHA256SUMS. See this link for more information on SHA256SUMS. 

$ sha256sum ubuntu-14.04-server-amd64.iso
946a6077af6f5f95a51f82fdc44051c7aa19f9cfc5f737954845a6050543d7c2 *ubuntu-14.04.1-server-amd64.iso

Or doing it automatically with a one line script. 

$ sha256sum -c <(grep ubuntu-14.04.1-server-amd64.iso SHA256SUMS)
ubuntu-14.04.1-server-amd64.iso: OK

Optional

Check again after burning since growisofs adds extra blank bytes increasing file size from 3048179712 (0xB5AF8800) to 3048210432 (0xB5B00000) bytes 

$ md5sum ubuntu-5.10-dvd-i386.iso
e41c0631f6f2c138a417b59bcb880fce

$ wc -c ubuntu-5.10-dvd-i386.iso
3048179712

$ dd if=/dev/dvdwriter | head -c 3048179712 | md5sum
e41c0631f6f2c138a417b59bcb880fce
$

While booting

You can also check a disc while you are booting from it. This is useful for testing that your target hardware can properly read all of the disc.

Divide the image size in bytes by 512 to get the size in blocks. Boot from the disc, and when the installer has reached the disk partitioning stage, switch to a shell (alt-2) and run the following command, adding the size of the ISO image in blocks as the argument "count". 

$ dd if=/dev/cdroms/cdrom0 count=5953476 | md5sum
e41c0631f6f2c138a417b59bcb880fce

Other Languages:

VerifyIsoHowto (last edited 2017-12-08 19:15:21 by vorlon)