The steps are
Download MD5SUMS and MD5SUMS.gpg
- Get the key used for the signature
- Verify the signature
Check the ISO with md5sum
After verifying the ISO file, you can [BurningIsoHowto burn it to a CD].
Download MD5SUMS and MD5SUMS.gpg
Just download the two files from any of the mirrors. Store them in the same directory. For Hardy, the CD image MD5s can be found at http://releases.ubuntu.com/8.04/MD5SUMS and the Hardy DVDs can be found at http://cdimage.ubuntu.com/releases/8.04/release/MD5SUMS. If you're using another version of Ubuntu, change "8.04" in those URLs to your version number (e.g. 8.10 for Intrepid Ibex).
Get the key
Find out what key was used to issue the signature
By running GnuPG to verify the signature we can find out what key is needed:
$ gpg --verify MD5SUMS.gpg MD5SUMS gpg: Signature made Thu 12 May 2005 12:41:32 BST using DSA key ID FBB75451 gpg: Can't check signature: public key not found
The key ID is 0xFBB75451.
Obtain the public key from the Ubuntu key server
To add the wanted key automatically to your keyring from the Ubuntu keyserver and calculate its trust:
$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 0xFBB75451 gpg: requesting key FBB75451 from hkp server keyserver.ubuntu.com gpg: key FBB75451: public key "Ubuntu CD Image Automatic Signing Key <email@example.com>" imported gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 2 signed: 12 trust: 0-, 0q, 0n, 0m, 0f, 2u gpg: depth: 1 valid: 12 signed: 8 trust: 0-, 0q, 0n, 6m, 6f, 0u gpg: depth: 2 valid: 4 signed: 4 trust: 1-, 0q, 0n, 0m, 3f, 0u gpg: depth: 3 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 1f, 0u gpg: next trustdb check due at 2008-04-14 gpg: Total number processed: 1 gpg: imported: 1 $
Now when you verify the MD5SUMS file you'll get a result resembling this:
$ gpg --verify MD5SUMS.gpg MD5SUMS magnus@die[~/dload].$ gpg --verify MD5SUMS.gpg MD5SUMS gpg: Signature made Thu 12 May 2005 12:41:32 BST using DSA key ID FBB75451 gpg: Good signature from "Ubuntu CD Image Automatic Signing Key <firstname.lastname@example.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451
In this example a "Good signature" validates the integrity of the MD5SUMS file. The warning message indicates your current GnuPG trust database does not have trust information for that signing key, unless you have actually verified and signed one of the public keys belonging to signers of the Ubuntu CD Image signing key. For more information about the OpenPGP Web of Trust see:
Check the ISO
On hard disk
The file MD5SUM contains MD5 hashes of the ISO images. Run md5sum on the ISO and compare the result with the relevant line in MD5SUM. See this link for more information on MD5SUM.
$ md5sum ubuntu-5.04-dvd-i386.iso 765dc370887735af71bc2cf6fcc9fafd ubuntu-5.04-dvd-i386.iso
Check again after burning since growisofs adds extra blank bytes increasing file size from 3048179712 (0xB5AF8800) to 3048210432 (0xB5B00000) bytes
$ md5sum ubuntu-5.10-dvd-i386.iso e41c0631f6f2c138a417b59bcb880fce $ wc -c ubuntu-5.10-dvd-i386.iso 3048179712 $ dd if=/dev/dvdwriter | head -c 3048179712 | md5sum e41c0631f6f2c138a417b59bcb880fce $
You can also check a disc while you are booting from it. This is useful for testing that your target hardware can properly read all of the disc.
Divide the image size in bytes by 512 to get the size in blocks. Boot from the disc, and when the installer has reached the disk partitioning stage, switch to a shell (alt-2) and run the following command, adding the size of the ISO image in blocks as the argument "count".
$ dd if=/dev/cdroms/cdrom0 count=5953476 | md5sum e41c0631f6f2c138a417b59bcb880fce
Spanish (Español): ComoVerificarIso