How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

Verifying the checksum of files you download from the internet is a good habit to get into if you’re serious about your Linux desktop’s security.

When you download a Linux ISO file, you may have noticed a checksum near the download link. The checksum is a long list of numbers and letters that don't actually mean anything. The purpose of this checksum is to help you confirm that the file you downloaded is exactly the file you expected, that it hasn't been corrupted by an incomplete download or someone tampering with the file before it gets to you.

There are several ways to verify a file's integrity on Linux. Have a look at the following programs and see which one appeals to you.

1. Hashbrown

Many of the most well-established and widely used Linux distributions use the GNOME desktop interface by default. This includes Ubuntu and Fedora. So let's begin with a simple app made for GNOME that requires perhaps the least technical knowledge.

When you first launch Hashbrown, the app tells you what it does and provides you with only one option, to open a file. Once you open a file, you get a view of MD5, SHA-1, SHA-256, and SHA-512 hashes all in one place.

If the numbers match the checksum you were provided with, then you're done. Close the app and be on your way. If you aren't sure, click on the Tools tab and have the app check for you.

Don't know what those different hashing algorithms are? Click the settings cog in the header bar. There you will find an option to view an explanation on Wikipedia. This perhaps isn't the best introduction if you have no idea what hashes are, but at least you have a place to start.

Download: Hashbrown

2. Checksumo

Checksumo is another app designed for the GNOME desktop. It isn't necessarily any more complicated than Hashbrown, but it does take a different approach that is less immediately intuitive.

Checksumo's window presents three primary functions. First, you will need to open the designated file, such as an ISO image. Then you need to input a hash value. This is the character string a webpage or checksum file provides. When you enter this value, Checksumo will determine for itself whether the hash is MD5, SHA-256, or some other algorithm.

Then hit the Verify button. Checksumo will check the integrity of your file and let you know if the value doesn't match. If it does match, you're good to go.

Download: Checksumo

3. GtkHash

With GtkHash, you can open a file and verify it right away to see its hash values, or you can paste in a hash value to have the app check for a match for you.

But wait, there's more! You can feed GtkHash a list of files to check and have it verify them all at once. So if you're a distro hopper who likes to download Linux distributions in bulk, this app can help you make speedier work of verifying that all of them are safe. GtkHash is the most powerful and mature option on this list, with plugins that can integrate with various file managers.

GtkHash is a more old-school, desktop-agnostic GTK app. This makes it a good fit for more traditional GTK-based environments such as Cinnamon, MATE, and Xfce.

Thanks to KDE Plasma's top-notch GTK integration, GtkHash won't stand out much there either, though Plasma fans may want to consider the next option first. On that desktop, turns out you don't need to install anything extra to view checksums from your file manager.

Download: GtkHash

4. KDE Dolphin

In KDE Plasma, you don't need to download a full-blown dedicated app to verify a file's integrity, and you don't need to open a terminal either. All you need to do is right-click the file in question and open the Properties window. Then click over to the Checksums tab. Everything you need is likely there.

Dolphin lets you generate hashes and compare them manually, or you can paste a checksum to verify your file against. It supports a number of hashing algorithms.

You don't need to use Plasma to enjoy Dolphin, as you can download the file manager on other desktop environments. That's a bit much if you only want to verify checksums, but Dolphin is simply one of the most powerful file managers for Linux. That means there are plenty of reasons to give it some thought.

5. Hasher

If you use elementary OS, the aforementioned apps will work just fine, but you may want something designed specifically for your desktop. Look no further than Hasher. This app is available from AppCenter, and in contrast to many elementary apps, it's as feature-rich as the other options on this list.

Hasher has three primary functions: Hashes, Compare, and Verify. Hashes simply displays the hash value of a particular file, using your choice of algorithm. Compare lets you compare two files directly, such as an ISO file you downloaded from a server and one you downloaded as a torrent. Verify lets you compare a file to a hash value that you copy and paste from elsewhere.

You don't need elementary OS to use Hasher. AppCenter apps are available for any Linux desktop in the universal Flatpak format, just like apps from Flathub. Hasher's design, which lacks a header bar, can also make the app feel somewhat platform-neutral.

Download: Hasher

6. The Linux Command Line

Many people find the command line intimidating, but once you grow comfortable with it, it's hard to beat. The command line is fast, and it's available regardless of which version of Linux you use. There are various commands you could learn, but to keep things simple, let's focus on two: md5sum and sha256sum.

These two programs are functionally identical and differ in the hashing algorithm that they use, with both likely coming pre-installed on your distro. Their structure is simple. Simply type the command followed by the path to the file you wish to generate a hash for. For example:

You can type the path to your file manually, but many Linux terminals allow you to drag and drop the file from the file manager directly into the terminal window. If you want to explore more features, you can do so by reading the man page for either program, such as by typing:

Do You Feel Safer on Linux?

Checking a file's integrity is a good habit to get into, especially if you download Linux distros from locations other than their official websites. But keep in mind that verifying the checksum doesn't guarantee that a file is safe.

For example, someone who hacks a website and changes the ISO file to a compromised version can easily update the checksum file or value to match that of the compromised file. Simply consider this another tool in your belt as you work to keep your digital life secure.

How to verify a linux iso’s checksum and confirm it hasn’t been tampered withPhoto credit: Yuri Samoilov

Last month, the Linux Mint servers were infiltrated and its standard ISO image was swapped out with a compromised version. While the Linux Mint team was quick to offer fixes and a detection tool, the incident showcased the danger of blindly trusting ISO images without verifying their integrity. But how do you verify the integrity of a Linux ISO image?

Verify the checksum

One method is to verify an ISO’s checksum. A checksum, or hash value, is used to verify the integrity of a given file after it has been stored, compressed, or moved. If you have already downloaded a Linux ISO, the simplest way to verify its checksum is to use the cksum command, which is found on most Unix-like operating systems. The syntax looks like this: cksum [file]. In usage the command looks like this:

The number — 4038471506 — is the checksum value, while “150” is the file size. Now that you have your checksum value, you’ll want to compare it with the checksum file that’s either been included with your downloaded ISO or available in the directory you downloaded it from. If the numbers do not match, the ISO has either been corrupted or tampered with and you should not install it.

Verify the MD5sum

Sometimes a corrupted ISO can still return the correct checksum. Because of this, you’ll also want to test your ISO with MD5sum, which is a special utility designed to use the MD5 (Message-Digest algorithm 5) 128-bit cryptographic hash to verify the integrity of a given file. Let’s say you’re downloading Linux Mint 17.3 “Rosa” from this page.

How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

The MD5 value is what you’re going to compare your computed MD5sum to. Now, here’s how to get that MD5sum:

  1. Open the terminal and find the directory where your ISO lives.
  2. Now run the following command:

Verify the GPG signature of your ISO

The final step in verifying the integrity of your Linux ISO file is to check that it has been signed using a GPG key. ZDNet writes:

There are actually two ways this can be done, because there are two files involved in the download and verification of the ISO image. The obvious way is to sign the image itself (Manjaro Linux does it this way). The alternative is to sign the checksum file. The theory here is that if the checksum of the ISO image matches what it says in the checksum file, and you know that the checksum file hasn’t been modified, then you also know that the ISO file hasn’t been modified.

First things first: You’ll need to download the signed file and the GPG public key from your Linux distro’s directory, if you haven’t done this already. Then provide the gpgv utility with the keyfile with your public key, the signature file, and your ISO. ZDNet gives an example:

If it says “Good signature” as it does above, you’re in the clear. But for the truly cautious (you’re not paranoid if they’re out to get you, as they say), there’s an “improved version of the GPG utilities, called gpg2.” Not all Linux distros include gpg2 — Linux Mint 17.3, for instance, does not — but for those that do, the process is the same as that for the gpgv utility.

You can also use the gpg –verify command in lieu of the gpgv utility above. This command goes a step beyond gpgv by verifying the validity of the signature itself. While this might seem like a good additional step (and sometimes can be), there is often no point of reference for the utility to pit against the validity of the signature. Running this can return warnings that indicate nothing about the validity of your ISO, and simply tell you that the signature has not been vouched for by your distro’s development team.

Where do I find my distro’s public key?

Some distros like Linux Mint include the key in their base distribution, while others do not. In this case, you’ll need to locate a trusted keyserver for your distro. ZDNet points to the Debian Public Key Server document, which includes information on how to the ISO verification process. Other distros have similar resources available that you can find once you do a bit of digging.

The bottom line

Other tests exist, such as Debian’s “secure apt” utility, but at a certain point you have to determine when you’re ready to trust the authenticity of your ISO file. By taking the time to run a test in the first place you’re already ahead of the game, and have escaped the realm of blind trust. And if the attack on Linux Mint showed us nothing else, it’s that blind trust can be dangerous.

You just downloaded an ISO image of your favorite Linux distribution from the official site or a third party site, now what? Create bootable medium and start installing the OS? No, wait. Before start using it, It is highly recommended to verify that the downloaded ISO in your local system is the exact copy of the ISO present in the download mirrors. Because, Linux Mint’s website is hacked few years ago and the hackers made a modified Linux Mint ISO, with a backdoor in it. So, It is important to check the authenticity and integrity of your Linux ISO images. If you don’t know how to verify ISO images in Linux, this brief guide will help. Read on!

Verify ISO Images In Linux

We can verify ISO images using the Checksum values. Checksum is a sequence of letters and numbers used to check data for errors and verify the authenticity and integrity of the downloaded files. There are different types of checksums, such as SHA-0, SHA-1, SHA-2 (224, 256, 384, 512) and MD5. MD5 sums have been the most popular, but nowadays SHA-256 sums are mostly used by modern Linux distros.

We are going to use two tools namely “gpg” and “sha256” to verify authenticity and integrity of the ISO images.

Download checksums and signatures

For the purpose of this guide, I am going to use Ubuntu 18.04 LTS server ISO image. However, the steps given below should work on other Linux distributions as well.

Near the top of the Ubuntu download page, you will see a few extra files (checksums and signatures) as shown in the following picture.

How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

Ubuntu 18.04 checksum and signature

Here, the SHA256SUMS file contains checksums for all the available images and the SHA256SUMS.gpg file is the GnuPG signature for that file. We use this signature file to verify the checksum file in subsequent steps.

Download the Ubuntu ISO images and these two files and put them all in a directory, for example ISO.

As you see in the above output, I have downloaded Ubuntu 18.04.2 LTS server image along with checksum and signature values.

Download valid signature key

Now, download the correct signature key using command:

Verify SHA-256 checksum

Next verify the checksum file using the signature with command:

If you see “Good signature” in the output,the checksum file is created by Ubuntu developer and signed by the owner of the key file.

Check the downloaded ISO file

Next, let us go ahead and check the downloaded ISO file matches the checksum. To do so, simply run:

If the checksum values are matched, you will see the “OK” message. Meaning – the downloaded file is legitimate and hasn’t altered or tampered.

If you don’t get any output or different than above output, the ISO file has been modified or incorrectly downloaded. You must re-download the file again from a good source.

Some Linux distributions have included the checksum value in the download page itself. For example, Pop!_os developers have provided the SHA-256 checksum values for all ISO images in the download page itself, so you can quickly verify the ISO images.

How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

Pop os SHA256 sum value in download page

After downloading the the ISO image, verify it using command:

Pop os SHA256 sum value

Here, the random string starting with “680elaa. “ is the SHA-256 checksum value. Compare this value with the SHA-256 sum value provided on the downloads page. If both values are same, you’re good to go! The downloaded ISO file is legitimate and it hasn’t changed or modified from its original state.

This is how we can verify the authenticity and integrity of an ISO file in Linux. Whether you download ISOs from official or third-party sources, it is always recommended to do a quick verification before using them. Hope this was useful.

Linux Mint 18 (Sarah) was released a few days ago and I wanted to try the new version. However, I recalled that Mint’s web site had been hacked in February and a compromised version of the ISO file for Linux Mint 17.3 Cinnamon made available for downloading. Now, while this issue was quickly fixed, and greater security measures put in place, I thought it only reasonable to check the validity of the Mint 18 ISO file. However, the instructions provided on Mint’s web site weren’t entirely clear – nor accurate.

In particular, the very first command that was provided (gpg –recv-key A25BAE09) produced an error message that “no keyserver known (use option –keyserver)”. Some searching on Google identified a command – with a valid keyserver – that did work. A note on this, and some further clarification of the various steps involved to validate the downloaded ISO file, might be of value for some end users.

(1) The first thing to do is to download the ISO file. For this, I like to use the wget command (See: W-getting Ubuntu distros). Also, being located in the Great White North, my chosen source in the mirror supported by the University of Waterloo’s Computer Science Club. My distro of choice is the Mate edition of Linux Mint 18 (linuxmint-18-mate-64bit.iso). The download command is thus:

(2) Two additional files are needed, sha256sum.txt and sha256sum.txt.gpg, both of which are in the same folder as the above-noted ISO file. These files can be obtained using wget commands similar to the above.

(3) Now, it’s time to get the security key using the (valid!) command:

This creates the hidden folder .gnupg inside the Home folder, downloads and stores the PGP security key for the Mint 18 distro from the keyserver at Several lines of text will be displayed as a result of the above command; the most noteworthy being:

(4) Now we need to verify that this downloaded security key can be trusted. We use the command:

The “Key fingerprint” will be listed as 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09 which can be matched exactly to the value shown on Mint’s web site (

(5) The file sha256sum.txt contains the hash signatures for all of the Mint 18 distros – the Cinnamon and Mate editions, for both 32-bit and 64-bit computers. The next step is to ensure that this file is trustworthy and hence the signatures themselves are valid. Issue the command:

Once again, several of lines of output are generated. In this case, the important line to note is:

(6) Finally, we are ready to verify our downloaded distro. To do so, we use the command:

After a few seconds, the command responds with the validation string:

This final command is somewhat cryptic so a few words of explanation are in order. To check just the single ISO file, we could use the command:

How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

Illustration by Jørgen Stamp CC BY 2.5 Denmark


“Fixity, in the preservation sense, means the assurance that a digital file has remained unchanged, i.e. fixed.” (Bailey, 2014). Fixity doesn’t just apply to files, but to any digital object that has a series of bits inside it where that ‘bitstream’ needs to be kept intact with the knowledge that it hasn’t changed. Fixity could be applied to images or video inside an audiovisual object, to individual files within a zip, to metadata inside an XML structure, to records in a database, or to objects in an object store. However, files are currently the most common way of storing digital materials and fixity of files can established and monitored through the use of checksums.


A checksum on a file is a ‘digital fingerprint’ whereby even the smallest change to the file will cause the checksum to change completely. Checksums are typically created using cryptographic techniques and can be generated using a range of readily available and open source tools. It is important to note that whilst checksums can be used to detect if the contents of a file have changed, they do not tell you where in the file that the change has occurred.

Checksums have three main uses:

    1. To know that a file has been correctly received from a content owner or source and then transferred successfully to preservation storage
    2. To know that file fixity has been maintained when that file is being stored.
    3. To be given to users of the file in the future so they know that the file has been correctly retrieved from storage and delivered to them.

    This allows a ‘chain of custody’ to be established between those who produce or supply the digital materials, those responsible for its ongoing storage, and those who need to use the digital material that has been stored. In the OAIS reference model ( ISO, 2012 ) these are the producers, the OAIS itself is the repository, and the consumers.

    Application in digital preservation

    A short video explaining the basics of Integrity (Fixity) Checking in Digital Preservation

    If an organisation has multiple copies of their files, for example as recommended in the Storage section, then checksums can be used to monitor the fixity of each copy of a file and if one of the copies has changed then one of the other copies can be used to create a known good replacement. The approach is to compute a new checksum for each copy of a file on a regular basis and compare this with the reference value that is known to be correct. If a deviation is found then the file is known to have been corrupted in some way and will need replacing with a new good copy. This process is known as ‘data scrubbing’.

    Checksums are ideal for detecting if unwanted changes to digital materials have taken place. However, sometimes the digital materials will be changed deliberately, for example if a file format is migrated. This causes the checksum to change. This requires new checksums to be established after the migration which become the way of checking data integrity of the new file going forward.

    Files should be checked against their checksums on a regular basis. How often to perform checks depends on many factors including the type of storage, how well it is maintained, and how often it is being used. As a general guideline, checking data tapes might be done annually and checking hard drive based systems might be done every six months. More frequent checks allow problems to be detected and fixed sooner, but at the expense of more load on the storage system and more processing resources.

    Checksums can be stored in a variety of ways, for example within a PREMIS record, in a database, or within a ‘manifest’ that accompanies the files in a storage system.

    Tool support is good for checksum generation and use. As they are relatively simple functions, checksums are integrated into many other digital preservation tools. For example, generating checksums as part of the ingest process and adding this fixity information to the Archive Information Packages generated, or allowing manifests of checksums to be generated for multiple files and for the manifest and files to be bundled together for easy transport or storage. In addition md5sum and md5deep provide simple command line tools that operate across platforms to generate checksums on individual files or directories.

    There are several different checksum algorithms, e.g. MD5 and SHA-256 that can be used to generate checksums of increasing strength. The ‘stronger’ the algorithm then the harder it is to deliberately change a file in a way that goes undetected. This can be important for applications where there is a need to demonstrate resistance to malicious corruption or alteration of digital materials, for example where evidential weight and legal admissibility is important. However, if checksums are being used to detect accidental loss or damage to files, for example due to a storage failure, then MD5 is sufficient and has the advantage of being well supported in tools and is quick to calculate.

    The Handbook follows the National Digital Stewardship Alliance (NDSA) preservation levels ( NDSA, 2013 ) in recommending four levels at which digital preservation can be supported through file fixity and data integrity techniques. Many of the benefits of fixity checking can only be achieved if there are multiple copies of the digital materials, for example allowing repair if integrity of one of the copies has been lost.

    MD5sums are a simple method of checking the integrity of a downloaded ISO file to see if it is corrupt, but they provide no trusted method for checking the ISO hasn’t been tampered with in some way and you’ve been given a false MD5sum to check it against.

    This is where GPG signatures come in, checking the downloaded ISO against its signature file will verify the ISO hasn’t been tampered with. Even if someone were to hack into a website and upload a modified ISO image, and change the MD5sum being shown so it appeared to check out okay, the ISO would not verify correctly against its corresponding GPG key.

    How to verify a Peppermint ISO image against its GPG signature file

    Once you have downloaded the ISO file, you’ll also need to download its corresponding GPG signature file, links to these can be found next to the ISO download links and at the bottom of this page.

    In this EXAMPLE we’re going you verify the Peppermint 10 64bit ISO image (Peppermint-10-20191210-amd64.iso) against its GPG signature file (Peppermint-10-20191210-amd64.iso.sig) .. if you’re checking another Peppermint version, please adjust the commands accordingly.

    Place both the Peppermint-10-20191210-amd64.iso and the Peppermint-10-20191210-amd64.iso.sig file in the same directory.

    Open a terminal, and ‘cd’ (change directory) into that directory .. so if you had placed both files into your ‘Home’ directory, run:

    First you’ll need to check if you already have our GPG key, so run:

    If it’s not listed, run:

    Which should result in:-

    Next, verify the key by running:

    Which should return:-

    Now you can verify the ISO image against the GPG signature file, by running:

    (remember to change the above file names if you’re checking a different version of Peppermint against its corresponding signature file)

    The output will be similar to:-

    and contain the line:-

    If it contains that line the ISO has been verified as intact and unaltered.

    If it doesn’t contain that line, or instead states “BAD signature”, the ISO image is corrupt and should be discarded.

    You can verify the AECF1D2F key does indeed belong to a Peppermint developer by going to the Peppermint team members page on Launchpad and clicking on Mark-pcnetspec where you should see the key listed under OpenPGP keys.

    A graphical method for verifying the signatures in Linux would be to install the gpa package.

    The GNU Privacy Assistant (GPA) is a graphical user interface for the GNU Privacy Guard (GnuPG). It can be used to encrypt, decrypt, and sign files, to verify signatures and to manage the private and public keys.

    I’ve downloaded and installed sabayon, but all I can find to verify that iso image is an md5sum that can only be downloaded from the same insecure mirrors.

    • md5 checksums are not cryptographically secure — that should be at least sha256.
    • the mirrors to download that checksum from use only insecure protocols (http, ftp, rsync), therefore can not be trusted.
    • I can’t find anything about security issues on Google (at least while I’m running sabayon). Is this distribution designed to pleasure hackers and supported by the NSA? (or am I paranoid?)
    • would it be secure to install sabayon via gentoo-overlay? (or is there a similar but secure gentoo-based distro out there?)

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    1 Answer 1

    The md5sum is for verifying that the ISO is completely and correctly downloaded, not for verifying the source of the uploader.

    However, there often is another file – an asc-or pgp-file – this contain a detached pgp-signature, and can be used to verify the source of the files. The detached signature is often for the md5-file (not the ISO-file itself); but if the md5-file is genuine and it tells you the ISO-file’s checksum is correct, then you have an intact chain which ensure the ISO-file is genuine too.

    It doesn’t really matter if the download-site for all is insecure. If either or all of the files were tampered with, that would be detected by pgp . As long as the author’s secret-key hasn’t been compromised – or you haven’t been mislead to verify the download with a false public-key (a key only pretending to be by the author – then you’ll detect any tampering. Either because the ISO-file’s checksum doesn’t match, because the md5-file can’t be verified, or because gpg fails to correctly process the detached signature with the author’s public-key

    I’ve just downloaded a CD image of Ubuntu. I know the installer has a check CD option, but how can I check that the image is good before burning it to CD?

    5 Answers 5

    First look up the hash of the ISO you download here:

    (or in general find your Ubuntu release here)

    Then check the hash by following this video or these instructions:

    After checking the hash it’s safe to burn the image to CD/DVD.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    Ubuntu comes with a program called md5sum that you can use to check the integrity of a downloaded ISO file.

    Manual method..

    Generate a hash of your ISO file like this:

    This will print out the MD5 hash of your ISO. Now open up the Ubuntu Hashes wiki page which lists the MD5 hashes of all the Ubuntu ISOs and compare the hash you got from md5sum with the hash the wiki page says is correct for that ISO. If the hashes match you should have an uncorrupted file.

    Automatic method..

    A more automatic method would be to use the MD5SUMS.txt file (which you can download from your distributions download page at Make sure you save the file in the same directory has your ISO file.

    You will receive an error for every ISO you haven’t downloaded. That’s OK. Most likely you will only have one ISO to check. Here is some sample output:

    In this case we were only testing the 8.10 i386 desktop ISO, so we can ignore all the other warnings.

    Says that our ISO hash matches the correct one, meaning we have a clean file.

    You can use winMD5sum in Windows to check file hashes.

    Open Windows Explorer and locate your CD image. Right click on it and select “Send to..” then click “winMD5sum”.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    WinMD5sum will automatically calculate the hash and display it.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    Paste the hash for your release (which you got from Ubuntu Hashes) into the “Compare” box and click “Compare”. A popup dialog should confirm that the hashes match.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with


    If you have cygwin installed you can use md5sum as if you were in Ubuntu. Since I’ve already covered md5sum in the Linux section above, I’ll just give a quick recap here.

    File hashes or checksums are cryptographic strings generated from the file itself, which you can verify on your end to ensure that the file you are downloading hasn’t been tampered with somewhere between us and the mirror, or between the mirror and you.

    Project developers may also find it useful to use checksums to verify that the upload process went smoothly and that the file on our servers after the upload is the same as the file on your computer.

    In the file’s interface, click on the “i” information icon next to the file, and you’ll see two strings labelled SHA1 and MD5.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    Once you have downloaded the file, generate the MD5 checksum, or SHA1 checksum, of that file, and compare what you get to what we list on the site. If they don’t match, notify us, then try downloading from a different mirror.

    Via the web

    There are several sites that you can use to generate a hash. Here are some we’ve used before:


    On Windows, we recommend a tool like fHash to generate the hashes from the downloaded file. There are also browser plugins that will calculate the checksums on a file as you download it so that you’re less likely to forget to do it yourself.

    Mac OS X

    On Mac OS X, at the terminal:


    On Linux, at the command line:

    For users, this test will only determine whether or not the file matches what is stored on our master mirror server. If the file was corrupted when the project developer uploaded the file, this will not detect that.

    Again, if you discover that a checksum doesn’t match, please notify us so that we can do something about it as quickly as possible.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    You’ll sometimes see MD5, SHA-1, or SHA-256 hashes displayed alongside downloads during your internet travels, but not really known what they are. These seemingly random strings of text allow you to verify files you download aren’t corrupted or tampered with. You can do this with the commands built into Windows, macOS, and Linux.

    How Hashes Work, and How They’re Used for Data Verification

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    Hashes are the products of cryptographic algorithms designed to produce a string of characters. Often these strings have a fixed length, regardless of the size of the input data. Take a look at the above chart and you’ll see that both “Fox” and “The red fox jumps over the blue dog” yield the same length output.

    Now compare the second example in the chart to the third, fourth, and fifth. You’ll see that, despite a very minor change in the input data, the resulting hashes are all very different from one another. Even if someone modifies a very small piece of the input data, the hash will change dramatically.

    MD5, SHA-1, and SHA-256 are all different hash functions. Software creators often take a file download—like a Linux .iso file, or even a Windows .exe file—and run it through a hash function. They then offer an official list of the hashes on their websites.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    That way, you can download the file and then run the hash function to confirm you have the real, original file and that it hasn’t been corrupted during the download process. As we saw above, even a small change to the file will dramatically change the hash.

    These can also be useful if you have a file you got from an unofficial source and you want to confirm that it’s legitimate. Let’s say you have a Linux .ISO file you got from somewhere and you want to confirm it hasn’t been tampered with. You can look up the hash of that specific ISO file online on the Linux distribution’s website. You can then run it through the hash function on your computer and confirm that it matches the hash value you’d expect it to have. This confirms the file you have is the exact same file being offered for download on the Linux distribution’s website, without any modifications.

    Note that “collisions” have been found with the MD5 and SHA-1 functions. These are multiple different files—for example, a safe file and a malicious file—that result in the same MD5 or SHA-1 hash. That’s why you should prefer SHA-256 when possible.

    How to Compare Hash Functions on Any Operating System

    With that in mind, let’s look at how to check the hash of a file you downloaded, and compare it against the one you’re given. Here are methods for Windows, macOS, and Linux. The hashes will always be identical if you’re using the same hashing function on the same file. It doesn’t matter which operating system you use.


    This process is possible without any third-party software on Windows thanks to PowerShell.

    To get started, open a PowerShell window by launching the “Windows PowerShell” shortcut in your Start menu.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    Run the following command, replacing “C:\path\to\file.iso” with the path to any file you want to view the hash of:

    It will take some time to generate the hash of the file, depending on the size of the file, the algorithm you’re using, and the speed of the drive the file is on.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    By default, the command will show the SHA-256 hash for a file. However, you can specify the hashing algorithm you want to use if you need an MD5, SHA-1, or other type of hash.

    Run one of the following commands to specify a different hashing algorithm:

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    Compare the result of the hash function to the result you expected to see. If it’s the same value, the file hasn’t been corrupted, tampered with, or otherwise altered from the original.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with


    macOS includes commands for viewing different types of hashes. To access them, launch a Terminal window. You’ll find it at Finder > Applications > Utilities > Terminal.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    The md5 command shows the MD5 hash of a file:

    The shasum command shows the SHA-1 hash of a file by default. That means the following commands are identical:

    To show the SHA-256 hash of a file, run the following command:

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with


    On Linux, access a Terminal and run one of the following commands to view the hash for a file, depending on which type of hash you want to view:

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    Some Hashes are Cryptographically Signed for Even More Security

    While hashes can help you confirm a file wasn’t tampered with, there’s still one avenue of attack here. An attacker could gain control of a Linux distribution’s website and modify the hashes that appear on it, or an attacker could perform a man-in-the-middle attack and modify the web page in transit if you were accessing the website via HTTP instead of encrypted HTTPS .

    That’s why modern Linux distributions often provide more than hashes listed on web pages. They cryptographically sign these hashes to help protect against attackers that might attempt to modify the hashes. You’ll want to verify the cryptographic signature to ensure the hash file was actually signed by the Linux distribution if you want to be absolutely sure the hash and file weren’t tampered with.

    RELATED: How to Verify a Linux ISO’s Checksum and Confirm It Hasn’t Been Tampered With

    Verifying the cryptographic signature is a more involved process. Read our guide to verifying Linux ISOs haven’t been tampered with for full instructions.

    All live images and rootfs tarballs are available at:

    These files can also be downloaded from other mirrors, which are listed in the documentation. Simply navigate to live -> current to find them.

    The requirements for these images can be found in the documentation. An internet connection via Ethernet or WiFi is required for network installation.

    Verifying file integrity and its digital signature

    It is strongly recommended to validate the integrity and authenticity of any downloaded image or tarball before using it, to ensure it hasn’t been tampered with. Instructions on how to do that are provided in the Void Handbook.

    It will be necessary to download the checksum file and its signature for this step.

    • x86_64
    • i686
    • arm
    • arm platforms


    In addition to the plain command line image, there is a graphical flavor with the XFCE desktop environment. Other graphical environments are fully supported by Void Linux, but are not offered as demonstration/installation images, in order to decrease the overhead involved with testing.

    Installable live images support a local installation (with the included packages) or a network installation (packages are downloaded from official repository).

    You can log into these images as anon or root , and the password is voidlinux .

    Some types of files you download, like ISO images, service packs, and of course entire software programs or operating systems, are often large and high-profile, making them prone to downloading errors and possibly even alterations by malicious third parties. How can you ensure file integrity?

    You can only verify that a file is genuine if the original producer of the file, or another person you trust who has used the file, has provided you with a checksum to compare to. Creating a checksum yourself is useless if you have nothing trustworthy to compare it to.

    What Is a Checksum?

    Fortunately, many websites offer a piece of data called a checksum that can be used to help verify that the file you end up with on your computer is exactly the same as the file they’re providing.

    A checksum, also called a hash or hash value, is produced by running a cryptographic hash function, usually MD5 or SHA-1, on a file. Comparing the checksum produced by running a hash function on your version of the file, with the one published by the download provider, can prove with near certainty that both files are identical.

    Follow the easy steps below to verify a file's integrity with FCIV, a free checksum calculator:

    It should take less than five minutes to verify a file's integrity with FCIV.

    How to Verify File Integrity in Windows With FCIV

    Download and “Install” File Checksum Integrity Verifier, often simply referred to as FCIV. This program is freely available from Microsoft and works on all commonly used versions of Windows.

    FCIV is a command-line tool but don’t let that scare you away. It’s very easy to use, especially if you follow the tutorial outlined below.

    Obviously, if you've followed the tutorial above in the past then you can skip this step. The remainder of these steps assumes that you've downloaded FCIV and placed it in the appropriate folder as described in the link above.

    Navigate to the folder that contains the file that you want to create the checksum value for.

    Once there, hold down the Shift key while right-clicking on any empty space in the folder. In the resulting menu, select Open command window here. Command Prompt will open and the prompt will be preset to this folder.

    For example, if the file is in Tim's Downloads folder, the prompt in the Command Prompt window would read C:\Users\Tim\Downloads> after following this step from the Downloads folder.

    Another way to open Command Prompt from the folder is by erasing everything from the location box at the top of the window and replacing it with cmd.

    Next we need to make sure we know the exact file name of the file you want FCIV to generate the checksum for. You may already know it, but you should double-check to be sure.

    The easiest way to do this is to execute the dir command and then write down the full file name. Type the following in Command Prompt:

    That will generate a list of files in that folder. In this example, we want to create the checksum for a file called AA_v3.exe, so we'll write that down exactly.

    Now we can run one of the cryptographic hash functions supported by FCIV to create a checksum value for this file.

    Let's say that the website we downloaded the file from decided to publish an SHA-1 hash to compare to. This means that we also want to create an SHA-1 checksum on our copy of the file.

    To do this, execute FCIV as follows:

    Be sure you type the entire file name—don't forget the file extension!

    If you need to create an MD5 checksum, end the command with -md5 instead.

    Did you get a "'fciv' is not recognized as an internal or external command. " message? Be sure you've placed the file in an appropriate folder as described in the tutorial linked to in Step 1 above.

    Continuing our example above, here's the result of using FCIV to create an SHA-1 checksum on our file:

    The number/letter sequence before the file name in the Command Prompt window is your checksum.

    Don't worry if it takes several seconds or longer to generate the checksum value, especially if you're trying to generate one on a very large file.

    You can save the checksum value produced by FCIV to a file by adding > filename.txt to the end of the command you executed in Step 5. See How to Redirect Command Output to a File if you need help.

    Do the Checksums Match?

    Now that you've generated a checksum value, you need to see if it equals the checksum value the download source provided for comparison.

    If they match, then great! You can now be completely certain that the file on your computer is an exact copy of the one being provided. It means that there were no errors during the download process and, as long as you're using a checksum provided by the original author or a very trusted source, you can also be sure that the file hasn't been altered for malicious purposes.

    If the checksums don't match, download the file again. If you're not downloading the file from the original source, do that instead. In no way should you install or use any file that didn't perfectly match the checksum provided.

    I tried checksum Fedora Workstation 29 and Fedora KDE Plasma but it’s always fail. Am I doing something wrong, is the tutorial incomplete or the file in the server is corrupted?

    I use Windows -> commands in Powershell:

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    1 Answer 1

    EDIT: This answer was written assuming the iso checking was being conducted in Linux. It turns out it was in Windows. So the local download directory is probably different from what I mention (just substitute your actual download directory), and Windows may not come bundled with a checksum utility.

    Free checksum utilities are readily available. I’ve been away from Windows for awhile, but just Google “windows sha256 checksum” and there are tons of links and recommendations. These are simple utilities, so even old recommendations are likely to be fine. You don’t need anything fancy; anything that runs in your version of Windows and calculates the sha256 hash. So your windows command may be different from what I show below; just follow the simple instructions for the utility you use.

    Every once in awhile, I run into the same problem, where an iso checksum doesn’t match. It seems to happen with some frequency with Fedora. What I’ve discovered is that while many distros have made the checking procedure bulletproof (virtually no chance of getting a corrupt or tampered-with iso), they’ve introduced multiple potential points of failure for good isos. That appears to be the case here. The convoluted procedure is failing for a good iso.

    Just as background, the checksum lets you verify that the iso isn’t corrupted. Until recently, distros just provided the checksum so you could verify that you downloaded a good iso. However, it’s possible for the iso to be tampered with, and the checksum file to also be tampered with. So some of the distros have instituted somewhat convoluted procedures that enable you to have good assurance that the checksum you compare the iso to hasn’t been tampered with.

    It is difficult to do this kind of “undetectable” tampering even to files without these safeguards. Recurring verifications make any such tampering quickly discoverable, and the existence of the new procedures discourage hackers from even trying. So I stopped messing with the problem-prone procedures and just directly compare the iso checksum to the published value the old way. (So I’m only 99.999% protected from vandalism instead of 99.999999999%; I live life on the wild side.)

    The published checksums are in a file in the same repository as the iso. When you download the iso, Fedora takes you to a page with a download link for the checksum file, and the file should already now be in your download directory.

    The procedure you followed has already extracted the published checksum values, which are shown in your question. I just tested KDE, whose checksum begins 5f7103a. You can verify the workstation iso for yourself.

    Just open a terminal and navigate to your Downloads directory (that’s typically the default download location). If it is, and your terminal opens by default to your Home directory, just enter:

    (Note the capitalization). To verify that’s where the download is, type:

    and you should see it.

    Different distros use different checksums. The Fedora ones are sha256. You can generate the checksum with a built-in command:

    It will take a minute for it to process the file, and it will display the checksum value. Compare that to the published value for the same iso. If they match, the chance that you downloaded a corrupted iso are infinitesimal. The chance that you downloaded a vandalized iso with faked checksum (and that it wasn’t already caught if it happened), are vanishingly small.

    I recently paved my main development workstation after it started misbehaving (slow start up, some applications not opening consistently etc) and am trying to be careful about what I install on it going forward.

    Previously I had all manner of applications, games (including Steam) and utilities installed and the chances of finding what was causing the problems was pretty remote. There could of course be multiple culprits.

    Today I needed to install MySQL Workbench so I headed off to download it and noticed the MD5 checksum beneath the link. Now, I don’t always check these and maybe this is why my workstation ended up in a bit of a mess. But with a view to keeping this system as clean as I can I decided to make a point going forward of checking these checksums when they are available.

    The “problem” is which utility do you use to calculate the checksum of the downloaded file?

    If you Google for ‘MD5 checker’ you will see a number of utilities and while I have no reason to doubt the integrity of any of these I stopped short of installing any of them.

    Obviously each download was accompanied by it’s MD5 checksum so that I could verify the file but after freely installing all manner of utilities in the past I was a little bit wary this time around.

    Now, MD5 is not a new thing and you would think that Windows 10 would have some form of utility built in that would calculate the hash – and there is. Apparently it is also available in Windows 7 but I no longer have any systems running Win7 so I cannot verify that.

    Open a command prompt and enter the following:

    Depending on the size of the file it may take a few seconds to run the calculation but if successful the MD5 hash will be displayed as below.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    It is also possible to generate checksums for other hash algorithms by replacing the MD5 parameter used above with any of the following (note that if you don’t specify a value then SHA1 is used by default):

    • MD2
    • MD4
    • MD5
    • SHA1
    • SHA256
    • SHA384
    • SHA512

    So, if all you need is to determine the checksum of a downloaded file then there really isn’t any reason to install yet another utility to do so.

    Sports Team Comedy Troupe Fighter Jet Snake How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    Answer: Comedy Troupe

    A programming language doesn’t need a catchy name, but it certainly doesn’t hurt. In 1991 when Guido van Rossum was working on what would become the Python language, he was in search of a good name. His inspiration? Old scripts from Monty Python’s Flying Circus. He liked the sketch comedy of the legendary British comedy troupe and the name, Python, was short and memorable.

    As a result of Rossum’s naming choice, both the Python documentation and educational materials are littered with Monty Python references. The official documentation features obscure references to the group’s work and even the traditional “foo” and “bar” metasyntactic variables normally used in programming literature are replaced with “spam” and “eggs” in Python tutorials.

    More stories

    How to Manually Upgrade Your Nexus Device with Google’s Factory Images

    Google’s Nexus devices are supposed to receive timely updates, but the staggered rollout means it can take weeks for devices to receive over-the-air (OTA) updates. Luckily, there’s a faster (and geekier) way to install the latest version of Android.

    How to Verify a Linux ISO’s Checksum and Confirm It Hasn’t Been Tampered With

    Last month, Linux Mint’s website was hacked, and a modified ISO was put up for download that included a backdoor. While the problem was fixed quickly, it demonstrates the importance of checking Linux ISO files you download before running and installing them. Here’s how.

    Geek Trivia: The Floating Dots You See When Looking Up At A Clear Blue Sky Are?

    Think you know the answer? Click through to see if you’re right!

    Why You Shouldn’t Enable “FIPS-compliant” Encryption on Windows

    Windows has a hidden setting that will enable only government-certified “FIPS-compliant” encryption. It may sound like a way to boost your PC’s security, but it isn’t. You shouldn’t enable this setting unless you work in government or need to test how software will behave on government PCs.

    Geek Trivia: The First Book Sold By Was A Tome About?

    Think you know the answer? Click through to see if you’re right!

    How to Remap Buttons on Your PlayStation 4’s Controller

    Sony’s PlayStation 4 offers button remapping for its DualShock 4 controllers. If you don’t like a game’s control scheme, you’re free to switch the buttons around and make it more comfortable. The game doesn’t even need to offer its own button-remapping.

    What is the Longest Cat6 Cable You Can Run Between a PC and a Switch?

    When preparing to run some new cable for your computer, it pays to know what the limitations are so that you do not experience any problems afterwards. With that in mind, today’s SuperUser Q&A post provides some helpful knowledge to a confused reader.

    Geek Trivia: Myst Island, Setting Of The Iconic 1990s Video Game, Was Named After A Novel By?

    Think you know the answer? Click through to see if you’re right!

    How to Turn the Mouse Locator On or Off in OS X

    OS X 10.11 El Capitan includes a new “mouse locator” feature. If you lose your mouse pointer, just shake the mouse or move your finger on the touch pad vigorously, and the mouse pointer will temporarily grow very large so you can see it.

    How to Change the Default Hard Drive for Saving Documents and Apps in Windows 10

    Whenever you save a new file in Windows 10, the Save As window defaults to whichever of your user folders–Documents, Music, Pictures, and so on–is appropriate to the file type. If you’d rather not save files on the C: drive, though, Windows lets you create those folders on another hard drive to act

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    If you’ve just downloaded a file from the Internet, you may want to verify that the downloaded file hasn’t been tampered with. After all, who knows that kind of nefarious fiddling a hacker might have been up to? By checking the MD5, SHA-1 or SHA-256 checksum of a file, you can verify its integrity and ensure the file hasn’t been corrupted or changed.

    What’s a Checksum?

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    A checksum is a short, unique string that results from running an encryption algorithm on a given file. The algorithm looks at all the bits that make up a file and, based on those unique bits, creates a checksum. This checksum will change if even a single bit in the file changes. This means that by comparing two checksums, you can make sure your file hasn’t been damaged or modified. It’s a useful way to defend against file corruption or malicious interference in your downloads.

    The most commonly used algorithms for checksums in MD5. SHA-1 and SHA-256 are also available and are based on cryptographically-secure algorithms. If you can choose from among the three, use SHA-256.

    How Do You Use a Checksum?

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    To use a checksum, you’ll first need to know what a given file’s checksum is. This will have to be provided to you by the same source that provided the file. You’ll run your downloaded file through the same checksum algorithm using one of the tools below. Once you’ve done that, you’ll compare the two strings. If the strings match, the file hasn’t changed. If the strings don’t match, something about your file is different from the original file.

    Verify MD5, SHA-1 and SHA-256 Checksums in Windows 10

    The best way to run checksums in Windows 10 is with a tool called MD5 & SHA Checksum Utility. It will calculate the MD5, SHA-1 and SHA-256 checksums for a given file simultaneously and allow you to compare your result against the provided data.

    1. Download MD5 & SHA Checksum Utility from the developer’s website.

    2. Double-click the downloaded file to launch the program.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    3. Click the “Browse” button to select the file you want to check.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    4. Locate the provided checksum for your downloaded file. Not all downloaded files have checksums available, but open-source or security-conscious developers will frequently provide a checksum. Copy that checksum to the clipboard, then click the “Paste” button in MD5 & SHA Checksum Utility.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    5. If the checksum is the same as the checksum the application calculated, you’ll receive a success message. This means that the file you have is identical to the file that was previously checked.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    If the checksum is different, you’ll get an error message. This means the file has somehow changed since the last checksum was calculated.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    Verifying Checksums Within File Explorer

    If you verify checksums frequently, you might be interested in HashTab. The application installs an additional tab in the Properties window of File Explorer. Thanks to being embedded in Explorer, Hashtab can calculate checksums in place without requiring a separate application. By default, it calculates CRC32, MD5 and SHA-1 hash values. Additional hashing algorithms can be enabled in Hashtab’s settings.

    1. Download and install HashTab from the developer’s website.

    2. Right-click on the file you want to run a checksum against and choose “Properties” from the context menu.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    3. Click the tab labelled “File Hashes” at the top of the window to see the MD5, SHA-1 and CRC32 hashes for the file you selected.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    4. Copy and paste the checksum you want to compare against in the “Hash Comparison” dialog box.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    5. If the hash checks out, you’ll see a green checkmark.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    If the hash doesn’t match, you’ll see a red X.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with


    If you want to check the integrity of a file you’ve downloaded, checksums will help you get it done. You can use MD5 & SHA Checksum Utility as a standalone application for calculating and comparing MD5, SHA-1 and SHA-256 checksums or use HashTab for a checksum checking tool that’s integrated into File Explorer.

    What have i done . used the wrong deodorant. brushed my teeth with the sink cleaner ?

    New to this. keep it simple please.

    Condobloke . Outback Australian  fed up with Windows antics. . LINUX IS THE ANSWER . I USE LINUX MINT 18.3  EXCLUSIVELY.

    “A man travels the world in search of what he needs and returns home to find it.

    It has been said that time heals all wounds. I don’t agree. The wounds remain. Time – the mind, protecting its sanity – covers them with some scar tissue and the pain lessens, but it is never gone. Rose Kennedy


    BC AdBot (Login to Remove)


    #2 almodo

    • How to verify a linux iso’s checksum and confirm it hasn’t been tampered with
    • Members
    • 1 posts
    • Gender: Male
    • Local time: 06:11 PM

    That’s a SHA256SUM, not a MD5SUM.

    #3 Condobloke

    Outback Aussie @ 54.2101� N, 0.2906� W

    • Gender: Male
    • Local time: 04:11 AM

    Call off the marines. problem solved. the md5 checking tool I was using is not compatible with windows 10.

    (yes, I know. cnet download. I scanned the result with Sophos and Mbam. all good )

    Works like a dream and the md5’s(OOPS. Sha256’s) are a match !

    Edited to correct md5 to sha256)

    Edited by Condobloke, 03 April 2016 – 09:55 PM.

    Condobloke . Outback Australian  fed up with Windows antics. . LINUX IS THE ANSWER . I USE LINUX MINT 18.3  EXCLUSIVELY.

    “A man travels the world in search of what he needs and returns home to find it.

    It has been said that time heals all wounds. I don’t agree. The wounds remain. Time – the mind, protecting its sanity – covers them with some scar tissue and the pain lessens, but it is never gone. Rose Kennedy

    A checksum is a string of numbers and letters that act as a fingerprint for a file against which later comparisons can be made to detect errors in the data. They are important because we use them to check files for integrity. Our digital preservation policy uses the UNESCO definition of integrity.

    How do I check a checksum in Windows?

    Verify the MD5 Checksum Using WindowsOpen Command Prompt.Open your downloads folder by typing cd Downloads. Type certutil -hashfile followed by the file name and then MD5.Check that the value returned matches the value the MD5 file you downloaded from the Bodhi website (and opened in Notepad).

    How do you run checksum?

    WINDOWS:Download the latest version of WinMD5Free.Extract the downloaded zip and launch the WinMD5.exe file.Click on the Browse button, navigate to the file that you want to check and select it.Just as you select the file, the tool will show you its MD5 checksum.

    How do I check the checksum in Windows 10?

    Microsoft provides a tool called File Checksum Integrity Verifier utility that you can use to check the checksum value of a file. Download and extract it. You will have to use it from the Command Prompt. Open Command Prompt and use the cd command to move to the folder you extracted the tool to.

    How do I know if Windows is sha256?

    Open a command prompt window by clicking Start >> Run, and typing in CMD.exe and hitting Enter.Navigate to the path of the sha256sum.exe application.Enter sha256.exe and enter the filename of the file you are checking.Hit enter, a string of 64 characters will be displayed.

    Is there a built in checksum utility on Windows 10?

    Windows 10 (and 7) Built-In MD5 Checksum Calculator.

    What is the sha256 checksum?

    An SHA checksum is a string of letters and numbers that represents a long checksum, also known as a hash code. In this topic by SHA we mean SHA256, an extremely rigorous form. No two files will have the same SHA checksums.

    How do you check a hash file?

    ISO file you got from somewhere and you want to confirm it hasn’t been tampered with. You can look up the hash of that specific ISO file online on the Linux distribution’s website. You can then run it through the hash function on your computer and confirm that it matches the hash value you’d expect it to have.

    How do I find sha256 checksum in Windows 10?

    2. Right-click on the file you want to run a checksum against and choose “Properties” from the context menu. 3. Click the tab labelled “File Hashes” at the top of the window to see the MD5, SHA-1 and CRC32 hashes for the file you selected.

    How do you generate a hash value?

    Hashing involves applying a hashing algorithm to a data item, known as the hashing key, to create a hash value. Hashing algorithms take a large range of values (such as all possible strings or all possible files) and map them onto a smaller set of values (such as a 128 bit number).

    How does hash verification work?

    A cryptographic hash is a checksum or digital fingerprint derived by performing a one-way hash function (a mathematical operation) on the data comprising a computer program (or other digital files). Any change in just one byte of the data comprising the computer program will change the hash value.

    Is hashing reversible?

    Hash functions are not reversible in general. MD5 is a 128-bit hash, and so it maps any string, no matter how long, into 128 bits. Obviously if you run all strings of length, say, 129 bits, some of them have to hash to the same value. Not every hash of a short string can be reversed this way.

    Is hashing secure?

    Encryption is a two-way function; what is encrypted can be decrypted with the proper key. Hashing, however, is a one-way function that scrambles plain text to produce a unique message digest. With a properly designed algorithm, there is no way to reverse the hashing process to reveal the original password.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered withThinkstock

    No one ever looks at checksums, claims the attacker behind the Linux Mint breach. That needs to change.

    The attack against Linux Mint’s website, where users were tricked into downloading a modified ISO Linux Mint 17.3 Cinnamon from a Bulgarian server, highlights the risks of downloading software from the Internet. Just because the download link is on the official (thus, trusted) website is not enough to guarantee the software itself is safe. Users have to verify the authenticity of the software themselves.

    “Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it,” project lead Clem Lefebvre posted on the Linux Mint blog. Lefebvre has taken the entire server offline to contain the breach and fix the issues.

    Getting trusted software

    While the general recommendation is to rely on official sources, that advice is not so helpful when the official sources are compromised. In the first postintrusion blog post, the Mint team told users to consult the ISO’s MD5 checksum to ensure the downloaded file matched the string posted on the website. In fact, users should always verify the checksum before installing to make sure the file hasn’t been tampered with.

    Users should look for download links served up over HTTPS and not HTTP where possible, said Wim Remes, a Rapid7 manager. While Lefebvre said HTTPS would not have helped in this specific case, it’s a good thing to look for. “Verify the SSL certificate in case you are questioning the source,” Remes said.

    While MD5 checksums are widely used, they aren’t the best choice for verifying file authenticity because MD5 hashes are weak and can easily be cracked. The more secure alternative would be to generate SHA256 checksums. Even SHA-1, which has its own security weaknesses, would be a better choice than MD5.

    There’s another, more pressing problem with Mint’s advice about using MD5 checksums: If the attacker has access to the website to be able to modify the download links to point to a malicious download, then presumably the attacker can post the modified file’s checksum to the site, which appears to be exactly what happened, according to ZDNet.

    This is why maintainers should adopt signed checksums for their software, and users need to get in the habit of verifying downloads with public keys. In this case, the developers would sign the software with their private key, and the users downloading the software package would verify the signature with the available public key to ensure authenticity.

    With signed checksums, attackers can’t easily put up modified ISOs and fake checksums. Assuming, of course, that attackers don’t somehow steal the private PGP key and password as well. Pro tip: Don’t store the private key and password on the public server.

    To be fair to Mint, the team does sign releases with a PGP key, and the file is available on its download server, but it isn’t easy to find. This isn’t a problem with only Mint, though. Many distributions, even Ubuntu, make it difficult for users to find the signature file, let alone the instructions on how to verify the signature. Tails, the paranoid’s choice of Linux, offers clear instructions on how to verify PGP signatures when downloading the ISO.

    More software developers, not Linux maintainers alone, should adopt the practice.

    The key mistakes

    The attacker compromised the website by exploiting a flaw in WordPress to get a www-data shell. While the site had the most recent build of the popular content management platform, the attackers were able to find a way in because the site used a custom theme and had “lax file permissions for a few hours,” Lefebvre said.

    The team appears to have made other mistakes beyond file permissions. The attackers were able to break into the community forums and related user information. Setting aside the question of whether Mint should be using phpBB — frequently criticized for security vulnerabilities — the database was not properly secured. The person claiming responsibility for the breach posted part of a configuration file on Hacker News showing that Mint had selected the same database username as the database name itself, “lms14.” The database password appeared to be “upMint.”

    Perhaps “the insanely secure db credentials had something to do with the breach? But what would I know,” the poster wrote.

    Anyone who downloaded Linux Mint 17.3 Cinnamon on Feb. 20 should immediately get rid of that file and redownload the correct ISO. If the ISO, which has been modified to run a DDoS botnet, has already been installed, the system should be taken offline and re-installed with the real ISO.

    Remes also suggests using an older, verified version and then using the update/upgrade packages from the repository instead of just grabbing a new ISO.

    The “ shell, php mailer, and full forum dump” was available for sale on underground forums hours after the attack was made public, according to Yonathan Klijnsma, senior threat intelligence analyst for Fox-IT, a Dutch security firm. Anyone who had a forum account should immediately change their passwords if they had been reused on other sites.

    Lefebvre claims this is the first time Linux Mint has experienced anything more serious than a DDoS attack and that communication is important part of recovery. “It’s also important we communicate about this attack because we’re not talking about downtime or inconvenience here, this is a call to action,” he said. People who are affected by the breach need to know what is happening so that “they don’t get hurt or used going forward,” he wrote.

    Fahmida Y. Rashid is a freelance writer who wrote for CSO and focused on information security.

    A hacker modified a version of Linux Mint to contain a backdoor, then hacked the project’s website to trick users into downloading the malicious version.

    Zack Whittaker was the security editor for ZDNet.

    A hacker has broken into the website of one of the most-popular Linux version and pointed users to malicious download links that contained a “modified” version of the software.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with


    The surprise announcement was made Saturday, shortly after the breach was detected.

    In a blog post, Clement Lefebvre, head of the Linux Mint project — said to be the third most-popular version of the open-source operating system after Ubuntu and Fedora — confirmed the breach.

    “Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it,” he said.

    “As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition,” he added. “If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either.”

    Lefebvre said only downloads from Saturday were compromised.

    Shortly after the announcement, the project’s website was pulled offline.

    Lefebvre said the hacked download image files — used to install the Linux operating system — were hosted on a server based in Bulgaria. Micah Lee, security engineer and reporter at The Intercept, posted on his blog with more details, saying that the hacker loaded the Tsunami botnet malware on the disk image. Tsunami allows an attacker remote access to an infected machine.

    Lefebvre said in this case the backdoor connects to “,” which at the time of writing does not appear to be online.

    It’s thought the Linux distro’s website and forum was stolen in the breach.

    CSO’s Steve Ragan found an ad on a dark web site claiming to have a “full forum dump” of the site, with a going rate of about 0.197 bitcoin, or about $85 per download. (We were able to verify the listing exists, but could not speak to its authenticity.)

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    A screenshot of the alleged dark-web listing. (Image: ZDNet/CBS Interactive)

    Lefebvre confirmed the site was hacked through its outdated WordPress installation, but he denied that using HTTPS site encryption would have mitigated the attack.

    “You’d be served the exact same hacked information via HTTPS,” he said.

    Lee also criticized the site’s lack of encryption, arguing that the checksums on the site could easily be modified by an attacker to trick the user into downloading a verified build.

    “If a hacker can hack the website to modify the download link, they can modify the checksum at the same time to match their malicious download,” he said.

    “Verifying is PGP signatures is more complicated and harder to explain than comparing checksums, but it’s actually secure. It’s the only way to be sure that a Linux installer ISO you download hasn’t been tampered with since the image was built by the developers,” he added.

    We recently covered MD5 and SHA1 hashes and how you can use them to verify file integrity in Windows. Since most people are browsing the web on their mobile devices these days, it only makes sense to show you how to do the same on Android, especially since many people need to verify the integrity of flashed ROMs and other significant installations that often require root access.

    Although you could easily generate hashes with just one of the following apps, there’s always a chance that some might stop working in the future due to lack of updates or other problems, so we’ve listed the top 4 to make sure you’ll always have a working solution to rely on:

    1. Hash Calc (Checksum Utility)

    Hash Calc is currently the highest rated app of its kind in the Google Play Store with a rating of 4.7. Upon examining its interface, it’s easy to see why it’s leading the pack, with support for MD5, SHA-1, SHA-256, SHA-356, and SHA-512. You can also generate a checksum for a block of text using the Plain Text tab, which is useful for ensuring that a written document or segment of code hasn’t been altered or corrupted from its original form.

    Using Hash Calc is as simple as selecting the hash type you want to calculate and then navigating to the file using the Browse button. After selecting the file, you’ll see the generated hash along with the options to export to a text file, copy to clipboard, save as a starred checksum, or compare to an inputted hash value.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    Tapping the Settings menu will let you set the app’s default file browsing directory, show hidden files, and show hidden directories.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    2. HashStamp MD5 & SHA1 Checker

    HashStamp is a much more straightforward and streamlined app, with a simple interface that lets you browse to the file after tapping a generic Folder icon. Selecting a file automatically generates MD5 and SHA1 hashes – the only two hash types supported.

    There’s a Text tab for generating checksums for pasted blocks of text. There’s also a unique option to quickly share generated hashes using a Share button – a benefit that makes this app worthy of the #2 spot.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    3. Checksum MD5 & SHA1

    This is the most basic of all the apps on this list, providing a simple browser directory that you can use to select a file, at which point the MD5 and SHA1 hashes are displayed. As with all other apps on this list, there’s a Verify Against Clipboard feature that lets you compare the generated checksum to a copied value to automatically confirm an exact match.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    4. MD5 Checker

    MD5 Checker is another simplistic app that displays only the MD5 and SHA1 hashes of a selected file. You can select two files and it will compare their hashes. If it’s a match, the strings of letters will turn from red to green. As with the others, there’s a text option so it’s a suitable alternative/backup to keep in mind.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    Comparing Checksums to Make Sure the File Hasn’t Been Infected or Altered

    In closing, with malware and adware like RottenSys causing problems related to Android security and functionality, it’s more important than ever to be careful about installing clean files. By comparing the downloaded file’s checksum to the value listed by the official source, you can ensure that you’re not installing an altered or corrupt package.

    Any internet user will need to download files eventually, and most simply have faith that what they are downloading is trustworthy. This doesn’t give much clarity into the contents of the file, but if the file’s author published the original checksum, comparing it to the SHA-256 hash of the downloaded file can ensure nothing was tampered with.

    When we have a file that we need to audit against a checksum provided by the file’s author, we can use open-source cryptographic software to calculate a checksum. Reviewing the checksum is used for situations where maybe you are at a sketchy website or you don’t know if your favorite site is being spoofed.

    How a Hash Works

    Data from a file to be checked is divided into 512-bit blocks. Each block is passed through the SHA-256 algorithm and added to a sum until there is no more data to be added to that number. The final sum of this calculation is our checksum, also known as a hash. You can learn more about how hashing works in the video below.

    In essence, when we calculate a hash, it is a one-way cryptographic function, meaning a change to a single bit will generate a new, seemingly random number that is very hard to arrive at again. If you can cause two different files to generate the same checksum, this creates an extremely rare condition called a collision. This kind of attack is a weakness in SHA-1 and other cryptographic functions but takes significant time and resources to attempt to exploit.

    In this article, I will demonstrate how to compare the SHA-256 hash of a file downloaded with the one provided by the file’s author first on a Windows system, and then on Kali Linux.

    Method 1: Using 7-Zip on Windows

    The first thing we are going to do is download a program for Windows called 7-Zip. This tool isn’t only for comparing the checksum, but also for compressing and decompressing files and folders. You can download that from the official 7-Zip download page. Make sure to download and install the most recent and stable version. It is a very simple to install; just follow the on-screen prompts.

    Next, let’s compare a downloaded hash by going to a website that displays the checksum for a download. For this test, we will be using the download page of VLC media player for Windows. On their site, they helpfully display their checksum in an SHA-256 hash format by clicking the “Display Checksum” button. Stay on this webpage, as we’ll need to compare the hash against that number shortly.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    Go to the folder where you downloaded the VLC installation file. After locating it, just right-click on the file and scroll down to the part where it says “CRC SHA.” We will need to choose the correct SHA algorithm, which VLC has provided on their website. In this case, we will select the SHA-256 option by clicking on it in the submenu. Notice you don’t have to open 7-Zip up directly to do this.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    Finally, 7-Zip will show the outcome of the checksum. Now, we’ll need to compare this value with the one we were provided by the website. Check back with the VLC website and locate the checksum to compare the values.

    If the contents of the file had been tampered with, the whole checksum would change, so I personally usually look at the last 4 characters. If the number has changed, then we know the download was tampered with or corrupted.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    Method 2. Using UNXZ on Kali Linux

    Now let’s open our favorite Linux distro, Kali Linux, and open up the browser.

    To run our test, go to the Kali ISO downloads page to locate our example file to download. For a shorter download, we will be selecting the smallest ISO, the “Kali armel” image, to download. You can choose to download it over HTTP or torrent.

    Once the image has been downloaded, open up a terminal window and use cd to navigate to the folder where you downloaded the file to. There are many ways to unzip a file on Linux, but what worked for me was a command included by default in Kali called unxz. Run it followed by the path to the file to unzip the ISO image you downloaded.

    Once that is extracted, we want to type the following into a terminal window. Make sure “2017.1” is replaced with the current version you downloaded.

    Hit return and the checksum for the file will be displayed in the terminal window. Now, you can compare against the checksum provided by the website. They should match, as shown in the image below.

    How to verify a linux iso’s checksum and confirm it hasn’t been tampered with

    Threats Against Hashing

    There are still attacks about using the checksum method, most recently SHA-1 was demonstrated to be vulnerable to a collision attack, so most users have switched to a new standard protocol with a longer, more secure cryptographic algorithm called SHA-256. There could be people, at this moment, working on a generating a collision attack on SHA-256.

    These techniques can be subverted by tactics like a man-in-the-middle attack. An attacker could simply comprise the web host for that file, replace the real hash with the checksum of their own malicious file, or create a new hash with the attacker’s manipulated file’s checksum value and swap the file for the original on the site. This is exactly what happened to users who downloaded a compromised version of Linux Mint 17.3 Cinnamon edition hosted on a compromised Bulgarian FTP server, so be careful out there!

    SHA-256 — Your Second Set of Eyes

    So that’s it, you can now confirm that the download is in its true form, and was not manipulated in any way. This is just one of many methods for staying safe on the internet while downloading files. In reality, this is a way of being more aware of your surroundings, similar to protecting your PIN number at an ATM. Aside from defending against malicious hackers embedding malware into downloads, it also can be used to detect corrupted files.

    Thanks for reading. Stay connected and check out our social accounts!

    Want to start making money as a white hat hacker? Jump-start your hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from cybersecurity professionals.