Ade Malsasa Akbar contact
Senior author, Open Source enthusiast.
Thursday, April 20, 2017 at 14:29


Verifying checksum for a GNU/Linux image is similar to comparing fingerprints for human. It verifies that your downloaded Ubuntu image is valid or not. By valid here it means it's 100% the same as the file on official server. Whenever it's verified valid, then it's OK for you to use it and further to redistribute. But whenever it's not valid, it means the image is probably corrupted, broken, of even altered by somebody else. This short tutorial shows 3 steps to verify Ubuntu image for beginners.

Subscribe to UbuntuBuzz Telegram Channel to get article updates directly.

What You'll Do?


You will extract the "fingerprint" of your downloaded ISO image and compare it to its official "fingerprint".

1. Find the Checksum First


The official checksum values ("fingerprints") are always available on Ubuntu image download server. They are just TXT files containing image file names and checksum strings. You get them from http://releases.ubuntu.com. You may choose between MD5SUMS, SHA1SUMS, or SHA256SUMS available. Any choice should be OK.

For example, these are checksum links for:

Latest version Ubuntu 17.04 (http://releases.ubuntu.com/zesty/):

MD5SUMS
SHA1SUMS
SHA256SUMS

The MD5SUMS content looks like below:



Old version Ubuntu 12.04 (http://old-releases.ubuntu.com/releases/precise/):

MD5SUMS
SHA1SUMS
SHA256SUMS

The MD5SUMS content looks like below:



2. Verify Downloaded Image


Extract checksum value from your Ubuntu image by running one of three commands: md5sum, sha1sum, or sha256sum. You see the command names are similar to the official checksum files meaning the result should be compared to respective checksum.

These are some examples for verifying a ubuntu-mate-17.04-desktop-amd64.iso image:

MD5SUM Command:
$ md5sum -b ubuntu-mate-17.04-desktop-amd64.iso

Result:

5f9c81873171bb716715c6a2ae8ff722 *ubuntu-mate-17.04-desktop-amd64.iso

SHA1SUM Command:
$ sha1sum -b ubuntu-mate-17.04-desktop-amd64.iso

Result:

14dd7b2c2766e6205ad71100ac99c90b1aa92d1c *ubuntu-mate-17.04-desktop-amd64.iso

SHA256SUM Command:
$ sha256sum -b ubuntu-mate-17.04-desktop-amd64.iso

Result:

acfcf1ab54946c67e99e0503c23385e697046fae45e393661d501100844d9a5d *ubuntu-mate-17.04-desktop-amd64.iso

The long, single alphanumerical strings are the hash checksum values. They are the "fingerprints".


3. Compare Between Your Value and Official Value


Now you just need to compare your checksum value and its official one. The method is truly easy: copy the value > go to your browser > open the official value > Ctrl+F > paste > you should find the search matches. You just need to do this once, for example compare MD5 value with MD5SUMS, that's enough.

Compare MD5 value with MD5SUMS:


Compare SHA1 value with SHA1SUMS:


Compare SHA256 value with SHA256SUMS:


4. How If The Comparison Failed?


While you find your value and the official values are different, it means your downloaded ISO image is not exactly the same as the one available on server. It may be corrupted, or not downloaded completely, or even broken. If that is the case you should re-download the ISO image from start.