How to verify ISO checksums on Linux
If you’ve used Linux for any amount of time, you might notice that many Linux operating system developers ask that you “verify the checksums” after downloading. What is a checksum? It’s a data block that is algorithmically generated. It is used to check for tampering or errors in a file.
In the Linux community, developers use checksums to prevent tampering with operating system downloads. For example, if a hacker got into the Ubuntu.com website and tampered with the ISO files, you’d be able to detect that your download has been tampered with by verifying the checksum.
In this guide, we’ll go over how you can very a checksum on Linux using graphical tools and the terminal as well. In this tutorial, we will be using the latest Linux Mint ISO as an example.
Method 1 – verifying a checksum with the GUI
The best way to verify a checksum on Linux with the GUI is by using the GTKhash utility. It’s an easy-to-use program that doesn’t require a whole lot of advanced knowledge to use. However, it needs to be installed first, as GTKhash is not pre-installed on many Linux operating systems.
To start the installation of GTKhash on Linux, open up a terminal window. To do this, press Ctrl + Alt + T or Ctrl + Shift + T on the keyboard. Then, when the terminal window is open, follow along with the command-line installation instructions outlined below that corresponds with your distribution.
Ubuntu
On Ubuntu Linux, you can easily get the GTKHash application installed by using the Apt command below.
sudo apt install gtkhash
Debian
If you’re a Debian Linux user, you’ll be able to install GTKHash on your computer with the following apt-get command.
sudo apt-get install gtkhash
Arch Linux
On Arch Linux, the GTKHash program is not in the repos. However, there is a third-party Arch Linux software repository that has the app pre-compiled and ready to go. To install it, enter the two commands below.
wget https://lonewolf.pedrohlc.com/chaotic-aur/x86_64/gtkhash-1.4-2-x86_64.pkg.tar.zst sudo pacman -U gtkhash-1.4-2-x86_64.pkg.tar.zst
If you’re not a huge fan of third-party repositories, you can also get the GTKHash app working for Arch Linux by installing it through the AUR using your favorite AUR helper.
Fedora
On Fedora Linux, you’ll be able to install the GTKHash application using the dnf command below.
sudo dnf install gtkhash
OpenSUSE
On OpenSUSE Linux, the GTKHash app is available, but only through a third-party software repository. To install the app, click on this link. Then, select the “1 Click Install” button next to the release of OpenSUSE Linux you use.
Once the GTKHash application is set up on your computer, launch the app by searching for it in the app menu. Then, follow the step-by-step instructions below to learn how to verify checksums using GTKhash.
Step 1: Find the “File” section of GTKHash. It should say “(None)” by default. Click it, and select the ISO file you want to verify. In this guide, we’ll be using Linux Mint 20 Cinnamon as an example.
Step 2: Go to the website from which you downloaded the ISO and locate the checksum hash. It should be a long string of numbers. If you cannot find it, check out the official documentation for your Linux OS.
Step 3: Copy the checksum code to your clipboard. Then, paste it in the “Check” box.
Step 4: Find the “Hash” button at the bottom of the page and click it. GTKHash will compute for a minute and verify the code you posted with the ISO file. If the hash matches, you shouldn’t see any difference from the “Check” box and the output boxes.
Method 2 – Verifying checksum with Terminal
Verifying the checksum with the terminal is simple on Linux, but not nearly as convenient. On most modern Linux distributions, SHA265 hashes are used. However, some use MD5 sums. We will cover both in this section.
To verify a SHA265 checksum, do the following. Again, just like in the GUI section, we will be using the Linux Mint 20 Cinnamon ISO as an example.
Open up a terminal window on the Linux desktop. Then, move the terminal session to where the ISO file is. In this example, it is in “Downloads”.
cd ~/Downloads
Run the sha256sum command on the downloaded ISO file. If the output matches the checksum on the website, it is clean and untampered with. If it does not, it is corrupted and you should not use it.
sha256sum iso-file.iso
To check an MD5 checksum, make use of the md5sum command.
md5sum iso-file.iso
Just like the SHA256 sum, if the output does not match the checksum code on the website, you have a corrupted ISO file, and you shouldn’t use it. If they match, everything is safe to use!