How to verify your Ubuntu download

NOTE: You will need to use a terminal app to verify an Ubuntu ISO image. These instructions assume basic knowledge of the command line, checking of SHA256 checksums and use of GnuPG.

Verifying your ISO helps ensure the data integrity and authenticity of your download: the checksum catches a corrupted or truncated download, and the signature on the checksum file catches a download that was tampered with on the mirror or in transit. The process is fairly straightforward, but it involves a number of steps. They are:

  1. Download SHA256SUMS and SHA256SUMS.gpg files
  2. Get the key used for the signature from the Ubuntu key server
  3. Verify the signature
  4. Check your Ubuntu ISO with sha256sum against the downloaded sums

After verifying the ISO file, you can then either install Ubuntu or run it live from your CD/DVD or USB drive.

  1. Download sums

    Download the SHA256SUMS and SHA256SUMS.gpg files from any of the mirrors and put them in the same directory.

    Download sums and signature for 16.04 LTS ›

  2. Get the signature key

    Tip: On non-Linux systems, you might need to download the GPG tools for this next step. To check whether you have the GPG tools installed, run the command gpg --version or gpg2 --version.

    Find out what key was used to issue the signature

    Running GnuPG against the signature tells you which keys are needed to check it (note: on some systems the command is gpg2 rather than gpg).

    gpg --verify SHA256SUMS.gpg SHA256SUMS
    gpg: Signature made Fri 25 Mar 04:36:20 2016 GMT using DSA key ID FBB75451
    gpg: Can't check signature: No public key
    gpg: Signature made Fri 25 Mar 04:36:20 2016 GMT using RSA key ID EFE21092
    gpg: Can't check signature: No public key

    Looking at the output, you can see the key IDs are 0xFBB75451 (generated in 2004, deprecated) and 0xEFE21092 (generated in 2012, current). These eight-hex-digit short key IDs are convenient for fetching keys, but they are not unique: different keys can share a short ID, so the fingerprint comparison in the next step is what actually identifies the key.

    Now get the public keys from the Ubuntu key server and add them to your keyring.

    gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 0xFBB75451 0xEFE21092
    gpg: /Users/lola/.gnupg/trustdb.gpg: trustdb created
    gpg: key EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>" imported
    gpg: key FBB75451: public key "Ubuntu CD Image Automatic Signing Key <[email protected]>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 2
    gpg:               imported: 2

    Verify the key fingerprints

    Importing a key from a keyserver does not prove it belongs to Ubuntu; anyone can upload a key with any user ID. Compare the full fingerprints printed here with the ones listed on this page (or another source you trust), not with anything the keyserver returned.

    gpg --list-keys --with-fingerprint 0xFBB75451 0xEFE21092
    pub   1024D/FBB75451 2004-12-30
          Key fingerprint = C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451
    uid                  Ubuntu CD Image Automatic Signing Key <[email protected]>

    pub   4096R/EFE21092 2012-05-11
          Key fingerprint = 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
    uid                  Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>
  3. Verify signature

    Now you can re-run the original command to verify the signature.

    gpg --verify SHA256SUMS.gpg SHA256SUMS
    gpg: Signature made Fri 25 Mar 04:36:20 2016 GMT using DSA key ID FBB75451
    gpg: Good signature from "Ubuntu CD Image Automatic Signing Key <[email protected]>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451
    gpg: Signature made Fri 25 Mar 04:36:20 2016 GMT using RSA key ID EFE21092
    gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092

    This is an example of a 'good' signature: GnuPG has confirmed that SHA256SUMS has not been modified since it was signed with these two keys. The warning messages mean that your GnuPG trust database holds no trust information for the signing keys; unless you have verified and signed one of the public keys belonging to signers of the Ubuntu ISO image signing key, you will always see them. They are expected here, but note what they do not tell you: a 'good' signature from an unknown key only proves that some key signed the file. The assurance that it was Ubuntu's key comes from the 'Primary key fingerprint' lines matching the fingerprints you checked in the previous step.
  4. Check the ISO

    Now you need to generate a SHA-256 checksum for the downloaded ISO and compare it to the one listed for that file in the SHA256SUMS file you downloaded and verified.

    On Ubuntu, the command to check will look like:

    sha256sum -c SHA256SUMS 2>&1 | grep OK

    On Mac OS X, the command will look like:

    shasum -a 256 -c SHA256SUMS 2>&1 | grep OK

    If you're using Windows, you may need to download a SHA-256 tool first. Once you have one, compute the SHA-256 of the ISO with it and compare the result against the line for that file in SHA256SUMS.

    In each case, good output looks like the following. SHA256SUMS lists every image of the release, so the check also reports the files you did not download as missing (that is why stderr is merged in and only the OK lines are kept).

    ubuntu-16.04-desktop-amd64.iso: OK

    If you get no results (or any result other than that shown above) you will need to check your download again. No output at all also means the ISO's filename was not found in SHA256SUMS, for instance because it was renamed, so check that before re-downloading.
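The four steps above combined into one script, as an added example that is not part of this page and not Ubuntu's own tooling. It assumes gpg is on PATH and that SHA256SUMS, SHA256SUMS.gpg and the ISO are in the current directory (an assumed layout); the pinned fingerprints are the two printed in step 2. It does two things the one-liners above do not: it refuses any signature that was not made by one of the pinned keys, so a key fetched from a keyserver by short ID cannot be substituted, and it reports an ISO that is absent from SHA256SUMS as a failure instead of silently printing nothing.

```python
#!/usr/bin/env python3
"""Added example (not Ubuntu's own tooling): steps 1-4 above in one script.

Assumes gpg is on PATH and that SHA256SUMS, SHA256SUMS.gpg and the ISO
sit in the current directory (assumed layout, not taken from the page)."""
import hashlib
import re
import subprocess
import sys
from pathlib import Path

# Fingerprints of the two Ubuntu CD image signing keys, as printed in step 2.
# Pinning them means the keyserver only supplies key material; it is never
# trusted to say which key is Ubuntu's.
UBUNTU_CDIMAGE_FINGERPRINTS = {
    "843938DF228D22F7B3742BC0D94AA3F0EFE21092",  # 2012, RSA 4096, current
    "C5986B4F1257FFA86632CBA746181433FBB75451",  # 2004, DSA 1024, deprecated
}


def parse_sha256sums(text):
    """Parse the SHA256SUMS format: '<64 hex digits> *<name>' (binary mode)
    or '<64 hex digits>  <name>' (text mode). Returns {name: lowercase hex}."""
    sums = {}
    for line in text.splitlines():
        m = re.fullmatch(r"([0-9a-fA-F]{64}) [ *](.+)", line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def sha256_file(path, chunk_size=1 << 20):
    """Stream a multi-GB ISO through SHA-256 without loading it into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def check_iso(sums, iso_name, actual_digest):
    """Step 4. Returns (ok, reason). A missing SHA256SUMS entry is a failure;
    'sha256sum -c ... | grep OK' would simply print nothing in that case."""
    expected = sums.get(iso_name)
    if expected is None:
        return False, "not listed in SHA256SUMS"
    if expected != actual_digest.lower():
        return False, "checksum mismatch"
    return True, "OK"


def good_signature_fingerprints(status_output):
    """Parse gpg --status-fd output and return fingerprints of keys that
    produced a VALIDSIG line. Field layout:
      [GNUPG:] VALIDSIG <signing-key fpr> <date> <ts> <exp> <ver> <rsv>
               <pk-algo> <hash-algo> <class> <primary-key fpr>
    Both the signing-key and the primary-key fingerprint are collected."""
    fprs = set()
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            fprs.add(parts[2].upper())
            fprs.add(parts[-1].upper())
    return fprs


def verify_signature(sig="SHA256SUMS.gpg", data="SHA256SUMS"):
    """Step 3 with the key pinned: run gpg --verify and accept only if a valid
    signature comes from a pinned fingerprint. The human-readable 'Good
    signature' text is ignored; the machine-readable status lines decide."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig, data],
        capture_output=True, text=True,
    )
    signers = good_signature_fingerprints(proc.stdout)
    pinned = signers & UBUNTU_CDIMAGE_FINGERPRINTS
    if not pinned:
        raise SystemExit(
            f"{data}: no valid signature from a pinned Ubuntu key "
            f"(valid signers: {sorted(signers) or 'none'})"
        )
    return pinned


if __name__ == "__main__":
    iso = sys.argv[1] if len(sys.argv) > 1 else "ubuntu-16.04-desktop-amd64.iso"
    for fpr in sorted(verify_signature()):
        print(f"SHA256SUMS: good signature from pinned key {fpr}")
    sums = parse_sha256sums(Path("SHA256SUMS").read_text())
    ok, reason = check_iso(sums, iso, sha256_file(iso))
    print(f"{iso}: {reason}")
    sys.exit(0 if ok else 1)
```

Run it as `python3 verify_iso.py ubuntu-16.04-desktop-amd64.iso` from the directory holding the three files. The order matters: the signature on SHA256SUMS is checked before any checksum is read from it, so a mirror that swaps both the ISO and the sums file still fails at step 3.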