Last month, Linux Mint’s website was hacked, and a modified ISO was put up for download that included a backdoor. While the problem was fixed quickly, it demonstrates the importance of checking Linux ISO files you download before running and installing them. Here’s how.
Linux distributions publish checksums so you can confirm the files you download are what they claim to be, and these are often signed so you can verify the checksums themselves haven’t been tampered with. This is particularly useful if you download an ISO from somewhere other than the main site–like a third-party mirror, or through BitTorrent, where it’s much easier for people to tamper with files.
How This Process Works
The process of checking an ISO is a bit complex, so before we get into the exact steps, let’s explain exactly what the process entails:
- You’ll download the Linux ISO file from the Linux distribution’s website–or somewhere else–as usual.
- You’ll download a checksum and its digital signature from the Linux distribution’s website. These may be two separate TXT files, or you may get a single TXT file containing both pieces of data.
- You’ll get a public PGP key belonging to the Linux distribution. You may get this from the Linux distribution’s website or a separate key server managed by the same people, depending on your Linux distribution.
- You’ll use the PGP key to verify that the checksum’s digital signature was created by the same person who made the key–in this case, the maintainers of that Linux distribution. This confirms the checksum itself hasn’t been tampered with.
- You’ll generate the checksum of your downloaded ISO file, and verify it matches the checksum TXT file you downloaded. This confirms the ISO file hasn’t been tampered with or corrupted.
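Steps 2 through 5 above, as an added example that is not part of the original article: it assumes the distribution publishes a GNU sha256sum-style text file (optionally clearsigned) with a detached PGP signature, calls the local gpg binary for step 4, and uses a constructed file in place of a real ISO for the demonstration.

```python
import hashlib, hmac, subprocess, tempfile
from pathlib import Path

HEX = set("0123456789abcdefABCDEF")

def parse_sums_file(text):
    """Parse a SHA256SUMS-style listing, one '<hex digest>  <file>' per line.
    '*<file>' is sha256sum's binary-mode marker; in a clearsigned file the
    '-----BEGIN PGP ...' and 'Hash:' lines carry no digest and are skipped."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64 and set(parts[0]) <= HEX:
            sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a multi-GB ISO is never read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def signature_is_valid(sums_path, sig_path):
    """Step 4: gpg checks the detached signature over the checksum file; True
    only if gpg exits 0, i.e. the signature verifies with a key in the keyring."""
    proc = subprocess.run(["gpg", "--verify", str(sig_path), str(sums_path)],
                          capture_output=True, text=True)
    return proc.returncode == 0

def iso_matches(iso_path, sums_text):
    """Step 5: compare the ISO's digest with the entry for its own filename."""
    expected = parse_sums_file(sums_text).get(Path(iso_path).name)
    if expected is None:   # a missing entry is a failure, not a pass
        return False
    return hmac.compare_digest(sha256_of_file(iso_path), expected)

def demo():
    """Constructed sample (not a real ISO): returns (intact result, tampered result)."""
    with tempfile.TemporaryDirectory() as tmp:
        iso = Path(tmp) / "example-distro.iso"        # constructed filename
        iso.write_bytes(b"constructed ISO payload\n" * 4096)
        sums_text = f"{sha256_of_file(iso)} *{iso.name}\n{'0' * 64}  other.iso\n"
        intact = iso_matches(iso, sums_text)
        with open(iso, "ab") as f:                    # simulate a modified download
            f.write(b"x")
        return intact, iso_matches(iso, sums_text)
```

Run `signature_is_valid` first and only trust `iso_matches` when it returns True, since an attacker who can swap the ISO on a mirror can swap the unsigned checksum file just as easily.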
The process may differ a bit for different ISOs, but it usually follows that general pattern. For example, there are several different types of checksums. Traditionally, MD5 sums have been the most popular. However, SHA-256 sums are now more frequently used by modern Linux distributions, as SHA-256 is more resistant to theoretical attacks. We’ll primarily discuss SHA-256 sums here, although a similar process will work for MD5 sums. Some Linux distros may also provide SHA-1 sums, although these are even less common.
Similarly, some distros don’t sign their checksums with PGP. In that case you’ll only need to perform steps 1, 2, and 5, but the process is much more vulnerable. After all, if the attacker can replace the ISO file for download, they can also replace the checksum.
How to Verify a Linux ISO’s Checksum and Confirm It Hasn’t Been Tampered With
Thanks to Chris Hoffman