How to Verify a Linux ISO Download with SHA-256 (Step by Step)
Linux ISO downloads are big (4-8 GB), come over public mirrors, and are exactly the kind of file an attacker would love to replace with a backdoored version. Every major distribution publishes cryptographic checksums and signatures for exactly this reason. Verifying them takes 60 seconds and gives you confidence that what you're about to install is what the distribution actually released.
The two-step verification
- Step 1: Verify the ISO's SHA-256 matches the published checksum (catches download corruption, and substitution by a mirror or on-path attacker, provided the checksum came from the distribution's own site and not from the same mirror as the ISO)
- Step 2: Verify the SHA256SUMS file itself was signed by the distribution's GPG key (catches attacks where someone replaced both the ISO and the checksum file)
- Skipping Step 2 is fine for casual use. Skipping Step 1 is not.
Why two steps
An attacker who controls a mirror or your network connection could substitute a malicious ISO. But if you're checking the ISO's hash against the distribution's official checksum file, you'd catch them — unless the attacker also substitutes the checksum file with one that matches the malicious ISO.
That's why Linux distributions sign their SHA256SUMS file with a GPG key whose public half is published in many independent places (the distribution's main site, multiple key servers, sometimes mirrored on third-party sites). Verifying the signature proves the checksum file is genuine.
For most users, Step 1 alone is sufficient, as long as the SHA256SUMS you compare against was fetched over HTTPS from the distribution's official site rather than from the same mirror that served the ISO. A mirror or network attacker can then swap the ISO but not the value you compare it to. Step 2 is the paranoid mode: it also defends against a compromise of the distribution's website or CDN, because the signing key lives separately from the web servers that publish the files.
Step 1: Verify the SHA-256 hash
Get the published hash
Every major distribution publishes hashes on their download page. For Ubuntu, look for "verify your download" or "checksums" on the same page as the ISO link. The file is usually called SHA256SUMS and looks like this:
8762f7e74e4d64d72fceb5f70682e6b069da9e5a6... *ubuntu-24.04.iso
a1c3... *ubuntu-24.04-server.iso
The asterisk is the coreutils marker for "binary mode" (two spaces would mean text mode). It is not part of the filename and makes no difference to verification on Linux or macOS.
Hash your downloaded file
On Linux:
$ sha256sum ubuntu-24.04.iso
8762f7e74e4d64d72fceb5f70682e6b069da9e5a6... ubuntu-24.04.iso
On macOS:
$ shasum -a 256 ubuntu-24.04.iso
8762f7e74e4d64d72fceb5f70682e6b069da9e5a6... ubuntu-24.04.iso
On Windows (PowerShell; note that it prints the hash in uppercase):
PS> (Get-FileHash -Algorithm SHA256 .\ubuntu-24.04.iso).Hash
8762F7E74E4D64D72FCEB5F70682E6B069DA9E5A6...
Without the .Hash property selector, Get-FileHash prints a table with Algorithm, Hash and Path columns. From a plain cmd.exe prompt, certutil -hashfile .\ubuntu-24.04.iso SHA256 prints the same digest.
Compare
The two hashes must match character-for-character; case does not matter (sha256sum prints lowercase, PowerShell uppercase). If they match, your ISO is byte-for-byte what the publisher of that checksum posted. If even one character differs, delete the file and redownload it, ideally from a different mirror.
Or use the automated check
If you downloaded both SHA256SUMS and the ISO into the same directory, one command checks every listed file you actually have:
$ sha256sum -c SHA256SUMS --ignore-missing
ubuntu-24.04.iso: OK
The --ignore-missing flag matters: SHA256SUMS usually lists several variants (desktop, server, network installer) and you only downloaded one of them. Without the flag, sha256sum reports "No such file or directory" for each missing variant and exits non-zero even though your file passed. On macOS, shasum -a 256 -c SHA256SUMS reads the same file format; if your shasum build does not accept --ignore-missing, first filter SHA256SUMS down to the line for the file you downloaded.
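The whole of Step 1 as one script, added here as an example rather than taken from the page or from any distribution's tooling. It does by hand what sha256sum -c SHA256SUMS --ignore-missing does for a single file, so the SHA256SUMS line format, the case-insensitive comparison and the "my file is not listed" case are all visible, and it falls back to shasum on macOS. The demo files (a stand-in "ISO" and a SHA256SUMS listing it plus a variant with a made-up digest) are constructed inline; the names demo-24.04.iso and demo-24.04-server.iso are placeholders, not real Ubuntu images.

```sh
#!/bin/sh
# Added example, not from the page: Step 1 (hash check) done explicitly.

# sha256_of FILE -> lowercase hex digest (coreutils sha256sum, or macOS shasum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# published_sha256 SUMS NAME -> digest listed for NAME (lowercased), or nothing.
# Lines look like "<hex> *name" (binary mode) or "<hex>  name" (text mode);
# the '*' is not part of the name. ISO names never contain spaces, so field 2
# is the filename.
published_sha256() {
    awk -v name="$2" '{ f = $2; sub(/^\*/, "", f); if (f == name) { print tolower($1); exit } }' "$1"
}

# verify_iso SUMS ISO -> 0 match, 1 mismatch, 2 ISO not listed in SUMS
verify_iso() {
    sums=$1
    iso=$2
    name=$(basename "$iso")
    want=$(published_sha256 "$sums" "$name")
    if [ -z "$want" ]; then
        echo "$name: not listed in $sums (wrong file, or a stale SHA256SUMS?)" >&2
        return 2
    fi
    got=$(sha256_of "$iso" | tr 'A-F' 'a-f')   # compare case-insensitively
    if [ "$got" = "$want" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: FAILED" >&2
    echo "  published: $want" >&2
    echo "  computed:  $got" >&2
    return 1
}

# Demo on constructed files (no real ISO involved): a stand-in image, a
# SHA256SUMS that also lists a variant we did not download, then a
# corrupted copy of the image.
demo=$(mktemp -d)
printf 'stand-in for an ISO image\n' > "$demo/demo-24.04.iso"
{
    printf '%s *demo-24.04.iso\n' "$(sha256_of "$demo/demo-24.04.iso")"
    printf '%064d *demo-24.04-server.iso\n' 0   # made-up digest for the variant we skipped
} > "$demo/SHA256SUMS"
verify_iso "$demo/SHA256SUMS" "$demo/demo-24.04.iso" || echo "exit status $?"
printf 'X' >> "$demo/demo-24.04.iso"   # simulate a truncated/corrupted download
verify_iso "$demo/SHA256SUMS" "$demo/demo-24.04.iso" || echo "exit status $?"
verify_iso "$demo/SHA256SUMS" "$demo/demo-24.04-desktop.iso" || echo "exit status $?"
rm -rf "$demo"
```

The three calls print "demo-24.04.iso: OK", then a FAILED report with exit status 1, then "not listed" with exit status 2. Exit status 2 is the one to watch for in scripts: a file that is simply absent from SHA256SUMS is neither verified nor rejected, and treating it as a pass is the classic mistake.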
Step 2: Verify the SHA256SUMS signature (optional)
For Ubuntu, the signature is a separate (detached) file, usually called SHA256SUMS.gpg, that covers SHA256SUMS. For Fedora, the Fedora-Workstation-...-x86_64-CHECKSUM file is clearsigned, meaning the signature is embedded in the checksum file itself. The mechanics differ slightly but the concept is the same.
Ubuntu example
# 1. Download the signature
$ wget https://releases.ubuntu.com/24.04/SHA256SUMS.gpg
# 2. Import both Ubuntu CD Image Automatic Signing Keys (key IDs taken from Ubuntu's documentation, not from the mirror)
$ gpg --keyid-format long --keyserver hkps://keyserver.ubuntu.com \
--recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092
# 3. Verify the signature
$ gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu Apr 25 18:38:54 2024 UTC
gpg: using RSA key D94AA3F0EFE21092
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) ..."
The output you want to see is "Good signature", and the key ID on the "using RSA key" line must be one of the Ubuntu keys whose fingerprint you check in the next section; "Good signature" on its own only proves that some key in your keyring made the signature. A "WARNING: This key is not certified with a trusted signature!" line after it is normal: it means you have not certified the Ubuntu key with your own key, not that the signature is bad. If you see "BAD signature", the SHA256SUMS file does not match the signature. If you see "Can't check signature: No public key", you need to import the right key first.
Verify the key fingerprint independently
Whoever can replace the ISO and SHA256SUMS on a download site can also publish a SHA256SUMS.gpg made with their own key, so the key you verify against must be confirmed through sources the attacker does not control. The key fingerprint is published in several places:
- Ubuntu's wiki: SecurityTeam/FAQ
- Multiple keyservers (Ubuntu, MIT)
- Sometimes packaged in your distro's ubuntu-keyring package
If all three sources show the same fingerprint (compare the full 40-character fingerprint, not just the short key ID), you can be confident the key is authentic.
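Step 2 with the fingerprint actually pinned, added here as an example and not taken from the page or from Ubuntu's tooling. verify_sums_sig reads GPG's machine-readable status lines instead of grepping for the words "Good signature", and accepts the file only when the signing key's full fingerprint equals the one you pinned from an independent source. The demo builds two throwaway keys in a temporary GNUPGHOME (a "distro" key and an "attacker" key; none of this is an Ubuntu key), signs a constructed SHA256SUMS with each, and then tampers with the file, to show that pinning rejects a "Good signature" from the wrong key. Requires gpg 2.x and gpgconf on the PATH; the example.invalid addresses are placeholders.

```sh
#!/bin/sh
# Added example, not from the page: detached-signature check with the signing
# key's fingerprint pinned, plus a demo on a throwaway keyring.

# verify_sums_sig SUMS SIG EXPECTED_FPR
#   0 = valid signature made by the pinned key
#   1 = anything else: bad signature, unknown key, or a perfectly good
#       signature from a key other than the pinned one
verify_sums_sig() {
    sums=$1
    sig=$2
    expected=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')   # allow spaced/lowercase input
    # --status-fd 1: machine-readable "[GNUPG:] ..." lines on stdout; the
    # human-readable "Good signature" text goes to stderr and is ignored.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    # VALIDSIG <fpr of the key that signed> ... <fpr of its primary key>;
    # Ubuntu signs with the primary key, other projects may use a subkey, so accept either.
    for fpr in $(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; print $NF }'); do
        [ "$fpr" = "$expected" ] && return 0
    done
    return 1
}

# demo_signature_pinning: constructed scenario on a temporary keyring.
# Prints "pinned=<rc> wrongkey=<rc> tampered=<rc>" and returns 0 only when
# the outcomes are 0, 1, 1.
demo_signature_pinning() {
    work=$(mktemp -d)
    GNUPGHOME=$work/gnupg
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    # gen_key NAME -> generates a passphrase-less key and prints its full fingerprint
    gen_key() {
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-gen-key "$1 <$1@example.invalid>" default default never 2>/dev/null
        gpg --batch --with-colons --list-keys "$1@example.invalid" \
            | awk -F: '$1 == "fpr" { print $10; exit }'
    }
    real=$(gen_key distro)      # the fingerprint you would have pinned from the wiki
    evil=$(gen_key attacker)    # a key the attacker could publish on the same site
    printf '%064d *demo-24.04.iso\n' 0 > "$work/SHA256SUMS"   # constructed checksum file
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --local-user "$real" \
        --detach-sign --output "$work/SHA256SUMS.gpg" "$work/SHA256SUMS"
    verify_sums_sig "$work/SHA256SUMS" "$work/SHA256SUMS.gpg" "$real"; a=$?
    # Both keys are in the keyring, so gpg says "Good signature" for this one too;
    # only the fingerprint comparison tells the two apart.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --local-user "$evil" \
        --detach-sign --output "$work/SHA256SUMS.evil.gpg" "$work/SHA256SUMS"
    verify_sums_sig "$work/SHA256SUMS" "$work/SHA256SUMS.evil.gpg" "$real"; b=$?
    # Modify the checksum file after it was signed -> BAD signature.
    printf 'deadbeef *evil.iso\n' >> "$work/SHA256SUMS"
    verify_sums_sig "$work/SHA256SUMS" "$work/SHA256SUMS.gpg" "$real"; c=$?
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    echo "pinned=$a wrongkey=$b tampered=$c"
    [ "$a$b$c" = "011" ]
}

demo_signature_pinning   # prints: pinned=0 wrongkey=1 tampered=1
```

To use verify_sums_sig on a real download, pass the fingerprint you copied from an out-of-band source (the wiki page or the keyring package, never the page that served the ISO): verify_sums_sig SHA256SUMS SHA256SUMS.gpg "<fingerprint>". Note that gpg --keyserver-options auto-key-retrieve, which some download pages suggest, imports whatever key the signature names; the fingerprint comparison is still what decides.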
Distribution-specific notes
Ubuntu
- SHA256SUMS and the detached signature SHA256SUMS.gpg are published next to the ISO at releases.ubuntu.com
- Signing keys 0x46181433FBB75451 (the original key, from 2004) and 0xD94AA3F0EFE21092 (the 2012 key, used for current releases); both are still valid
Fedora
- Checksum files are clearsigned (signature embedded inline), so there is no separate .gpg file
- Use gpg --verify Fedora-Workstation-...-CHECKSUM after importing the Fedora key
- Fedora project public key fingerprints are listed at fedoraproject.org/security
Debian
- SHA256SUMS and its detached signature SHA256SUMS.sign are published per release on cdimage.debian.org
- Signed with the Debian CD signing key
- Key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
Arch Linux
- sha256sums.txt alongside the ISO
- Separate .sig files for ISO signatures (the signature covers the ISO itself rather than the checksum file)
- Signed by Pierre Schmitz; fingerprint listed on the Arch wiki and download page, so compare it there rather than trusting whatever key a keyserver returns
Common failures
"Good signature" but hash mismatch
The SHA256SUMS file is authentic but your ISO doesn't match. Usually a corrupted or truncated download; occasionally you are comparing against the line for a different variant or point release than the one you fetched. Check the filename on the matching SHA256SUMS line, then redownload from a different mirror.
"Hash matches" but no signature check
You verified Step 1 but skipped Step 2. Fine for casual use. Not adequate for production deployment or compliance scenarios.
Hash mismatch on every mirror
Either the distribution republished the ISO without updating SHA256SUMS (rare, but it happens around release time), or your copy of SHA256SUMS is stale. Re-download SHA256SUMS from the official site and re-check its signature before comparing again.
GPG can't verify: missing public key
You haven't imported the signing key. Use gpg --recv-keys <keyid> (adding --keyserver if your default one does not have it) or gpg --import keyfile, confirm the fingerprint, then run the verify command again.
GPG: BAD signature
The SHA256SUMS file does not match the signature. Either the file has been tampered with, or it was corrupted in transit, or you're using the wrong signature file. Don't trust this download.
What if you don't have a terminal?
For ISO verification on a locked-down machine, you can compute the SHA-256 in your browser. Drop the ISO into our File Hash tool — the hash is computed locally using the browser's Web Crypto API. No upload, no server, just JavaScript reading the file and computing the hash. A 4GB ISO takes about 10-15 seconds on a modern laptop.
This handles Step 1 well. Step 2 (GPG verification) still requires command-line tools.
Use our Hash Verifier to compare a published ISO hash against your downloaded file in one paste-and-drop. It detects the algorithm from the hash length (64 hex characters for SHA-256, 128 for SHA-512), so you don't need to know which one you're checking.