How to verify your Ubuntu download

NOTE: You will need to use a terminal app to verify an Ubuntu ISO image. These instructions assume basic knowledge of the command line, checking of SHA256 checksums and use of GnuPG.

Verifying your ISO helps ensure the data integrity and authenticity of your download. The process is fairly straightforward, but it involves a number of steps. They are:

  1. Download SHA256SUMS and SHA256SUMS.gpg files
  2. Get the key used for the signature from the Ubuntu key server
  3. Verify the signature
  4. Check your Ubuntu ISO with sha256sum against the downloaded sums

After verifying the ISO file, you can then either install Ubuntu or run it live from your CD/DVD or USB drive.

  1. Download sums

    Download the SHA256SUMS and SHA256SUMS.gpg files from any of the mirrors and put them in the same directory.

    Download sums and signature for Ubuntu 16.04.1 LTS ›

  2. Get the signature key

    Tip: On non-Linux systems, you might need to download the GPG tools for this next step. To check if you have the GPG tools installed, run the command gpg --version or gpg2 --version.

    Get the public keys from the Ubuntu key server and add them to your keyring.

    $ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys "8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092" "C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451"
    gpg: directory `/home/ubuntu/.gnupg' created
    gpg: new configuration file `/home/ubuntu/.gnupg/gpg.conf' created
    gpg: WARNING: options in `/home/ubuntu/.gnupg/gpg.conf' are not yet active during this run
    gpg: keyring `/home/ubuntu/.gnupg/secring.gpg' created
    gpg: keyring `/home/ubuntu/.gnupg/pubring.gpg' created
    gpg: requesting key EFE21092 from hkp server keyserver.ubuntu.com
    gpg: requesting key FBB75451 from hkp server keyserver.ubuntu.com
    gpg: /home/ubuntu/.gnupg/trustdb.gpg: trustdb created
    gpg: key EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" imported
    gpg: key FBB75451: public key "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 2
    gpg:               imported: 2  (RSA: 1)

    Verify the key fingerprints

    $ gpg --list-keys --with-fingerprint 0xFBB75451 0xEFE21092
    pub 1024D/FBB75451 2004-12-30
    Key fingerprint = C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451
    uid Ubuntu CD Image Automatic Signing Key cdimage@ubuntu.com
    
    pub 4096R/EFE21092 2012-05-11
    Key fingerprint = 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
    uid Ubuntu CD Image Automatic Signing Key (2012) cdimage@ubuntu.com
  3. Verify signature

    Now you can verify the signature.

    $ gpg --verify SHA256SUMS.gpg SHA256SUMS
    gpg: Signature made Fri 25 Mar 04:36:20 2016 GMT using DSA key ID FBB75451
    gpg: Good signature from "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451
    gpg: Signature made Fri 25 Mar 04:36:20 2016 GMT using RSA key ID EFE21092
    gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092

    This is an example of a ‘good’ signature. GPG is only validating the integrity of the given file. The warning messages indicate that your current GnuPG trust database does not have trust information for the signing key. You will get these warnings unless you have actually verified and signed one of the public keys belonging to signers of the Ubuntu ISO image signing key.
  4. Check the ISO

    Now you need to generate a SHA256 checksum for the downloaded ISO and compare it to the one in your downloaded SHA256SUMS file.

    Make sure the downloaded SHA256SUMS and SHA256SUMS.gpg files are in the same directory as the Ubuntu ISO. Then run the following commands in a terminal.

    On Ubuntu, the command to check will look like:

    $ sha256sum -c SHA256SUMS 2>&1 | grep OK

    On macOS, the command and good output will look like the following.

    $ shasum -a 256 -c SHA256SUMS 2>&1 | grep OK

    If you’re using Windows, you may need to download a SHA-256 tool first. Once you have, your command will look like:

    $ sha256sum.exe -c SHA256SUMS

    The output you want will look similar to the following:

    ubuntu-16.04.1-desktop-amd64.iso: OK

    If you get no results (or any result other than that shown above) you will need to check your download again.
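
A fail-closed script for steps 3 and 4, added here as an example (it is not part of the original page or of Ubuntu's tooling). It pins the two fingerprints shown above, reads GnuPG's machine-readable status lines instead of the human-readable text, and checks only the ISO you name; the function names are hypothetical, and it assumes the keys from step 2 are already in your keyring and that the primary key made the signature, as in the output above.

```shell
#!/bin/sh
# The two signing-key fingerprints listed on this page, spaces removed.
PINNED="843938DF228D22F7B3742BC0D94AA3F0EFE21092 C5986B4F1257FFA86632CBA746181433FBB75451"

# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if at
# least one VALIDSIG line carries a pinned fingerprint and no BADSIG is seen.
pinned_sig_ok() {
    awk -v pinned="$PINNED" '
        BEGIN { n = split(pinned, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "[GNUPG:]" && $2 == "BADSIG" { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 in want) { good = 1 }
        END { exit !(good && !bad) }'
}

# Compares one ISO against its entry in a SHA256SUMS file. Unlike
# `sha256sum -c SHA256SUMS | grep OK`, the exit status is non-zero on a
# mismatch (1) or when the ISO has no entry at all (2).
iso_sum_ok() {  # usage: iso_sum_ok SHA256SUMS image.iso
    name=$(basename "$2")
    # Entries look like "<hex> *<name>" (binary mode) or "<hex>  <name>".
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$1")
    [ -n "$want" ] || return 2
    have=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# Runs both checks; SHA256SUMS and SHA256SUMS.gpg must be in the current directory.
verify_iso() {  # usage: verify_iso image.iso
    gpg --status-fd 1 --verify SHA256SUMS.gpg SHA256SUMS 2>/dev/null | pinned_sig_ok \
        || { echo "signature check failed" >&2; return 1; }
    iso_sum_ok SHA256SUMS "$1" || { echo "checksum check failed" >&2; return 1; }
    echo "$1: signature and checksum OK"
}

if [ "$#" -gt 0 ]; then verify_iso "$1"; fi
```

Run it as `sh verify.sh ubuntu-16.04.1-desktop-amd64.iso` from the download directory; on macOS, replace `sha256sum` with `shasum -a 256`.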