How to Verify a Mint ISO File Using MD5 and SHA256 Checksums (Hash) Files

Radish
  7 years ago
  5

The guide below is my newbie way of trying to explain how to check Linux Mint ISO's using MD5 and SHA256 checksums in a Linux or Microsoft Windows system. What is the difference regarding checking via MD5 or SHA256? SHA256 is a much more secure check than an MD5 check. That said, for most purposes MD5 is okay because it's reasonably secure anyway. But in the longer run I would guess Mint will abandon MD5 sums and transfer to SHA256 (or higher) - extra security at no extra price - go for it.

 

Step 1 - Get a Copy of the Official Checksums File(s)

For checking the MD5 and/or SHA256 of an ISO go here and get a copy of the checksums files for the version of Mint that you want to check: https://ftp.heanet.ie/pub/linuxmint.com/stable/  Tip: just click on the link that is the version number you want to check. (For the purposes of this tutorial I will assume that you want to check an ISO for Mint version 17.3.)

Once you are the correct webpage for the Mint version that you want to check right-click on the link titled md5sum.txt and select "Save Link As..." and save a copy of the text file to your hard-drive. Follow the same procedure for the link titled sha256sum.txt if you want to check the ISO against a SHA256 hash number. If you do this for both files you will now have two text files on your hard-drive titled "md5sum.txt" and "sha256sum.txt" (If your browser doesn't have a right-click and download the text files function then just left-click on the two links and copy and paste the checksums hash information from the webpage into a text editor of your choice - remember to save them as "md5sum.txt" and "sha256sum.txt".)

Now that you have the official checksum numbers on your hard-drive you can check the ISO(s) that you have against those checksums.

 

Step 2a - Checking the ISO Inside a Linux System

(If you want to do the check inside a Microsoft Windows system then skip this step and goto "Step 2b" below.)

Launch a terminal and type the following (note you will have to adjust the command to suit the full path and exact filename to the ISO file you want to check):

md5sum /path/to/the/ISO/linuxmint-17.3-cinnamon-64bit.iso

Once the command completes (it will take some time, be patient) highlight and then copy the long complicated hexadecimal number that the command produces. Be VERY CAREFUL when you do this that you select ALL OF THE NUMBER and ONLY THE NUMBER, no extra spaces at the end. Now open the md5sum.txt that you created earlier in a text editor and do the following;

  1. Use the Search function of the text editor and paste the MD5 number you got for the ISO from the terminal command into the Search Text-box.
  2. Now click on the Search button
  3. If the Search function finds a match then your ISO is fine.
  4. If the Search function does not find a match then your ISO is either hacked or you have a faulty/corrupted downloaded ISO. (However, you should double check that you correctly copied the hexadecimal number properly.)


You can then follow the same procedure to check the ISO against the SHA256 checksum - though, obviously, you need to make sure that you do the checking against the checksum information in the sha256sum.txt file you might have created earlier. If you want to do that check the command to use in the terminal is:

sha256sum /path/to/the/ISO/linuxmint-17.3-cinnamon-64bit.iso

Again you will need to provide the correct full path and exact filename for the ISO you are checking.

 

Step 2b - Checking the ISO Inside a Microsoft Windows System

There are many programs available for Windows that will calculate the checksums of files. One that I am familiar with is the free version of "MD5 & SHA Checksums Utility". You can download a copy here: https://raylin.wordpress.com/downloads/md5-sha-1-checksum-utility/  (It is a portable program so you don't need to install it to the system.)

 

  1. Now launch the "MD5 & SHA Checksum Utility" that you downloaded. In the hash-type selections tick MD5 and/or SHA-256.
  2. Click on the Browse button and in the file selector drill to the ISO file you want to check, click on that ISO and then click the Open button. The program will now generate the checksum(s) for the ISO you selected. (This might take some time so be patient.)
  3. Now open the "md5sum.txt" and/or the "sha256sum.txt" that you created earlier and from one of them copy the hexadecimal hash number for the ISO you want to check into the clipboard. You must be VERY CAREFUL when you do this that you select ALL OF THE NUMBER and ONLY THE NUMBER, no extra spaces at the beginning or the end.
  4. Now paste the hexadecimal number you copied into "Hash:" field of the program dialogue window, then click the Verify button. The program will now tell you if the hash number matches.
  5. If the hash numbers do not match then your ISO is either hacked or you have a faulty/corrupted downloaded ISO. (However, you should double check that you correctly copied the hexadecimal number properly.)

==================================================

Hope this helps.  smiley

Comments
neilrahc 6 years ago

Just wanted to say thanks - very helpful for mint and Windows.


lmkdetester 6 years ago

Dolphin in KDE Plasma 5.8 makes it more convenient to check md5, sha1, and sha256 checksums. Open the folder where file download is and right click on the file, click Properties, and click on the tab Checksum. There is a place to enter/paste the checksum you got at the download site. Click on the correct checksum type and it will calculate and verify checksum.


androgeek 7 years ago

Thanks


kepler19 7 years ago

Thanks. Very helpful.


remoulder 7 years ago

Ok, but this subject has already been covered in other tutorials


jahid_0903014 7 years ago

Reply from mods:

That is Linux Mint's primary mirror site.


jahid_0903014 7 years ago

reported to mods.


xenopeek 7 years ago

The steps you provide are a good way to verify no errors happened during downloading of the ISO file. Either MD5 or SHA256 is suitable for that. SHA256 is IMHO only more secure if one verifies the origin of the sha256sum.txt file using the GPG signature as detailed on ttps://linuxmint.com/verify.php. Without that step SHA256 is perfectly suitable to check for download errors but without verifying the origin of the sha256sum.txt file it's not more secure than MD5.


Hammer459 7 years ago

My question is... What makes the checksums from this unverified ftp-site any more secure than the checksums provided by Mints official site?
IMHO a checksum from any unverified site is more unsure than not doing the checksum verification at all.