3 years ago
The guide below is my newbie way of trying to explain how to check Linux Mint ISO's using MD5 and SHA256 checksums in a Linux or Microsoft Windows system. What is the difference regarding checking via MD5 or SHA256? SHA256 is a much more secure check than an MD5 check. That said, for most purposes MD5 is okay because it's reasonably secure anyway. But in the longer run I would guess Mint will abandon MD5 sums and transfer to SHA256 (or higher) - extra security at no extra price - go for it.
Step 1 - Get a Copy of the Official Checksums File(s)
For checking the MD5 and/or SHA256 of an ISO go here and get a copy of the checksums files for the version of Mint that you want to check: https://ftp.heanet.ie/pub/linuxmint.com/stable/ Tip: just click on the link that is the version number you want to check. (For the purposes of this tutorial I will assume that you want to check an ISO for Mint version 17.3.)
Once you are the correct webpage for the Mint version that you want to check right-click on the link titled md5sum.txt and select "Save Link As..." and save a copy of the text file to your hard-drive. Follow the same procedure for the link titled sha256sum.txt if you want to check the ISO against a SHA256 hash number. If you do this for both files you will now have two text files on your hard-drive titled "md5sum.txt" and "sha256sum.txt" (If your browser doesn't have a right-click and download the text files function then just left-click on the two links and copy and paste the checksums hash information from the webpage into a text editor of your choice - remember to save them as "md5sum.txt" and "sha256sum.txt".)
Now that you have the official checksum numbers on your hard-drive you can check the ISO(s) that you have against those checksums.
Step 2a - Checking the ISO Inside a Linux System
(If you want to do the check inside a Microsoft Windows system then skip this step and goto "Step 2b" below.)
Launch a terminal and type the following (note you will have to adjust the command to suit the full path and exact filename to the ISO file you want to check):
Once the command completes (it will take some time, be patient) highlight and then copy the long complicated hexadecimal number that the command produces. Be VERY CAREFUL when you do this that you select ALL OF THE NUMBER and ONLY THE NUMBER, no extra spaces at the end. Now open the md5sum.txt that you created earlier in a text editor and do the following;
You can then follow the same procedure to check the ISO against the SHA256 checksum - though, obviously, you need to make sure that you do the checking against the checksum information in the sha256sum.txt file you might have created earlier. If you want to do that check the command to use in the terminal is:
Again you will need to provide the correct full path and exact filename for the ISO you are checking.
Step 2b - Checking the ISO Inside a Microsoft Windows System
There are many programs available for Windows that will calculate the checksums of files. One that I am familiar with is the free version of "MD5 & SHA Checksums Utility". You can download a copy here: https://raylin.wordpress.com/downloads/md5-sha-1-checksum-utility/ (It is a portable program so you don't need to install it to the system.)
Hope this helps.
Just wanted to say thanks - very helpful for mint and Windows.
Dolphin in KDE Plasma 5.8 makes it more convenient to check md5, sha1, and sha256 checksums. Open the folder where file download is and right click on the file, click Properties, and click on the tab Checksum. There is a place to enter/paste the checksum you got at the download site. Click on the correct checksum type and it will calculate and verify checksum.
Thanks. Very helpful.
Ok, but this subject has already been covered in other tutorials
Reply from mods:
That is Linux Mint's primary mirror site.
reported to mods.
The steps you provide are a good way to verify no errors happened during downloading of the ISO file. Either MD5 or SHA256 is suitable for that. SHA256 is IMHO only more secure if one verifies the origin of the sha256sum.txt file using the GPG signature as detailed on ttps://linuxmint.com/verify.php. Without that step SHA256 is perfectly suitable to check for download errors but without verifying the origin of the sha256sum.txt file it's not more secure than MD5.
My question is... What makes the checksums from this unverified ftp-site any more secure than the checksums provided by Mints official site?
IMHO a checksum from any unverified site is more unsure than not doing the checksum verification at all.