When you download an ISO file from the internet, you don't know whether that file is legitimate or whether it has been tampered with.
The only way to verify that the ISO file is legitimate and safe to use is to check its integrity and authenticity: compare the official SHA256 sum with the SHA256 sum of the ISO that you downloaded, and verify the signature on the file that contains the official sum.
Linux Mint itself is legitimate and safe to use. However, users often don't pay attention to the source they are downloading its ISO file from.
In this tutorial, you will learn how to check and verify the integrity and authenticity of a Linux Mint ISO file.
Step 1 - Download Linux Mint ISO
Downloading a Linux Mint ISO is quite easy. Navigate to Linux Mint's official website and choose the version that you want to download.
When you click the download button, it should take you to the mirror section. In this section, select the mirror that you want to use to download the Linux Mint ISO file.
For example, we are downloading Linux Mint from "Harvard School of Engineering".

You should select a mirror that is close to your location so you don't run into download issues.
These mirrors are third-party mirrors, which is why you need to check and verify the authenticity of the ISO that you are downloading.
Step 2 - Download the sha256sum files
Next, download the sha256sum files.
From the same source where you downloaded the ISO file, you can also download sha256sum.txt and sha256sum.txt.gpg.

We used "Harvard School of Engineering" as the mirror to download the Linux Mint ISO. If you can't find the sha256sum files on this mirror, make sure you navigate to the right path.
The direct link to the ISO file looks like this:
https://mirrors.seas.harvard.edu/linuxmint/stable/21.2/linuxmint-21.2-xfce-64bit.iso
To find sha256sum files, you need to browse to the directory where Linux Mint ISO is uploaded.
https://mirrors.seas.harvard.edu/linuxmint/stable/21.2/
Step 3 - Verify Linux Mint ISO Integrity and Authenticity
Once you have downloaded the ISO file and sha256sum files, change directory to downloads.
cd Downloads

If you are using a custom path as your download directory, simply replace Downloads above with your directory.
Now, to verify the integrity of the Linux Mint ISO, run the command below:
sha256sum -b *.iso
The command above computes the sha256 sum of every ISO file in the current directory, so if you have multiple ISO files in the Downloads directory, it will display the sha256 sum for all of them. If you want to check the sha256 sum of the Linux Mint ISO only, replace *.iso with the name of the Linux Mint ISO:
sha256sum -b linuxmint-21.2-xfce-64bit.iso
Next, you should see the generated sha256sum on your terminal as shown in the image below.

Now you need to copy the sha256sum and compare it with the sha256sum that is in the sha256sum.txt file.
You can do this easily by using the grep command:
grep -R "e532dca4f28a88e52587a0e1af14236b233d2cec629d9f93e7c92383b4490a55" /home/user/Downloads/sha256sum.txt
The command above will search for your sha256sum in the sha256sum.txt file, and if it is found, it will show it on your terminal as shown below.

This means both sha256sums are the same.
To check the authenticity of the Linux Mint ISO, you first need to import the Linux Mint GPG key on your system. To do this, run the command below:
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"

After importing the Linux Mint GPG key on your system, change directory to Downloads (assuming you downloaded the sha256sum files to the Downloads directory) and run the command below:
gpg --verify sha256sum.txt.gpg sha256sum.txt
The command above should give you output similar to this on your terminal:
owlhowto@debian:~/Downloads$ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Thu 13 Jul 2023 12:06:28 PM EDT
gpg: using RSA key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09
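Make sure that the output says "Good signature" and that the fingerprint matches the original fingerprint. The warning that the key is not certified only means that you have not marked this key as trusted in your own keyring, which is why the fingerprint comparison matters.
27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09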
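The checks from this step combined into one script, as an added example that is not part of the original tutorial: it verifies the signature on sha256sum.txt first, requires the fingerprint shown above, and only then compares the ISO's hash with the entry listed for its own file name (a plain grep would also match the hash of a different file). The function names are illustrative, and the script assumes the ISO and both sha256sum files are in the same directory and that the key is already imported.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Function names are illustrative.
# Fingerprint from the tutorial, with the spaces removed.
MINT_FPR="27DEB15644C6B3CF3BD7D291300F846BA25BAE09"

# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if a
# VALIDSIG line ends with the pinned primary-key fingerprint ($1).
status_has_pinned_validsig() {
    awk -v fpr="$1" '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == fpr { ok = 1 }
                     END { exit !ok }'
}

# Prints the hash that the sums file ($1) lists for exactly this file name ($2).
# Lines look like "<hash> *<name>"; the leading "*" marks binary mode.
expected_sum() {
    awk -v name="$2" '{ f = $2; sub(/^\*/, "", f) } f == name { print $1; exit }' "$1"
}

# Succeeds only if the ISO ($2) hashes to the entry for its own name in $1.
iso_matches_sums() {
    want=$(expected_sum "$1" "$(basename "$2")")
    have=$(sha256sum -b "$2" | awk '{ print $1 }')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Full check. $1 = directory with the ISO and both sha256sum files, $2 = ISO name.
# The signature is checked first so the hash list is trusted before it is used.
verify_iso() {
    gpg --status-fd 1 --verify "$1/sha256sum.txt.gpg" "$1/sha256sum.txt" 2>/dev/null \
        | status_has_pinned_validsig "$MINT_FPR" \
        || { echo "FAIL: sha256sum.txt is not signed by the expected key" >&2; return 1; }
    iso_matches_sums "$1/sha256sum.txt" "$1/$2" \
        || { echo "FAIL: $2 does not match its entry in sha256sum.txt" >&2; return 1; }
    echo "OK: $2 matches a correctly signed sha256sum.txt"
}

# Runs only when called with two arguments, for example:
#   sh verify-mint.sh ~/Downloads linuxmint-21.2-xfce-64bit.iso
if [ "$#" -eq 2 ]; then verify_iso "$1" "$2"; fi
```
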
That's it!
Conclusion
In this tutorial, you learned how to check the Integrity and Authenticity of Linux Mint ISO file step by step. We also explained how to find sha256sum files on the mirror where you download the ISO file.