How to Verify Downloads

Why verify your downloads?

While downloads are free from corruption and tampering in most cases, you may wish to verify the integrity of your download to ensure you are getting a clean copy of Ubuntu MATE exactly as the developers intended.

Verifying downloads is particularly important when downloading directly from a server. BitTorrent is secure too, as it checks each piece as it downloads.

Check the SHA256 Hash (quick)

On Ubuntu MATE

On current Ubuntu MATE versions (18.04 LTS and newer), caja-gtkhash is pre-installed and allows you to perform checksums from within the file browser.

  • Navigate to the file in the Caja file manager.
  • Open the file’s properties:
      • Either via the menu bar: File → Properties
      • Or right-click the file → Properties.
  • Choose the Digests tab.
  • Copy the SHA256SUM checksum from the download page and paste it into the Check field.

Note: To make the calculation faster, you only need to select the checksums you have values for.


On GNU/Linux distributions: GtkHash (GUI)

This method uses an application called GtkHash. This can be installed via your distribution’s software manager.

  • Launch GtkHash.
  • Select the ISO in the File chooser.
  • Copy the SHA256SUM checksum from the download page and paste it into the Check field.
  • Click Hash.
  • Ensure a green checkmark appears next to one of the calculated checksums.

On GNU/Linux distributions: Command Line

A majority of other distributions come with sha256sum pre-installed.

  1. Open the folder containing the download in the terminal.

  2. Type sha256sum followed by the file name of the image.

    sha256sum ubuntu-mate-15.10-desktop-amd64.iso
    
  3. Compare the hash with the one provided on the Download page.


On Windows

Checksum utilities are available on the web, such as:


On Mac OS X

A SHA256 utility (shasum) is pre-installed with most versions of OS X.

    shasum -a 256 ubuntu-mate-15.10-desktop-amd64.iso

Graphical utilities are also available:


Check using Repository GPG Keys (secure)

This method verifies that the hashes published by Canonical are actually authentic. Unlike a quick checksum, which only compares against a value copied from a web page, the SHA256SUMS file is signed: the signature in SHA256SUMS.gpg can only have been made with Ubuntu’s key, so a valid signature shows the checksums are exactly as Ubuntu published them.

Ubuntu

  1. Download a copy of the SHA256SUMS and SHA256SUMS.gpg files from Canonical’s CD Images server for that particular version.

  2. Install the Ubuntu Keyring. This may already be present on your system.

    sudo apt-get install ubuntu-keyring
    
  3. Verify the signature on the SHA256SUMS file using the keyring.

    gpgv --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg SHA256SUMS.gpg SHA256SUMS
    
  4. Verify the checksum of the downloaded image.

    grep ubuntu-mate-18.04-desktop-amd64.iso SHA256SUMS | sha256sum --check
    
  5. If you see “OK”, the image is in good condition.

    ubuntu-mate-18.04-desktop-amd64.iso: OK
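
The steps above combined into one script, added here as an example (it is not Ubuntu MATE's or Canonical's own tooling): it refuses to use SHA256SUMS until gpgv accepts the signature, and it matches the image name exactly rather than as a grep pattern. The function names and exit codes are assumptions made for this example; the keyring path is the one from step 3.

```shell
#!/bin/sh
# Added example, not part of the original page.
# Keyring path as used in step 3; adjust if your system stores it elsewhere.
KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg

# Print the SHA256 recorded for exactly IMAGE in SUMS_FILE.
# Lines look like "<hash> *<name>" or "<hash>  <name>".
# Fails unless the name is listed exactly once (assumes no spaces in the name).
expected_sum() (
    sums_file=$1
    image=$(basename "$2")
    awk -v name="$image" '
        { f = $2; sub(/^\*/, "", f) }   # drop the "*" binary-mode marker
        f == name { print $1; n++ }
        END { exit (n != 1) }
    ' "$sums_file"
)

# Compare the image's actual SHA256 with the recorded one.
# Exit status: 0 match, 1 mismatch, 2 image not listed exactly once.
check_image() (
    sums_file=$1
    image=$2
    want=$(expected_sum "$sums_file" "$image") || exit 2
    have=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$want" = "$have" ]
)

# Full procedure: signature first, checksum second.
# Exit status: 3 if gpgv rejects the signature, otherwise check_image's status.
verify_download() (
    sums_file=$1
    sig_file=$2
    image=$3
    gpgv --keyring="$KEYRING" "$sig_file" "$sums_file" || exit 3
    check_image "$sums_file" "$image"
)

# Run only when called as: script SHA256SUMS SHA256SUMS.gpg image.iso
if [ "$#" -eq 3 ]; then
    verify_download "$@" && echo "$3: signature and checksum OK"
fi
```

A non-zero exit status means the image should not be used: 3 points at the signature or keyring, 2 at a SHA256SUMS file for a different release, and 1 at a corrupted or altered image.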