Why verify your downloads?
While in most cases, downloads are free from corruption and tampering, you may wish to verify the integrity of your download to ensure you are getting a clean copy of Ubuntu MATE exactly how the developers intended.
Verifying downloads are particularly important when downloading directly from a server. BitTorrent is secure too as it checks pieces as it downloads.
Check the SHA256 Hash (quick)
On Ubuntu and GNU/Linux
In Ubuntu, and most other distributions, you can verify by using the
command line utility.
- Open the folder containing the download in the terminal.
sha256sumfollowed by the file name of the image.
Compare the hash with the one provided on the Download page.
Checksum utilities are available on the web, such as:
On Mac OS X
sha256 is pre-installed with most versions of OS X.
shasum -a 256 ubuntu-mate-15.10-desktop-amd64.iso
Graphical utilities are also available:
Check using Repository GPG Keys (secure)
This method verifies the hashes published by Canonical are actually authenticate. Unlike performing a quick checksum, the SHA256SUMS file is signed and only Ubuntu’s key can unlock the file to reveal the checksums exactly as Ubuntu published them.
Download a copy of the
SHA256SUMS.gpgfiles from Canonical’s CD Images server for that particular version.
Install the Ubuntu Keyring. This may already be present on your system.
sudo apt-get install ubuntu-keyring
Verify the keyring.
gpgv --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg SHA256SUMS.gpg SHA256SUMS
Verify the checksum of the downloaded image.
grep ubuntu-16.04-desktop-amd64.iso SHA256SUMS | sha256sum --check
If you see “OK”, the image is in good condition.