How to Verify Downloads

Why verify your downloads?

While in most cases, downloads are free from corruption and tampering, you may wish to verify the integrity of your download to ensure you are getting a clean copy of Ubuntu MATE exactly how the developers intended.

Verifying downloads are particularly important when downloading directly from a server. BitTorrent is secure too as it checks pieces as it downloads.

Check the SHA256 Hash (quick)

On Ubuntu and GNU/Linux

In Ubuntu, and most other distributions, you can verify by using the sha256sum command line utility.

  1. Open the folder containing the download in the terminal.

  1. Type sha256sum followed by the file name of the image.

    sha256sum ubuntu-mate-15.10-desktop-amd64.iso
    
  2. Compare the hash with the one provided on the Download page.


On Windows

Checksum utilities are available on the web, such as:


On Mac OS X

sha256 is pre-installed with most versions of OS X.

shasum -a 256 ubuntu-mate-15.10-desktop-amd64.iso

Graphical utilities are also available:


Check using Repository GPG Keys (secure)

This method verifies the hashes published by Canonical are actually authenticate. Unlike performing a quick checksum, the SHA256SUMS file is signed and only Ubuntu’s key can unlock the file to reveal the checksums exactly as Ubuntu published them.

Ubuntu

  1. Download a copy of the SHA256SUMS and SHA256SUMS.gpg files from Canonical’s CD Images server for that particular version.

  2. Install the Ubuntu Keyring. This may already be present on your system.

    sudo apt-get install ubuntu-keyring
    
  3. Verify the keyring.

    gpgv --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg SHA256SUMS.gpg SHA256SUMS
    
  4. Verify the checksum of the downloaded image.

    grep ubuntu-16.04-desktop-amd64.iso SHA256SUMS | sha256sum --check
    
  5. If you see “OK”, the image is in good condition.

    ubuntu-mate-15.10-desktop-amd64.iso: OK