When you download a large file such as a Linux distribution in the form of an ISO you should validate it to make sure that the file has downloaded properly.
In the past, there have been many ways to validate the authenticity of a file. At the crudest level, you can check the file size or you might check the date the file was created. You could also count the number of files in an ISO or other archive or if you are really keen you could check the size, date, and contents of every file within an archive.
The above suggestions range from ineffective to complete overkill.
Checksum verification works on zip files, executables, ISO downloads, or any other type of file. If you are a command line fan, Microsoft has its own unsupported command line checksum utility. Why should you verify a checksum in the first place? Verify the checksum so you don't deploy malware-ridden software! Many utilities can be used to verify the checksum of a file in Windows, including the Checksum Calculator, an easy-to-use utility for calculating and comparing checksums, and the FCIV utility from Microsoft, a command line tool for showing the checksum.
One method that has been used for a number of years is for the developers of software and Linux distributions to provide an ISO which they run through a hashing algorithm called MD5. This provides a unique checksum.
The idea is that as a user you can download the ISO and then run a tool which creates an MD5 checksum against that file. The checksum that is returned should match the one located on the website of the software developer.
This guide will show you how to use Windows and Linux to check the MD5 checksum of a Linux distribution.
Downloading a File With an MD5 Checksum
To demonstrate how to validate the checksum of a file you will need a file that already has an MD5 checksum available for it to compare against.
Most Linux distributions provide either an SHA or MD5 checksum for their ISO images. One distribution that definitely uses the MD5 checksum method of validating a file is Bodhi Linux.
You can download a live version of Bodhi Linux from http://www.bodhilinux.com/.
The linked page has three versions available:
- Standard;
- AppPack Release;
- Legacy Release.
For this guide, we will be showing the Standard Release version because it is the smallest, but you can choose any one you wish.
You'll want to download TWO files: The actual Bodhi Linux ISO, available at the Download link, and the MD5 File, which you'll want to open in Notepad, as below. You'll compare the checksum you see in the MD5 file with the checksum you'll get from the Command Prompt (below).
- First, download the ISO itself by clicking on the Download link just under the Standard Release section.
- Next to the download link you will see a link called MD5. Click it to download the MD5 checksum file to your computer.
- Next, open the file in Notepad. The contents will be something like this:
Verify the MD5 Checksum Using Windows
To verify the MD5 checksum of the Linux ISO or indeed any other file which has an accompanying MD5 checksum follow these instructions:
- Open Command Prompt.
- Navigate to the downloads folder by typing cd Downloads. Of course, if the file you want to check is not in the Downloads folder, you'll need to type the exact folder name, like cd "folderpathhere".
- Type certutil -hashfile followed by the file name and then MD5.
- Check that the value returned matches the value in the MD5 file you downloaded from the Bodhi website (and opened in Notepad).
- If the values don't match then the file is not valid and you should download it again.
Verify the MD5 Checksum Using Linux
To verify the MD5 checksum using Linux follow these instructions:
- Open a terminal window by pressing ALT and T at the same time.
- Type cd ~/Downloads, or a different folder name if that's not where your file is stored.
- Enter md5sum followed by the file name.
- The value displayed by the md5sum command should match the md5 in the file displayed using the cat command in step 4.
- If the values do not match there is a problem with the file and you should download it again.
Issues
The md5sum method of checking the validity of a file only works as long as the site you are downloading the software from hasn't been compromised.
In theory, it works well when there are lots of mirrors because you can always check back against the main website.
However, if the main site gets hacked and a link is provided to a new download site and the checksum is changed on the website then you are basically being hoodwinked into downloading something you probably don't want to use.
Here is an article showing how to check the md5sum of a file using Windows. This guide mentions that many other distributions now also use a GPG key to validate their files. This is more secure but the tools available on Windows for checking GPG keys are lacking. Ubuntu uses a GPG key as a means for verifying their ISO images and you can find a link showing how to do that here.
Even without a GPG key, the MD5 checksum is not the most secure method for securing files. It is now more common to use the SHA-2 algorithm.
Many Linux distributions use the SHA-2 algorithm, and for validating SHA-2 checksums you need to use programs such as sha224sum, sha256sum, sha384sum, and sha512sum. They all work in much the same way as the md5sum tool.