After downloading a fresh Fedora ISO, it is a good habit to verify the downloaded file. The benefits of verification are two-fold: integrity and security. Verifying your ISO confirms that the file was not corrupted during the download process. It also helps ensure that the ISO you have downloaded is in fact an ISO that the Fedora Project has published.

Verify with Fedora Media Writer

If you use Fedora Media Writer to download your fresh Fedora media, the verification process is super-simple. Fedora Media Writer automatically verifies your download using the appropriate SHA256 hash and MD5 checksum for the image. More details on this automatic verification are available in the Cryptography README in the Fedora Media Writer repository.

[Screenshot: a Fedora Workstation ISO downloading in Fedora Media Writer]

Verify an ISO manually

Verifying an ISO not obtained using Fedora Media Writer is a little more complicated. It requires you to download a CHECKSUM file for the specific ISO you have, and run a handful of commands in the terminal.

1. Get the CHECKSUM for your ISO

When you download a Fedora ISO from getfedora.org, there is a button on the splash page with a link to the CHECKSUM file. Download this file and save it in the same directory as the ISO image itself. If you downloaded the ISO earlier, or got it from another source such as a torrent, the verify page lists all the current CHECKSUMs.

2. Get the Fedora GPG keys & verify your CHECKSUM

The next step is to check the CHECKSUM file itself. To do this, first download the Fedora GPG public keys, and import them using the gpg utility:

curl https://getfedora.org/static/fedora.gpg | gpg --import

Next, use the gpg utility to verify the CHECKSUM file, for example:

gpg --verify-files Fedora-Workstation-25-1.3-x86_64-CHECKSUM

If your CHECKSUM checks out, you will see a line like this in the output:

gpg: Good signature from "Fedora 25 Primary (25) <fedora-25-primary@fedoraproject.org>"

3. Verify the ISO

Now that we are sure the CHECKSUM file itself is valid, use it to check the downloaded ISO, for example:

sha256sum -c Fedora-Workstation-25-1.3-x86_64-CHECKSUM

If the ISO that you downloaded is valid, a line similar to the following is shown (in this example, the ISO is Fedora-Workstation-Live-x86_64-25-1.3.iso):

Fedora-Workstation-Live-x86_64-25-1.3.iso: OK
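
The manual steps 2 and 3 combined into one script, as an added example that is not from the original article or the Fedora Project. It differs from step 3 in one respect: the ISO is compared only against the text that gpg reports as covered by a good signature, and only against the entry for that exact file name. The function names are this example's own, and it assumes the Fedora keys were already imported as in step 2.

```sh
#!/bin/sh
# Added example (assumption: keys already imported, see step 2).
# Usage after sourcing this file: verify_iso CHECKSUM_FILE ISO_FILE

# Print only the text covered by a valid signature; fail otherwise.
signed_payload() {
    tmp=$(mktemp) || return 1
    # gpg writes output before it has finished checking the signature,
    # so buffer it and release it only when gpg exits 0.
    if gpg --batch --decrypt "$1" >"$tmp" 2>/dev/null; then
        cat "$tmp"; rm -f "$tmp"
    else
        rm -f "$tmp"; return 1
    fi
}

# Read checksum lines on stdin; succeed only if one of them names this
# ISO and carries the SHA256 digest of the file on disk.
# Assumes the ISO file name contains no spaces.
iso_matches() {
    iso=$1
    name=$(basename "$iso")
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    # Accept "SHA256 (name) = hex" and "hex  name" / "hex *name" lines.
    expected=$(awk -v n="$name" '
        $1 == "SHA256" && $2 == ("(" n ")") && $3 == "=" { print $4; exit }
        NF == 2 && ($2 == n || $2 == ("*" n))            { print $1; exit }
    ')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

verify_iso() {
    payload=$(signed_payload "$1") || {
        echo "$1: signature check failed" >&2; return 1
    }
    if printf '%s\n' "$payload" | iso_matches "$2"; then
        echo "$2: OK"
    else
        echo "$2: FAILED" >&2; return 1
    fi
}
```

A CHECKSUM file that lists several images works unchanged, because entries for other file names are ignored rather than reported as missing.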