How to verify a Fedora ISO file

After downloading a fresh version of a Fedora ISO, it is a good habit to verify the downloaded file. The benefits of verification are two-fold: integrity and security. Verifying your ISO confirms that the file you downloaded was not corrupted during the download process. It also provides a check to help ensure that the ISO you downloaded is in fact an ISO that the Fedora Project has published.

Verify with Fedora Media Writer

If you use Fedora Media Writer to download your fresh Fedora media, the verification process is super-simple. Fedora Media Writer automatically verifies your download using the appropriate SHA256 hash and MD5 checksum for the image. More details on this automatic verification are available in the Cryptography README in the Fedora Media Writer repository.

[Screenshot: a Fedora Workstation ISO downloading in Fedora Media Writer]

Verify an ISO manually

Verifying an ISO not obtained using Fedora Media Writer is a little more complicated. It requires you to download a CHECKSUM file for the specific ISO you have, and run a handful of commands in the terminal.

1. Get the CHECKSUM for your ISO

When you download a Fedora ISO from getfedora.org, there is a button on the splash page with a link to the CHECKSUM file. Download this file and save it in the same directory as the ISO image itself. However, if you previously downloaded an ISO, or got it from another source like a torrent, the verify page lists all the current CHECKSUMs.

2. Get the Fedora GPG keys & verify your CHECKSUM

The next step is to check the CHECKSUM file itself. To do this, first download the Fedora GPG public keys, and import them using the gpg utility:

curl https://getfedora.org/static/fedora.gpg | gpg --import

Next, use the gpg utility to verify the CHECKSUM file, for example:

gpg --verify-files Fedora-Workstation-25-1.3-x86_64-CHECKSUM

If your CHECKSUM checks out, you will see a line like this in the output:

gpg: Good signature from "Fedora 25 Primary (25) <fedora-25-primary@fedoraproject.org>"

3. Verify the ISO

Now that you are sure the CHECKSUM file itself is valid, use it to check the downloaded ISO, for example:

sha256sum -c Fedora-Workstation-25-1.3-x86_64-CHECKSUM

A line similar to the following is presented if the ISO that you downloaded is valid (in this example, the ISO is Fedora-Workstation-Live-x86_64-25-1.3.iso):

Fedora-Workstation-Live-x86_64-25-1.3.iso: OK
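
Steps 2 and 3 above combined into one script, as an added example that is not part of the original article: it imports the Fedora keys into a throwaway keyring, checks the ISO only against the text gpg reports as signed, and requires the exact "<name>: OK" line for your ISO. The function names and the script name are made up for illustration, and fedora.gpg is assumed to be already downloaded from the URL in step 2.

```shell
#!/bin/sh
# Added example, not from the article; function names are hypothetical.
# Usage: sh verify-fedora-iso.sh fedora.gpg <CHECKSUM file> <ISO file>

# Print the signed text of a clearsigned CHECKSUM file ($2). Fails unless the
# signature verifies against a key in $1; a throwaway keyring is used so that
# keys already in ~/.gnupg cannot vouch for the file.
signed_text() {
    st_home=$(mktemp -d) || return 2
    GNUPGHOME=$st_home gpg --batch --quiet --import "$1" 2>/dev/null &&
        GNUPGHOME=$st_home gpg --batch --quiet --decrypt "$2" 2>/dev/null
    st_rc=$?
    rm -rf "$st_home"
    return "$st_rc"
}

# Succeed only if checksum list $1 names ISO $2 and sha256sum reports
# "<name>: OK" for it. Comment lines are skipped; returns 3 if not listed.
iso_matches() {
    im_name=$(basename "$2")
    im_dir=$(dirname "$2")
    im_lines=$(grep -v '^#' "$1" | grep -F -- "$im_name") || {
        echo "$im_name: not listed in checksum file" >&2
        return 3
    }
    im_out=$(printf '%s\n' "$im_lines" |
        (cd "$im_dir" && LC_ALL=C sha256sum -c - 2>/dev/null)) || :
    printf '%s\n' "$im_out" | grep -qxF -- "$im_name: OK"
}

# Steps 2 and 3 together: keys file, CHECKSUM file, ISO file.
verify_fedora_iso() {
    vf_sums=$(mktemp) || return 2
    if signed_text "$1" "$2" > "$vf_sums"; then
        iso_matches "$vf_sums" "$3"
        vf_rc=$?
    else
        echo "signature check failed: $2" >&2
        vf_rc=4
    fi
    rm -f "$vf_sums"
    return "$vf_rc"
}

if [ "$#" -eq 3 ]; then
    verify_fedora_iso "$@" && echo "$3: signature and checksum OK"
fi
```

The script exits non-zero if the signature does not verify, if the ISO is not named in the signed text, or if its hash does not match.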

6 Comments

  1. rugk

    If I could use the Fedora Media Writer, this would be very helpful. However, it is just fundamentally broken. (https://github.com/MartinBriza/MediaWriter/issues/90)

  2. Leslie Satenstein

    Can wget be used in place of curl for the manual mode of iso retrieval?

  3. Yes, it can, in the format:
    wget https://download.fedoraproject.org/pub/fedora/linux/releases/25/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-25-1.3.iso

    Also, to step 2: gpg2 --verify Fedora-Workstation-25-1.3-x86_64-CHECKSUM is all that is needed. The CHECKSUM file is a SINGLE file.

    Also, you can use the same method whilst substituting sha256sum for sha512sum on the regularly updated Live respins at https://dl.fedoraproject.org/pub/alt/live-respins, which also has a short URL of http://tinyurl.com/live-respins. However, there is no gpgkey directly associated with the CHECKSUM for those ISOs themselves; they do use the same gpgkey as the ones produced on https://getfedora.org

  4. Marcus Watts

    Yes.

  5. fmiz

    I’ve never done step 2. Why do you check the checksum signature?
