How to verify ISO images

This page explains how to verify the integrity and authenticity of ISO images.

It is important to verify the integrity and authenticity of your ISO image.

The integrity check confirms that your ISO image was properly downloaded and that your local file is an exact copy of the file present on the download servers. An error during the download could result in a corrupted file and trigger random issues during the installation.

The authenticity check confirms that the ISO image you downloaded was signed by Linux Mint, and thus that it isn’t a modified or malicious copy made by somebody else.


1. Create a directory called “ISO” in your home directory.

2. Move the ISO image you downloaded into this directory.

3. Download the following files (right-click -> Save As…) and move them into the “ISO” directory.

Your ~/ISO directory should now contain 3 files: your ISO image, the sha256sum.txt file and the sha256sum.txt.gpg file.

Don’t modify these files in any way.

Integrity check

To verify the integrity of your ISO image, generate its SHA256 sum and compare it to the one found in the sha256sum.txt file.

In most Linux distributions the SHA256 sum can be generated by opening a terminal and running the following commands:

    cd
    cd ISO
    sha256sum -b *.iso

The last command should show you the SHA256 sum of your ISO file. Compare it to the one found in the sha256sum.txt file. If they match, you’ve successfully verified the integrity of your ISO image.

Note: If you have coreutils version 8.25 or newer, another way of checking the sum is to ask the sha256sum command to check the file against the sha256sum.txt file, like this:

    sha256sum --ignore-missing -c sha256sum.txt
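
The manual comparison described above can also be scripted so that it works with coreutils older than 8.25 and reports a mismatch separately from a missing entry. This is an added example, not part of the original page; the function names, return codes and the sample file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): compare one ISO against its
# entry in sha256sum.txt without relying on `sha256sum --ignore-missing`.
# Return codes are this example's own convention:
#   0 = digest matches, 1 = digest differs, 2 = ISO or list entry not found.
# The list is only trustworthy once its signature has been verified
# (see the authenticity check).

check_iso() {
    ci_iso=$1
    ci_list=$2
    [ -f "$ci_iso" ] && [ -f "$ci_list" ] || return 2
    ci_name=$(basename -- "$ci_iso")
    # Each list line is: 64 hex digits, a space, '*' (binary) or ' ' (text),
    # then the file name. Slicing by position keeps names with spaces intact.
    ci_want=$(awk -v n="$ci_name" \
        'length($0) > 66 && substr($0, 67) == n { print tolower(substr($0, 1, 64)); exit }' \
        "$ci_list")
    [ -n "$ci_want" ] || return 2
    ci_have=$(sha256sum -b -- "$ci_iso" | cut -c1-64)
    [ "$ci_have" = "$ci_want" ]
}

# Constructed sample data: a tiny stand-in file, not a real ISO.
make_sample() {
    mkdir -p "$1"
    printf 'constructed stand-in for an ISO image\n' > "$1/sample.iso"
    (cd "$1" && sha256sum -b sample.iso > sha256sum.txt)
}

# Print a human-readable verdict and pass the return code through.
report() {
    rc=0
    check_iso "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $1 matches $2" ;;
        1) echo "FAIL: $1 differs from the listed sum; download it again" ;;
        *) echo "UNKNOWN: $1 is missing or not listed in $2" ;;
    esac
    return "$rc"
}

# Usage: sh check_iso.sh <path to ISO> <path to sha256sum.txt>
if [ "$#" -eq 2 ]; then
    report "$1" "$2"
fi
```

A result of 2 usually means the ISO was renamed after download or the sha256sum.txt file belongs to a different release.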

Authenticity check

To verify the authenticity of the sha256sum.txt file, we need to check the signature on the sha256sum.txt.gpg file.

1. Import the Linux Mint signing key:

2. Verify the authenticity of the sha256sum.txt file:

    cd
    cd ISO
    gpg --verify sha256sum.txt.gpg sha256sum.txt

Note: Unless you trusted this signature in the past, or a signature which trusted it, GPG should warn you that the signature is not trusted. This is expected and perfectly normal.