help to verify iso image

Hi, I would like to install Lubuntu. I have downloaded version 20.04.1 LTS (Focal Fossa) via HTTP.
I know I need to verify the integrity and authenticity of the ISO image, but I don’t know how to do it. There is a manual, but I don’t understand it. I need someone who knows to please explain it to me in a simple way. Thanks.
Sorry for my poor English. I wrote this with a translator. I speak Spanish.

Go to the download page, you will see a link to SHA256SUMS:
http://cdimages.ubuntu.com/lubuntu/releases/20.04.1/release/SHA256SUMS
It will give a string of numbers. Keep it open. Now, open a terminal in the directory of the iso you downloaded. Type:
sha256sum lubuntu...iso
(type the full name of iso)
It will compute and give you a string of numbers. The string in the link I gave and the string your PC computed must match.

You’re in luck. We have a Spanish support subcategory now! See en español

2 Likes

Thanks for answering, but I’m a very newbie and I still don’t get it right. I’m using a raspberry pi with raspdebian and I have in the downloads folder (/ home / pi / Downloads) the file: lubuntu-20.04.1-desktop-amd64.iso plus the files: SHA256SUMS and SHA256SUMS.gpg
what should I do?
Thank you.

Open a terminal.

  1. cd /home/pi/Downloads
  2. sha256sum -c SHA256SUMS

It should say OK.

1 Like

If you also want to make sure the signature itself is authentic, have a look at this:
https://linuxconfig.org/how-to-verify-the-integrity-of-a-linux-distribution-iso-image

2 Likes

I get this:
pi @ raspberrypi: ~ $ cd / home / pi / Downloads
bash: cd: too many arguments
pi @ raspberrypi: ~ $ sha256sum -c SHA256SUMS
sha256sum: SHA256SUMS: The file or directory does not exist
pi @ raspberrypi: ~ $

You may want to read this before delving too deeply into using the command line as you are missing some fundamental things.

The cd (“change directory”) command is used to access another folder or directory. The full path of your Downloads folder on a Pi would be /home/pi/Downloads. Note that is not the same as what you used which is / home / pi / Downloads. That’s why there are “too many arguments.” You should be only changing to one folder not six of them (in your command each of these is an argument: home, pi, Downloads, and three instances of /). Spaces separate the parts of a command. If you get that right, the rest should work correctly.

To further clarify things, you downloaded the SHA256SUMS file to the default folder (/home/pi/Downloads). When you enter the terminal, you are in the default folder (/home/pi which is also known as ~ which is why you see that in the prompt). If you cd to a folder that does not exist, you will stay in that folder. Since there is no SHA256SUMS file in that folder, trying to execute a command that uses that file will fail, thus why it says “the file or directory does not exist.”

1 Like

Thank you very much for your reply.
I want to install Lubuntu on an old laptop.
I’m interested in learning how to use the command terminal, but I don’t intend to do it right now.
Could someone please tell me how to verify, step by step, the download of Lubuntu that I did (in which folder to put the files, what commands to enter and all that)? Thanks for your patience.

  1. Download the ISO file
  2. Download the SHA256SUMS file
  3. Open the terminal
  4. Enter exactly as typed: cd Downloads
  5. Enter exactly as typed: sha256sum -c SHA256SUMS
3 Likes

Walter replied first, so I’d suggest following his instructions.

I haven’t downloaded Lubuntu 20.10 since it was released, I do however have the latest RC (release candidate) to I can release so in my case I’ll just grab the sha256sum file & compare to my RC ISO (which should be identical to the ISO if downloaded)

I download (I’ll use wget command) the sha256sum file, then rename it (I’ll use mv or move as it’s easier than rename)

guiverc@d960-ubu2:/de2900/nix_iso$   cd /de2900/lubuntu_64/
guiverc@d960-ubu2:/de2900/lubuntu_64$   wget https://cdimage.ubuntu.com/lubuntu/releases/20.10/release/SHA256SUMS
guiverc@d960-ubu2:/de2900/lubuntu_64$   wget https://cdimage.ubuntu.com/lubuntu/releases/20.10/release/SHA256SUMS

I can’t use Walter’s provided command, as my file has a different name (it’s still got the pre-release name of the RC daily), so I’ll have my machine calculate the sha256sum & view the file I downloaded, and in my case will manually compare each character… Walter’s command has the machine do this 🙂

guiverc@d960-ubu2:/de2900/lubuntu_64$   sha256sum groovy-desktop-amd64.iso ; cat groovy-desktop-amd64.sha256sum 
1a4586a246498fdb08dcdb6eddc13f7ac621ccfb4206e040d010cf6cae716fb4  groovy-desktop-amd64.iso
1a4586a246498fdb08dcdb6eddc13f7ac621ccfb4206e040d010cf6cae716fb4 *lubuntu-20.10-desktop-amd64.iso

This requires me to manually compare the two lines’ strings of characters, the first being that calculated from my pre-release RC (release candidate) ISO, and the second being the name of the actual groovy ISO. Manually scanning each character, they look the same to me 🙂

Walter’s is more automatic… This is added just in case it’s helpful…


FYI: I wasn’t going to include them, but my earlier cd (change directory) commands were

guiverc@d960-ubu2:~/uwn/issues/661$   cd /de2900/nix_iso/
guiverc@d960-ubu2:/de2900/nix_iso$   cd /de2900/lubuntu_64/
guiverc@d960-ubu2:/de2900/lubuntu_64$   ls -la gro*

where I changed from the last thing I used the terminal for (a UWN or Ubuntu Weekly Newsletter publish task related to issue 611), to the location where I store my *nix ISOs, before realizing I won’t have downloaded it… so I cd again to where I grab the dailies for testing… the ls will list files in that directory to confirm I still had files there… yep.

thanks, finally it worked out. As I understand it, this was the integrity check and it is necessary to do another authenticity check (or something similar), for this it would be the file SHA256SUMS.gpg
Could you tell me how to do it? thanks.

Assuming you have already downloaded the ISO and the SHA256SUMS file:

  1. Download the SHA256SUMS.gpg file
  2. Open the terminal
  3. Enter the following exactly as typed:
    1. cd Downloads
    2. gpg --keyserver keyserver.ubuntu.com --recv-keys D94AA3F0EFE21092
    3. gpg --verify SHA256SUMS.gpg SHA256SUMS

Among the output, you will see a line like so:

gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" [unknown]
2 Likes
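
The two checks from this thread combined into one script, as an added example that is not part of any post above: it first confirms that SHA256SUMS carries a valid signature from the key ID quoted above (read from gpg's machine-readable status output), and only then compares the ISO's hash with the signed entry. The function names are hypothetical; the optional fourth argument covers a local file whose name differs from the listed one, as in the groovy-desktop-amd64.iso post.

```shell
#!/bin/sh
# Added example. KEYID is the signing key ID quoted in the thread.
KEYID=D94AA3F0EFE21092

# Read `gpg --status-fd 1` output on stdin; succeed only if a VALIDSIG
# line carries a fingerprint that ends with the expected key ID.
valid_sig_from() {
    awk -v id="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            n = length(id)
            if (toupper(substr($3, length($3) - n + 1)) == toupper(id)) ok = 1
        }
        END { exit(ok ? 0 : 1) }'
}

# Print the hash listed for one file name in a SHA256SUMS file.
# Entries look like "<hash> *<name>" (binary mode) or "<hash>  <name>".
expected_hash() {
    awk -v name="$1" '
        { f = $2; sub(/^\*/, "", f) }
        f == name { print tolower($1); found = 1; exit }
        END { exit(found ? 0 : 1) }' "$2"
}

# $1 = local ISO, $2 = SHA256SUMS, $3 = name as listed (default: basename of $1).
# Returns 0 on match, 1 on mismatch, 2 if the name is not in the list.
iso_matches() {
    want=$(expected_hash "${3:-$(basename "$1")}" "$2") || return 2
    have=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# $1 = ISO, $2 = SHA256SUMS, $3 = SHA256SUMS.gpg, $4 = optional listed name
verify_download() {
    gpg --status-fd 1 --verify "$3" "$2" 2>/dev/null | valid_sig_from "$KEYID" \
        || { echo "signature check FAILED: do not trust SHA256SUMS" >&2; return 1; }
    iso_matches "$1" "$2" "${4:-}" \
        || { echo "checksum check FAILED: ISO does not match the signed list" >&2; return 1; }
    echo "OK: SHA256SUMS is signed by $KEYID and the ISO hash matches"
}

if [ "$#" -ge 3 ]; then verify_download "$@"; fi
```

Saved under a name of your choice and run from the Downloads folder with the ISO, SHA256SUMS and SHA256SUMS.gpg as arguments, it needs the key to have been imported already with the `--recv-keys` step above.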

it turned out fine. thanks for your help.

2 Likes
