How to verify ISO images

This page explains how to verify their integrity and authenticity.

Select the Linux Mint release you downloaded:


1. Create a directory called "ISO" in your home directory.

2. Move the ISO image you downloaded in this directory.

3. Download the following files and move them into the "ISO" directory.

Your ~/ISO directory should now contain 3 files: Your ISO image, the sha256sum.txt file and the sha256sum.txt.gpg file.

Integrity check

To verify the integrity of your ISO image, generate its SHA256 sum and compare it to the one found in the sha256sum.txt file.

In most Linux distributions the SHA256 sum can be generated by opening a terminal and running the following commands:

cd ISO
sha256sum -b *.iso

The last command should show you the SHA256 sum of your ISO file. Compare it to the one found in the sha256sum.txt. If they match, you've successfully verified the integrity of your ISO image.

Note: If you have coreutils version 8.25 or newer, another way of checking the sum is to ask the sha256sum command to check the file against the sha256sum.txt file, like this:

sha256sum --ignore-missing -c sha256sum.txt

Authenticity check

To verify the authenticity of the sha256sum.txt file, we need to check the signature on the sha256sum.txt.gpg file.

1. Import the Linux Mint signing key:

Note: If gpg complains about the key ID, try the following commands instead:

2. Verify the authenticity of the sha256sum.txt file:

cd ISO
gpg --verify sha256sum.txt.gpg sha256sum.txt

Note: Unless you trusted this signature in the past, or a signature which trusted it, GPG should warn you that the signature is not trusted. This is expected and perfectly normal.