MeshWorld India LogoMeshWorld.
SecurityChecksumsGPGLinuxHow-To5 min read

How to Verify File Integrity: Checksums and GPG Signatures Explained

Arjun
By Arjun
|Updated: Jul 14, 2026
How to Verify File Integrity: Checksums and GPG Signatures Explained

You downloaded a 4GB Ubuntu ISO from a mirror you don’t fully trust. The file looks right. The filename matches. But without verification, you have no proof the bytes weren’t swapped, truncated, or tampered with in transit.

Checksums and GPG signatures exist to solve exactly that problem. They’re not paranoia; they’re standard practice for Linux distributions, security tools, and any software where a compromised binary could own your machine.

Last updated: July 13, 2026

Key Takeaways

  • SHA-256 checksums detect accidental corruption and simple tampering—compare the hash of your file against the publisher's published value.
  • GPG signatures prove the file was signed by the project's key—protects against mirror compromise, not just bit-flips.
  • Linux distros publish both: always verify GPG when available, checksum as a minimum.
  • On Windows, use CertUtil; on macOS, use shasum -a 256; on Linux, use sha256sum.
  • Repack sites that publish hash files (e.g. FitGirl) should be checked the same way before you run installers.

Prerequisites

  • The file you want to verify (ISO, archive, installer)
  • The published checksum or signature from the official project page
  • Terminal access (Linux/macOS) or Command Prompt (Windows)
  • For GPG: gpg installed (sudo apt install gnupg on Debian/Ubuntu)

File checksum and GPG verification conceptual diagram Image Prompt: A premium hand-drawn sketch note style illustration showing a file verification process, depicting how an ISO file is run through a hashing function to compare its checksum against the official hash.

What is the difference between a checksum and a GPG signature?

MethodWhat it provesProtects against
SHA-256 checksumYour file’s bytes match the expected hashCorruption, truncated downloads, simple substitution
GPG signatureA trusted key holder vouched for this exact fileMalicious mirrors, supply-chain swaps

A checksum alone doesn’t tell you who published the expected value—if an attacker controls the download page, they can publish a matching hash for their malware. GPG closes that gap by tying the file to a cryptographic identity.

The Scenario: Ubuntu publishes SHA256SUMS and SHA256SUMS.gpg. You verify the GPG signature on the sums file first, then compare your ISO’s hash against the signed list. A compromised mirror can’t fake both steps without the project’s private key.


How do you verify a SHA-256 checksum on Linux?

Download the file and the published checksum side by side from the official project site—not a third-party mirror’s copy of the checksum unless you trust the mirror chain.

Step 1: Generate the hash of your file:

bash
sha256sum ubuntu-24.04.2-desktop-amd64.iso

Step 2: Compare the output to the value in the project’s SHA256SUMS file:

bash
grep ubuntu-24.04.2-desktop-amd64.iso SHA256SUMS
sha256sum -c SHA256SUMS --ignore-missing

The -c flag reads the sums file and reports OK or FAILED for each entry.


How do you verify a SHA-256 checksum on macOS and Windows?

macOS:

bash
shasum -a 256 your-file.iso

Windows (Command Prompt):

cmd
certutil -hashfile your-file.iso SHA256

Compare the output character-for-character with the published hash. One mismatched character means the file is not authentic.


How do you verify a GPG signature on a Linux ISO?

Most distributions sign their checksum files. Ubuntu’s process is representative:

Step 1: Import the project’s signing key (one-time):

bash
gpg --keyid-format long --recv-keys 0x843938DF228D22F7B3742BC0D94AA3F0EFE21092

Step 2: Download SHA256SUMS and SHA256SUMS.gpg from the official release page.

Step 3: Verify the signature on the sums file:

bash
gpg --verify SHA256SUMS.gpg SHA256SUMS

You want Good signature from ... in the output. Warnings about trust level are normal on first import.

Step 4: Verify your ISO against the now-trusted sums file:

bash
sha256sum -c SHA256SUMS --ignore-missing

How do you verify hash files from repack or third-party releases?

Some repack publishers include SHA-256 or MD5 hash files alongside downloads. The process is the same—hash your downloaded archive and compare—but the trust model is different:

  • You’re trusting the repack operator’s reputation, not a distro’s GPG web of trust
  • Hash files on the same page as the download don’t protect against a fully compromised site
  • Combine hash verification with source reputation and network traffic auditing if anything behaves unexpectedly after install

For context on which repack sources publish verifiable hashes, see our torrenting sites safety ranking.


What are common verification mistakes?

  • Skipping verification because the download “looked fine”: corruption and tampering are invisible at the GUI level
  • Copying the hash from a forum post: always pull checksums from the official release page
  • Using MD5 for security decisions: MD5 is fine for accidental corruption checks; prefer SHA-256 for anything security-sensitive
  • Ignoring GPG trust warnings without reading them: BAD signature means stop; don’t install

Frequently Asked Questions

Is verifying checksums enough for torrent downloads?

For legal content from reputable publishers (Linux ISOs, Creative Commons releases), checksum verification against official values is the right standard. For anything else, verification confirms file integrity but says nothing about legality or malware intent—executable payloads can be “correctly” hashed and still malicious.

What if gpg says “Can’t check signature: No public key”?

Import the project’s signing key using the key ID from their documentation, then re-run gpg --verify.

Can I automate verification in a script?

Yes. Most CI pipelines and install scripts use sha256sum -c in quiet mode:

bash
echo "expectedhash  filename.iso" | sha256sum -c -

Summary

  • Always verify Linux ISOs and security tools with SHA-256 at minimum; use GPG when the project provides it.
  • Checksums detect corruption; GPG signatures detect supply-chain substitution.
  • Never trust hashes from unofficial sources: pull them from the project’s own release page.
  • Repack hash files follow the same mechanics but a weaker trust model than distro GPG signing.


Share_This Twitter / X
Arjun
Written By

Arjun

Security Researcher and AI Safety specialist. Focuses on LLM red-teaming, prompt injection defense, and the intersection of cybersecurity and generative AI.

Enjoyed this article?

Support MeshWorld and help us create more technical content