Validating the MD5 Checksum of a File

When you download a large file such as a Linux distribution in the form of an ISO you should validate it to make sure that the file has downloaded properly.

In the past, there have been many ways to validate the authenticity of a file. At the crudest level, you can check the file size or you might check the date the file was created. You could also count the number of files in an ISO or other archive or if you are really keen you could check the size, date, and contents of every file within an archive.

The above suggestions range from ineffective to complete overkill. 

One method that has been used for a number of years is for the developers of software and Linux distributions to provide an ISO which they send through an encryption method called MD5. This provides a unique checksum.

The idea is that as a user you can download the ISO and then run a tool which creates an MD5 checksum against that file. The checksum that is returned should match the one located on the website of the software developer.

This guide will show you how to use Windows and Linux to check the MD5 checksum of a Linux distribution.

Downloading a File With an MD5 Checksum

To demonstrate how to validate the checksum of a file you will need a file that already has an MD5 checksum available for it to compare against.

Most Linux distributions provide either an SHA or MD5 checksum for their ISO images. One distribution that definitely uses the MD5 checksum method of validating a file is Bodhi Linux.

You can download a live version of Bodhi Linux from http://www.bodhilinux.com/.

The linked page has three versions available:

• Standard;
• AppPack Release;
• Legacy Release.

For this guide, we will be showing the Standard Release version because it is the smallest but you can choose anyone you wish.

Next to the download link you will see a link called MD5.

This will download the MD5 checksum to your computer. 

You can open the file in notepad and the contents will be something like this:

ba411cafee2f0f702572369da0b765e2  bodhi-4.1.0-64.iso

Verify the MD5 Checksum Using Windows

To verify the MD5 checksum of the Linux ISO or indeed any other file which has an accompanying MD5 checksum follow these instructions:

1. Right-click on the Start button and choose Command Prompt (Windows 8/8.1/10).
2. If you are using Windows 7 press the Start button and search for the Command Prompt.
3. Navigate to the downloads folder by typing cd Downloads (i.e. you should be in c:\users\yourname\downloads). You could also type cd c:\users\yourname\downloads).
4. Type the following command:
   
   certutil -hashfile MD5
   
   For example to test the Bodhi ISO image run the following command replacing the Bodhi filename with the name of the file you have downloaded:
   
   certutil -hashfile bodhi-4.1.0-64.iso MD5
    
5. Check that the value returned matches the value the MD5 file you downloaded from the Bodhi website.
6. If the values don't match then the file is not valid and you should download it again.
    

Verify the MD5 Checksum Using Linux

To verify the MD5 checksum using Linux follow these instructions:

1. Open a terminal window by pressing ALT and T at the same time.

1. Type cd ~/Downloads.
2. Enter the following command:
   
   md5sum  
   
   To test the Bodhi ISO image run the following command:
   
   md5sum bodhi-4.1.0-64.iso
    
3. Run the following command to display the MD5 value of the Bodhi MD5 file downloaded previously:
   
   cat bodhi-4.1.0-64.iso.md5
    
4. The value displayed by the md5sum command should match the md5 in the file displayed using the cat command in step 4.
5. If the values do not match there is a problem with the file and you should download it again.

Issues

The md5sum method of checking the validity of a file only works as long as the site you are downloading the software from hasn't been compromised.

In theory, it works well when there are lots of mirrors because you can always check back against the main website.

However, if the main site gets hacked and a link is provided to a new download site and the checksum is changed on the website then you are basically being hoodwinked into downloading something you probably don't want to use.

Here is an article showing how to check the md5sum of a file using Windows. This guide mentions that many other distributions now also use a GPG key to validate their files. This is more secure but the tools available on Windows for checking GPG keys are lacking. Ubuntu uses a GPG key as a means for verifying their ISO images and you can find a link showing how to do that here.

Even without a GPG key, the MD5 checksum is not the most secure method for securing files. It is now more common to use the SHA-2 algorithm.

Many Linux distributions use the SHA-2 algorithm and for validating the SHA-2 keys you need to use programs such as sha224sum, sha256sum, sha384sum, and sha512sum. They all work in much the same way as the md5sum tool.