How To Validate The MD5 Checksum Of A File



When you download a large file such as a Linux distribution in the form of an ISO you should validate it to make sure that the file has downloaded properly.

In the past there have been many ways to validate the authenticity of a file. At the crudest level you can check the file size or you might check the date the file was created. You could also count the number of files in an ISO or other archive or if you are really keen you could check the size, date and contents of every file within an archive.


The above suggestions range from ineffective to completely overkill. 

One method that has been used for a number of years is for the developers of software and Linux distributions to run the ISO they provide through a hashing algorithm called MD5. This produces a checksum specific to the contents of that file.

The idea is that as a user you can download the ISO and then run a tool which creates an MD5 checksum against that file. The checksum that is returned should match the one located on the website of the software developer.

This guide will show you how to use Linux to check the MD5 checksum of a Linux distribution.

How To Check The MD5 Checksum Of An ISO

One distribution that uses the MD5 checksum method of validating a file is Linux Mint.

You can download Linux Mint from 

The linked page has a list of various different desktops and editions for Linux Mint. You can choose from Cinnamon, MATE, KDE and XFCE and whether you want 32 bit or 64 bit and also whether you want the full distribution or just the free elements or even a version specifically for vendors.

For this guide I will be showing the Cinnamon 64 bit version but you can choose any one you wish.

You can either click on the 64-bit link next to the Cinnamon option or you can click here to go straight to the Linux Mint Cinnamon download page.

In the top grid you will notice that there is a field called MD5 with a string of text next to it which looks like this:


Further down the page you will find a list of mirrors from which you can download Linux Mint.

Click on the mirror closest to you and the file will download.

After the file has downloaded open a terminal window and navigate to the downloads folder using the following command:

cd Downloads

Now enter the following command into the terminal:

md5sum linuxmint-17.3-cinnamon-64bit.iso

The result from the command will be something like this:

e71a2aad8b58605e906dbea444dc4983  linuxmint-17.3-cinnamon-64bit.iso

At this point you should compare the checksum shown in the terminal against the MD5 value on the website. The two must be identical.

If all has gone well then you have a valid ISO and you can go ahead and use the ISO.


The md5sum method of checking the validity of a file only works as long as the site you are downloading the software from hasn't been compromised.

In theory it works well when there are lots of mirrors because you can always check back against the main website.

However if the main site gets hacked and a link is provided to a new download site and the checksum is changed on the website then you are basically being hoodwinked into downloading something you probably don't want to use.

I wrote an article a little while ago showing how to check the md5sum of a file using Windows. In that guide I mentioned that many other distributions now also use a GPG key to validate their files. 

This is more secure but the tools available on Windows for checking GPG keys are lacking.

Ubuntu uses a GPG key as a means for verifying their ISO images and you can find a link showing how to do that here.

Even leaving GPG keys aside, the MD5 checksum is not the most secure method for validating files. It is now more common to use the SHA-2 algorithm.

Many Linux distributions use the SHA-2 algorithm and for validating SHA-2 checksums you need to use programs such as sha224sum, sha256sum, sha384sum and sha512sum. They all work in much the same way as the md5sum tool.
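
The steps above compare the two checksums by eye. As an added example (not part of the original article), the shell function below lets the tool do the comparison and picks md5sum or the matching SHA-2 program from the length of the published checksum. The function name verify_checksum and its return codes are assumptions made for this example.

```shell
# Added example: verify a downloaded file against a published checksum.
# verify_checksum FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on a usage or input problem.
# (Function name and return codes are this example's own choices.)
verify_checksum() {
    local file="$1"
    local expected tool
    # Websites sometimes publish upper-case hex; the tools print lower case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    case "$expected" in
        ''|*[!0-9a-f]*) echo "not a hex checksum: $2" >&2; return 2 ;;
    esac
    # The length of the hex string identifies the algorithm.
    case "${#expected}" in
        32)  tool=md5sum ;;
        56)  tool=sha224sum ;;
        64)  tool=sha256sum ;;
        96)  tool=sha384sum ;;
        128) tool=sha512sum ;;
        *)   echo "unrecognised checksum length: ${#expected}" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # --check reads "HASH  FILENAME" lines (two spaces) and compares for us;
    # --status suppresses output so only the exit code is used.
    if printf '%s  %s\n' "$expected" "$file" | "$tool" --check --status -; then
        echo "OK ($tool): $file"
    else
        echo "MISMATCH ($tool): $file - delete it and download again" >&2
        return 1
    fi
}

# Run as a script with two arguments, e.g. with the values from this guide:
#   sh verify.sh linuxmint-17.3-cinnamon-64bit.iso e71a2aad8b58605e906dbea444dc4983
if [ "$#" -eq 2 ]; then
    verify_checksum "$1" "$2"
fi
```

A match only shows that the file is the one the checksum was published for; it says nothing about whether the page publishing the checksum can be trusted.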