Validating the MD5 Checksum of a File

MD5 Checksum
MD5 Checksum.
by Gary Newell
An application developer and software tester with more than 20 years in the IT industry working on Windows, UNIX and Linux.
Updated June 24, 2019

When you download a large file such as a Linux distribution in the form of an ISO you should validate it to make sure that the file has downloaded properly.

In the past, there have been many ways to validate the authenticity of a file. At the crudest level, you can check the file size or you might check the date the file was created. You could also count the number of files in an ISO or other archive or if you are really keen you could check the size, date, and contents of every file within an archive.

The above suggestions range from ineffective to complete overkill. 

One method that has been used for a number of years is for the developers of software and Linux distributions to provide an ISO which they send through an encryption method called MD5. This provides a unique checksum.

The idea is that as a user you can download the ISO and then run a tool which creates an MD5 checksum against that file. The checksum that is returned should match the one located on the website of the software developer.

This guide will show you how to use Windows and Linux to check the MD5 checksum of a Linux distribution.

Downloading a File With an MD5 Checksum

To demonstrate how to validate the checksum of a file you will need a file that already has an MD5 checksum available for it to compare against.

Most Linux distributions provide either an SHA or MD5 checksum for their ISO images. One distribution that definitely uses the MD5 checksum method of validating a file is Bodhi Linux.

You can download a live version of Bodhi Linux from http://www.bodhilinux.com/.

The linked page has three versions available:

  • Standard;
  • AppPack Release;
  • Legacy Release.

For this guide, we will be showing the Standard Release version because it is the smallest but you can choose anyone you wish.

You'll want to download TWO files: The actual Bodhi Linux ISO, available at the Download link, and the MD5 File, which you'll want to open in Notepad, as below. You'll compare the checksum you see in the MD5 file with the checksum you'll get from the Command Prompt (below).

  1. First, download the ISO itself by clicking on the Download link just under the Standard Release section.

    Screenshot of Download link for Standard Release of Bodhi Linux

  2. Next to the download link you will see a link called MD5. Click it to download the MD5 checksum file to your computer. 

    Screenshot of MD5 download link for Standard Release of Bodhi Linux

  3. Next, open the file in Notepad. The contents will be something like this:

    ba411cafee2f0f702572369da0b765e2  bodhi-4.1.0-64.iso

  4. Save that aside and continue to verify below.

Verify the MD5 Checksum Using Windows

To verify the MD5 checksum of the Linux ISO or indeed any other file which has an accompanying MD5 checksum follow these instructions:

  1. Screenshot of Windows 10 Command Prompt launch icon

  2. Navigate to the downloads folder by typing cd Downloads.

    Screenshot of Downloads directory in Windows 10 Command Prompt

    Of course, if the file you want to check is not in the Downloads folder, you'll need to type the exact folder name, like cd "folder\path\here".

  3. Type certutil -hashfile followed by the file name and then MD5.

    Screenshot of

  4. Check that the value returned matches the value the MD5 file you downloaded from the Bodhi website (and opened in Notepad).

    Screenshot comparing hashtag in Command Prompt window with hashtag in Notepad

  5. If the values don't match then the file is not valid and you should download it again.

Verify the MD5 Checksum Using Linux

To verify the MD5 checksum using Linux follow these instructions:

  1. Open a terminal window by pressing ALT and T at the same time.

  2. Type cd ~/Downloads, or a different folder name if that's not where your file is stored.

  3. Enter md5sum followed by the file name.

    Terminal with commands to check md5 in Linux

  4. The value displayed by the md5sum command should match the md5 in the file displayed using the cat command in step 4.

  5. If the values do not match there is a problem with the file and you should download it again.

Issues

The md5sum method of checking the validity of a file only works as long as the site you are downloading the software from hasn't been compromised.

In theory, it works well when there are lots of mirrors because you can always check back against the main website.

However, if the main site gets hacked and a link is provided to a new download site and the checksum is changed on the website then you are basically being hoodwinked into downloading something you probably don't want to use.

Here is an article showing how to check the md5sum of a file using Windows. This guide mentions that many other distributions now also use a GPG key to validate their files. This is more secure but the tools available on Windows for checking GPG keys are lacking. Ubuntu uses a GPG key as a means for verifying their ISO images and you can find a link showing how to do that here.

Even without a GPG key, the MD5 checksum is not the most secure method for securing files. It is now more common to use the SHA-2 algorithm.

Many Linux distributions use the SHA-2 algorithm and for validating the SHA-2 keys you need to use programs such as sha224sum, sha256sum, sha384sum, and sha512sum. They all work in much the same way as the md5sum tool.