Validating the MD5 Checksum of a File

When you download a large file such as a Linux distribution in the form of an ISO you should validate it to make sure that the file has downloaded properly.

In the past, there have been many ways to validate the authenticity of a file. At the crudest level, you can check the file size or you might check the date the file was created. You could also count the number of files in an ISO or other archive or if you are really keen you could check the size, date, and contents of every file within an archive.

The above suggestions range from ineffective to complete overkill. 

One method that has been used for a number of years is for the developers of software and Linux distributions to provide an ISO which they send through an encryption method called MD5. This provides a unique checksum.

The idea is that as a user you can download the ISO and then run a tool which creates an MD5 checksum against that file. The checksum that is returned should match the one located on the website of the software developer.

This guide will show you how to use Windows and Linux to check the MD5 checksum of a Linux distribution.

To demonstrate how to validate the checksum of a file you will need a file that already has an MD5 checksum available for it to compare against.

Most Linux distributions provide either an SHA or MD5 checksum for their ISO images. One distribution that definitely uses the MD5 checksum method of validating a file is Bodhi Linux.

You can download a live version of Bodhi Linux from http://www.bodhilinux.com/.

The linked page has three versions available:

• Standard;
• AppPack Release;
• Legacy Release.

For this guide, we will be showing the Standard Release version because it is the smallest but you can choose anyone you wish.

Next to the download link you will see a link called MD5. This will download the MD5 checksum to your computer. 

You can open the file in Notepad and the contents will be something like this:

ba411cafee2f0f702572369da0b765e2  bodhi-4.1.0-64.iso

To verify the MD5 checksum of the Linux ISO or indeed any other file which has an accompanying MD5 checksum follow these instructions:

1. Open Command Prompt.
2. Navigate to the downloads folder by typing cd Downloads.
   1. Of course, if the file you want to check is not in the Downloads folder, you'll need to type the exact folder name, like cd "folder\path\here".
3. Type certutil -hashfile followed by the file name and then MD5.
4. Check that the value returned matches the value the MD5 file you downloaded from the Bodhi website.
5. If the values don't match then the file is not valid and you should download it again.

To verify the MD5 checksum using Linux follow these instructions:

1. Open a terminal window by pressing ALT and T at the same time.
2. Type cd ~/Downloads, or a different folder name if that's not where your file is stored.
3. Enter md5sum followed by the file name.
4. The value displayed by the md5sum command should match the md5 in the file displayed using the cat command in step 4.
5. If the values do not match there is a problem with the file and you should download it again.

The md5sum method of checking the validity of a file only works as long as the site you are downloading the software from hasn't been compromised.

In theory, it works well when there are lots of mirrors because you can always check back against the main website.

However, if the main site gets hacked and a link is provided to a new download site and the checksum is changed on the website then you are basically being hoodwinked into downloading something you probably don't want to use.

Here is an article showing how to check the md5sum of a file using Windows. This guide mentions that many other distributions now also use a GPG key to validate their files. This is more secure but the tools available on Windows for checking GPG keys are lacking. Ubuntu uses a GPG key as a means for verifying their ISO images and you can find a link showing how to do that here.

Even without a GPG key, the MD5 checksum is not the most secure method for securing files. It is now more common to use the SHA-2 algorithm.

Many Linux distributions use the SHA-2 algorithm and for validating the SHA-2 keys you need to use programs such as sha224sum, sha256sum, sha384sum, and sha512sum. They all work in much the same way as the md5sum tool.