![How to compute sha1sum linux iso file](https://kumkoniak.com/74.jpg)
The process of checking an ISO is a bit complex, so before we get into the exact steps, let’s explain exactly what the process entails:

1. You’ll download the Linux ISO file from the Linux distribution’s website–or somewhere else–as usual.
2. You’ll download a checksum and its digital signature from the Linux distribution’s website. These may be two separate TXT files, or you may get a single TXT file containing both pieces of data.
3. You’ll get a public PGP key belonging to the Linux distribution. You may get this from the Linux distribution’s website or a separate key server managed by the same people, depending on your Linux distribution.
4. You’ll use the PGP key to verify that the checksum’s digital signature was created by the same person who made the key–in this case, the maintainers of that Linux distribution. This confirms the checksum itself hasn’t been tampered with.
5. You’ll generate the checksum of your downloaded ISO file, and verify it matches the checksum TXT file you downloaded. This confirms the ISO file hasn’t been tampered with or corrupted.

The process may differ a bit for different ISOs, but it usually follows that general pattern. For example, there are several different types of checksums. Traditionally, MD5 sums have been the most popular. However, SHA-256 sums are now more frequently used by modern Linux distributions, as SHA-256 is more resistant to theoretical attacks. We’ll primarily discuss SHA-256 sums here, although a similar process will work for MD5 sums. Some Linux distros may also provide SHA-1 sums, although these are even less common.

![How to compute sha1sum linux iso file](https://linuxhint.com/wp-content/uploads/2019/01/16-18-1024x321.png)

Similarly, some distros don’t sign their checksums with PGP. You’ll only need to perform steps 1, 2, and 5, but the process is much more vulnerable. After all, if the attacker can replace the ISO file for download they can also replace the checksum.

Using PGP is much more secure, but not foolproof. The attacker could still replace that public key with their own, and they could still trick you into thinking the ISO is legit. However, if the public key is hosted on a different server–as is the case with Linux Mint–this becomes far less likely (since they’d have to hack two servers instead of just one). But if the public key is stored on the same server as the ISO and checksum, as is the case with some distros, then it doesn’t offer as much security. Still, if you’re attempting to verify the PGP signature on a checksum file and then validating your download with that checksum, that’s all you can reasonably do as an end-user downloading a Linux ISO. You’re still much more secure than the people who don’t bother.
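Steps 4 and 5 of the process described above, as one shell function. This is an added example, not code from the original article; it assumes a detached signature file, `sha256sum`-format checksum lines, and ISO file names without spaces, and the file names in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example. Usage (placeholder file names):
#   ./verify_iso.sh distro.iso SHA256SUMS SHA256SUMS.gpg
#
# verify_iso ISO SUMS [SIG]
# Returns 0 only if SIG (when given) is a good signature over SUMS and the
# ISO's SHA-256 equals the entry recorded for its file name in SUMS.
verify_iso() {
    local iso sums sig name expected actual
    iso=$1; sums=$2; sig=${3:-}

    # Step 4: authenticate the checksum file before trusting its contents.
    # gpg exits 0 for a good signature from ANY key in your keyring, so
    # import only the distro's key and compare its fingerprint with one
    # obtained from a different server than the ISO came from.
    if [ -n "$sig" ]; then
        gpg --verify "$sig" "$sums" || {
            echo "FAIL: signature on $sums did not verify" >&2; return 2; }
    else
        echo "WARN: no signature given; checksum is unauthenticated" >&2
    fi

    # Step 5: look up the expected hash for this exact file name.
    # Lines look like "<hex>  name" (text mode) or "<hex> *name" (binary).
    name=$(basename -- "$iso")
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "FAIL: no entry for $name in $sums" >&2; return 3
    fi

    # Hash the local download and compare against the listed value.
    actual=$(sha256sum -- "$iso" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: $name does not match the hash in $sums" >&2; return 1
    fi
    echo "OK: $name matches $sums"
}

# Run directly when called with arguments; otherwise just define the function.
if [ "$#" -ge 2 ]; then verify_iso "$@"; fi
```

Leaving out the third argument gives the steps 1, 2, and 5 path: the function still detects corruption, but a replaced checksum file would pass.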