Validating the MD5 Checksum of a File

When you download a large file such as a Linux distribution in the form of an ISO, you should validate it to make sure that the file downloaded properly—free of errors or unauthorized modifications.

Developers of large files like ISOs run those completed images through a program to generate an MD5 encrypted file. This method provides a unique checksum, which is a fingerprint of the file.

You download the ISO and then run a tool that creates an MD5 checksum against that file. The checksum that comes back should match the one on the website of the software developer.

Downloading a File With an MD5 Checksum

To demonstrate how to validate the checksum of a file, you'll need a file that already has an MD5 checksum available for it to compare against.

Most Linux distributions provide either an SHA or MD5 checksum for their ISO images. One distribution that uses the MD5 checksum method of validating a file is Bodhi Linux.

Download a live version of Bodhi Linux from the Bodhi Linux site.

Bodhi Linux offers three versions:

Standard
AppPack Release
Legacy Release

Download two files: The Bodhi Linux ISO, available at the download link, and the MD5 file. You'll compare the checksum you see in the MD5 file with the checksum you'll get in a shell session.

Download the ISO itself by clicking on the Download link just under the Standard Release section.
Click MD5 to download the MD5 checksum file to your computer.
Open the MD5 file in a text editor. The contents look something like this:
```
ba411cafee2f0f702572369da0b765e2  bodhi-4.1.0-64.iso
```

Verify the MD5 Checksum Using Windows

To verify the MD5 checksum:

Open Command Prompt.
Open your downloads folder by typing cd Downloads. If you saved the files in a different location, go there instead.
Type certutil -hashfile followed by the file name and then MD5.
Check that the value returned matches the value the MD5 file you downloaded from the Bodhi website (and opened in Notepad).
If the values don't match then the file is not valid and you should download it again.

Verify the MD5 Checksum Using Linux

To verify the MD5 checksum using Linux follow these instructions:

Open a shell session then visit the directory where you downloaded the files.
Enter md5sum followed by the file name.
The value displayed by the md5sum command should match the the value in the MD5 file.

Considerations

The md5sum method of checking the validity of a file only works as long as the site you're downloading the software from is secure. It works well when lots of mirrors are available because you can always check back against the main website.

However, if someone hacks the main site and the intruders change the checksum on the website, then you are probably downloading something you don't want to use.

If the file's checksum doesn't match the value in the supplementary download file, you know that the file was corrupted in some way. Try re-downloading it. If several attempts fail, notify the owner of the file or the administrator of the site that serves it.