Download ISOs only from official project sites or trusted mirrors. A bad checksum means the file is corrupted or tampered with — do not flash it to USB.
What you will achieve
Confirm your Linux installer ISO matches the publisher's checksum before you write it to a USB stick. This catches corrupted downloads, incomplete transfers, and mirror substitution — the step most people skip and regret.
1) Download the checksum file from the official site
Ubuntu publishes SHA256 sums on the release page. Debian provides SHA256SUMS and SHA256SUMS.sign for GPG verification. Always grab these from the same domain as the ISO, not a random forum link.
wget https://releases.ubuntu.com/24.04.2/SHA256SUMS
wget https://releases.ubuntu.com/24.04.2/ubuntu-24.04.2-desktop-amd64.iso
2) Verify with sha256sum
Run the checksum locally and compare against the published value. On Ubuntu and Debian, sha256sum is pre-installed.
sha256sum ubuntu-24.04.2-desktop-amd64.iso
grep ubuntu-24.04.2-desktop-amd64.iso SHA256SUMS | sha256sum -c -
The second command does the comparison for you: OK means the ISO matches the published sum, FAILED means delete it and download again.
3) Verify GPG signatures (Debian and some distros)
Checksum files alone prove integrity against the published sum, not that the sum itself is authentic. Debian signs its sums:
wget -qO- https://ftp-master.debian.org/keys/archive-key-12.asc | gpg --import
gpg --verify SHA256SUMS.sign SHA256SUMS
grep debian-12.9.0-amd64-netinst.iso SHA256SUMS | sha256sum -c -
GPG should report a good signature from the Debian archive key before you trust the sums.
4) Why mirrors matter
University and CDN mirrors are usually fine, but a compromised or stale mirror can serve an old or altered ISO. If a checksum fails on one mirror, try the official torrent or primary release URL before assuming your download tool is broken.
5) After verification
Only after a successful check should you flash the ISO with dd, Ventoy, balenaEtcher, or GNOME Disks. Store the checksum output in your install notes — useful when troubleshooting boot failures later.
6) Torrent downloads
Official torrents include embedded piece hashes, so your client verifies each chunk during download. Still run sha256sum on the completed file; the extra check is cheap insurance. On slow links, torrents often beat single-connection HTTP mirrors.
Prerequisites
Complete ISO download, checksum file from the same release directory, and sha256sum or gpg installed. For GPG verification, import the project signing key once and trust it via the web of trust or fingerprint comparison on the official site.
Verify
sha256sum ubuntu-24.04.2-desktop-amd64.iso
grep ubuntu-24.04.2-desktop-amd64.iso SHA256SUMS
Both lines must show identical 64-character hex strings. Any mismatch: delete the ISO and download again.
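The manual comparison above can be scripted so that a missing or ambiguous entry is reported separately from a mismatch. This is an added example, not part of the original guide; verify_iso and demo are hypothetical helper names, and it assumes GNU coreutils sha256sum and ISO filenames without spaces.

```shell
#!/bin/sh
# Added example. verify_iso and demo are hypothetical helper names.
# Assumes GNU coreutils sha256sum and ISO filenames without spaces.
# Returns: 0 match, 1 mismatch, 2 missing file, 3 no unique valid entry.
verify_iso() {
    iso=$1; sums=$2
    [ -f "$iso" ] && [ -f "$sums" ] || { echo "missing file" >&2; return 2; }
    name=$(basename -- "$iso")
    # Exact filename match. Lines look like "<hash>  name" or "<hash> *name";
    # an unanchored grep would also match "name.zsync" or similar entries.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { c++; h = tolower($1) }
        END { if (c == 1) print h }' "$sums")
    # Require exactly one entry that is a 64-character hex digest.
    case $expected in
        ""|*[!0-9a-f]*) echo "no unique entry for $name" >&2; return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest" >&2; return 3; }
    actual=$(sha256sum -- "$iso" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
    else
        echo "$name: FAILED (delete and re-download)" >&2
        return 1
    fi
}

# Constructed sample data: a tiny stand-in file, not a real ISO.
demo() {
    tmp=$(mktemp -d) || return 2
    printf 'constructed ISO bytes\n' > "$tmp/sample.iso"
    sum=$(sha256sum "$tmp/sample.iso" | cut -d' ' -f1)
    printf '%s *sample.iso\n' "$sum" > "$tmp/SHA256SUMS"
    ok=0;  verify_iso "$tmp/sample.iso" "$tmp/SHA256SUMS" || ok=$?
    printf 'x' >> "$tmp/sample.iso"      # simulate corruption
    bad=0; verify_iso "$tmp/sample.iso" "$tmp/SHA256SUMS" || bad=$?
    rm -rf "$tmp"
    [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with --demo to exercise it on the constructed file, or call verify_iso with a real ISO and the SHA256SUMS file from the same release directory.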