Wiki: Verifying SDesk Disk Images

3-5 Minute Read

Verifying SDesk Disk Images

A Standard way to verify the integrity and authenticity of your download.

WHy Verify?

Most of the time when you download a small package or program, there is no way to verify if that download was corrupted or even tampered with. Although this is not recommended for software developers and distributors, the consequences of downloading a faulty program for an operating system are less severe than downloading a faulty actual operating system, as this could cause serious damage to your computer at the low level more easily.

Verifying with GNUPg on GNU/Linux Systems

If you are using a GNU/Linux Distribution (Arch and derivatives, Debian (With the “Linux” Kernel instead of the “Hurd” Kernel) and derivatives, Ubuntu and derivatives, Gentoo Derivatives, and most others), then you should install GnuPG with your package manager (sometimes called “gpg”) and follow the steps below:

  • Go to the SDesk Github Repository and navigate to the latest release.
  • Right click on “sha256sum.txt” and click on “Save Link As…”. Do the same for “sha256sum.txt.sig” (Simply downloading the checksum files normally will only copy the contents, which will mess up GnuPG).
  • Run sha256sum -b [disk-image-filename-here-with-no-brackets].iso in a terminal and copy the entire output.
  • Compare the text you just copied with the text present in the “sha256sum.txt” file you previously downloaded.
  • If it matches, continue to the next step. If it does not, you must download the disk image file again and repeat all of these steps.
  • The “sha256sum.txt” file still could have been intercepted and modified. To make sure that this is not the case, run the following command to import my signing key: gpg –keyserver hkp://keyserver.ubuntu.com:80 –recv-key “B341 D5E0 9EDD 3AD5 8FD2 6A9C 8AF5 E5D3 F86E 790E”
  • Run gpg –verify sha256sum.txt.sig sha256sum.txt in a terminal, the output should say that the file signature is good. If this is not the case, download the “sha256sum.txt” file, the“sha256sum.txt.sig” file, and the diskimage file again. Then repeat all of the necessary steps.

Verifying on Windows

If you are using windows, you can follow this extremely detailed Post on the Linux Mint forums. Just make sure to substitute all occurrences of Linux Mint specific signing key fingerprints with my signing key’s fingerprint (B341 D5E0 9EDD 3AD5 8FD2 6A9C 8AF5 E5D3 F86E 790E) if you are trying to verify an SDesk Disk Image.

Written by: Stephen Byrne