How to verify a USB flash drive contains an authentic copy of Fedora


# First, open a terminal and download Fedora's GPG key(s) by running the following command

curl -O https://getfedora.org/static/fedora.gpg

# Next, download the CHECKSUM file for the Fedora x86_64 ISO, or for whichever version you have purchased

wget https://getfedora.org/static/checksums/37/iso/Fedora-Workstation-37-1.7-...

# Now, verify that the CHECKSUM file is valid

gpgv --keyring ./fedora.gpg *-CHECKSUM

gpgv: Signature made Thu 10 Nov 2022 02:56:12 PM EST
gpgv: using RSA key ACB5EE4E831C74BB7C168D27F55AD3FB5323552A
gpgv: Good signature from "Fedora (37) "

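Note: The important part of the output is the line reporting a good signature from the Fedora developers. gpgv treats every key in the keyring file as trusted, so this result is only as trustworthy as the fedora.gpg file downloaded in the first step.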

# Identify the flash drive by running fdisk and looking at the lines that say Disk /dev/xxx and the size
# Note that in the example below we have one disk, /dev/sda, that is 59GiB, or an advertised capacity of 64GB

sudo fdisk -l

Disk /dev/sda: 59.75 GiB, 64160400896 bytes, 125313283 sectors
Disk model: Flash Drive
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device     Boot Start       End   Sectors  Size Id Type
/dev/sda1         128 125313250 125313123 59.8G  7 HPFS/NTFS/exFAT

# Identify the size of the ISO image using the curl command and a download link for the Fedora image
# You can get a link by going to https://www.getfedora.org/ and clicking Download Now under Fedora Workstation
# Then, under For x86_64:, right-click the Download button and select Copy Link, then replace the link below with yours

curl -s -L -I https://download.fedoraproject.org/pub/fedora/linux/releases/37/Workstat... | grep 'content-length\|Content-Length'

content-length: 2037372928

# Pass the number output above to the head command so that only the portion of the disk the image was written to is hashed
# Replace /dev/sda with your drive's location

sudo head -c 2037372928 /dev/sda | sha256sum

9c69005baafdba6e4ff04c1cf4779121b7fc9aacab80b4633394576da336a515 -

# Make sure the output above matches what is in the Fedora-Workstation-x-x.x-x86_64-CHECKSUM file we downloaded earlier

cat *-CHECKSUM | grep SHA256

SHA256 (Fedora-Workstation-Live-x86_64-37-1.7.iso) = 9c69005baafdba6e4ff04c1cf4779121b7fc9aacab80b4633394576da336a515

# In this case the two values match, so we can conclude that the ISO image was fully and properly written to the drive and has not been tampered with in transit by a malicious adversary
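
The size, hash and compare steps above as one script, added here as an example and not part of the original instructions. It reads the expected hash and the image size only from the signed region of the CHECKSUM file, so it assumes that file carries a "# <iso name>: <size> bytes" comment line inside the signed text (used in place of the Content-Length lookup); signed_entry, verify_drive, selftest and the script name are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original page. Run the gpgv step on the CHECKSUM file first.

# signed_entry CHECKSUM_FILE ISO_NAME: print "<size> <sha256>" for ISO_NAME.
# Assumed format: "# NAME: SIZE bytes" and "SHA256 (NAME) = HASH" lines.
# Only lines between the PGP SIGNED MESSAGE and PGP SIGNATURE markers are read,
# because text outside that region is not covered by the signature.
signed_entry() {
    awk -v name="$2" '
        /^-----BEGIN PGP SIGNED MESSAGE-----/ { signed = 1; next }
        /^-----BEGIN PGP SIGNATURE-----/      { signed = 0 }
        !signed { next }
        $1 == "#" && $2 == (name ":") && $4 == "bytes" { size = $3 }
        $1 == "SHA256" && $2 == ("(" name ")")         { hash = $4 }
        END { if (size == "" || hash == "") exit 1; print size, hash }
    ' "$1"
}

# verify_drive DEVICE CHECKSUM_FILE ISO_NAME
# Returns 0 on match, 1 on mismatch, 2 if the signed region has no entry for ISO_NAME.
verify_drive() {
    entry=$(signed_entry "$2" "$3") || { echo "no signed entry for $3" >&2; return 2; }
    size=${entry% *}
    want=${entry#* }
    # Hash only the first $size bytes; the rest of the drive is not part of the image.
    got=$(head -c "$size" "$1" | sha256sum | cut -d' ' -f1)
    if [ "$got" = "$want" ]; then
        echo "OK: first $size bytes of $1 match $3"
    else
        echo "MISMATCH: got $got, expected $want" >&2
        return 1
    fi
}

# selftest: constructed data only (a 4096-byte stand-in image on a larger "drive").
selftest() {
    d=$(mktemp -d) || return 3
    head -c 4096 /dev/zero | tr '\0' 'F' > "$d/img"
    { cat "$d/img"; head -c 1000 /dev/zero; } > "$d/drive"
    sum=$(sha256sum "$d/img" | cut -d' ' -f1)
    printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' '' \
        "# demo.iso: 4096 bytes" "SHA256 (demo.iso) = $sum" \
        '-----BEGIN PGP SIGNATURE-----' "SHA256 (unsigned.iso) = $sum" > "$d/CHECKSUM"
    rc=0; verify_drive "$d/drive" "$d/CHECKSUM" demo.iso || rc=$?
    rm -rf "$d"; return "$rc"
}

# sudo sh verify_drive.sh /dev/sda ./*-CHECKSUM Fedora-Workstation-Live-x86_64-37-1.7.iso
if [ "$#" -eq 3 ]; then verify_drive "$@"; else selftest; fi
```

With no arguments the script only runs its self-test on constructed files; with three arguments it needs read access to the device, hence sudo.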