Verifying a USB flash drive contains an authentic copy of Ubuntu

We have a set of procedures to ensure that every flash drive we ship contains a legitimate and verified copy of Ubuntu; you can find our full procedures for making a flash drive online. We also want our customers to be able to verify, quickly and reasonably easily, that the flash drive they received still contains an authentic copy of Ubuntu. The directions below authenticate the contents of a flash drive that already has Ubuntu written to it: they hash the bytes on the drive and compare the result with the checksum list that Canonical signs for each release. If the check passes, the image on the drive is byte-for-byte what Canonical published and was not altered in transit. Note what the check covers: the data on the drive, not the drive's own controller firmware, and it assumes the computer you run it on is one you trust.

1. Open the terminal

Mint Menu > Administration > Terminal

2. Enter the command below, followed by the Enter key, to change to the Downloads folder

cd ~/Downloads

3. Next, make a directory for ubuntu and change into it

mkdir ubuntu
cd ubuntu

4. Import the Ubuntu image signing keys

The key IDs and their fingerprints are listed at https://ubuntu.com/tutorials/how-to-verify-ubuntu#4-retrieve-the-correct... Keep that page open: the fingerprint gpg prints in step 5 must match the one published there.

gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092

gpg: key D94AA3F0EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012)" imported
gpg: key 46181433FBB75451: public key "Ubuntu CD Image Automatic Signing Key" imported
gpg: Total number processed: 2
gpg: imported: 2

5. Download the checksum list and its signature for the Ubuntu version you have, and verify the signature

# To find the checksum files, go to the URL below in your web browser, replacing /release with the version of Ubuntu you have, for example 22.04.1

https://releases.ubuntu.com/release

Example: https://releases.ubuntu.com/22.04.1

# Then find and download SHA256SUMS and SHA256SUMS.gpg, replacing the version in the links below with yours

wget https://releases.ubuntu.com/22.04.1/SHA256SUMS

2023-02-13 15:42:44 (74.7 MB/s) - ‘SHA256SUMS’ saved [202/202]

wget https://releases.ubuntu.com/22.04.1/SHA256SUMS.gpg

2023-02-13 15:43:03 (277 MB/s) - ‘SHA256SUMS.gpg’ saved [833/833]

# Verify the authenticity of SHA256SUMS. The output of the command below should report a "Good signature" made with
# the D94AA3F0EFE21092 key, and the primary key fingerprint it prints must match the fingerprint published on the
# Ubuntu verification page from step 4. The warning that the key is not certified with a trusted signature only means
# you have not told gpg that you trust this key; that is normal here. If gpg reports "BAD signature" instead, stop:
# do not use that SHA256SUMS file for anything that follows.

gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS

gpg: Signature made Thu 11 Aug 2022 07:07:33 AM EDT
gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092

6. Make sure the USB stick that contains Ubuntu is unplugged, then run the command below

ls -1 /dev/sd?

Example output:

/dev/sda

Note: the drive shown above is the internal drive; no USB flash drives are plugged in yet. If your internal disk is NVMe it will not appear under /dev/sd? at all, which is fine: what matters is the device that appears when you plug the stick in.

7. Now plug in your USB flash drive and run the command again:

ls -1 /dev/sd?

Example output:

/dev/sda
/dev/sdb

8. Since /dev/sda is the internal drive, the USB flash drive must be /dev/sdb. Confirm this by checking that the size reported by the command below roughly matches the capacity printed on the drive

sudo fdisk -l /dev/sdb

Example output:

[sudo] password for think:
Disk /dev/sdb: 59.75 GiB, 64160400896 bytes, 125313283 sectors
Disk model: Flash Drive
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device Boot Start End Sectors Size Id Type
/dev/sdb1 128 125313250 125313123 59.8G 7 HPFS/NTFS/exFAT

Notice that /dev/sdb is reported as 59.75 GiB, which corresponds to the 64 GB printed on the flash drive (drives are labelled in decimal gigabytes, while fdisk reports binary gibibytes: 64,160,400,896 bytes is both). So this is the right drive, assuming there are no other drives of a similar size in the system.

9. Next we need the exact size in bytes of the Ubuntu image. Open a browser and go to https://www.ubuntu.com, click the Download tab, click the version of Ubuntu you have, and click cancel when the save dialog appears, as we don't want to download the image itself. Instead, right-click the download link, select Copy Link, and use it in place of the URL below. The command asks the server for the response headers only; with -L, curl prints the headers of every redirect hop, so keep only the last Content-Length.

curl -s -L -I https://releases.ubuntu.com/22.04.1/ubuntu-22.04.1-desktop-amd64.iso | grep -i 'content-length' | tail -n 1

Example output:

Content-Length: 3826831360

10. Now hash exactly that many bytes from the start of the flash drive, so the result can be compared with the checksum Canonical signed. Replace 3826831360 with the number from step 9 and /dev/sdb with the device from step 8. The byte count must be exact: reading more or fewer bytes than the image gives an unrelated hash. This reads the whole image, so expect it to take a few minutes:

sudo head -c 3826831360 /dev/sdb | sha256sum

c396e956a9f52c418397867d1ea5c0cf1a99a49dcf648b086d2fb762330cc88d -

11. Use the cat command to show the contents of the SHA256SUMS file and check that the line for ubuntu-22.04.1-desktop-amd64.iso matches the output of the previous command

cat SHA256SUMS

c396e956a9f52c418397867d1ea5c0cf1a99a49dcf648b086d2fb762330cc88d *ubuntu-22.04.1-desktop-amd64.iso
10f19c5b2b8d6db711582e0e27f5116296c34fe4b313ba45f9b201a5007056cb *ubuntu-22.04.1-live-server-amd64.iso

Notice that the sudo head -c command's output was c396e956a9f52c418397867d1ea5c0cf1a99a49dcf648b086d2fb762330cc88d and the SHA256SUMS file lists the same hash (or fingerprint) for ubuntu-22.04.1-desktop-amd64.iso. Because SHA256SUMS carried a good signature from Canonical's key, this means the image on your flash drive is byte-for-byte the one Canonical (the developers behind Ubuntu) published, and it was not modified in transit. Compare the full 64-character hash, not just the first few characters; if even one character differs, do not boot from the drive.
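The comparison in steps 9 to 11 is done by eye above, which is easy to get wrong on a 64-character hash. The script below is an added example, not part of the original guide, that automates it: it looks up the expected hash for the image name in an already signature-checked SHA256SUMS file, hashes exactly SIZE bytes from the start of the device, and compares the two. To run offline it builds its own stand-ins for the ISO, the SHA256SUMS file and the flash drive in a temporary directory; the file name demo-image.iso, the sizes and the contents are constructed here and are not a real Ubuntu release. It also shows the two cases a real check meets: a drive that holds the image followed by leftover bytes (passes, since only the image's bytes are hashed) and a drive whose image was altered inside (fails).

```shell
#!/bin/sh
# Added example, not from the original guide: automate steps 9-11 of the
# verification. All demo data below is constructed so the script runs offline;
# none of the names, sizes or hashes belong to a real Ubuntu image.
set -eu

# expected_hash SUMS_FILE ISO_NAME: print the SHA-256 listed for ISO_NAME in
# SUMS_FILE (lines look like "<hash> *<filename>"); fail if it is not listed.
expected_hash() {
    sums=$1; iso=$2
    want=$(awk -v name="$iso" '{ f = $2; sub(/^\*/, "", f); if (f == name) print $1 }' "$sums")
    if [ -z "$want" ]; then
        echo "no entry for $iso in $sums" >&2
        return 1
    fi
    echo "$want"
}

# device_hash DEVICE SIZE: SHA-256 of the first SIZE bytes of DEVICE.
# SIZE must be the image's exact byte count (the Content-Length from step 9).
device_hash() {
    head -c "$2" "$1" | sha256sum | awk '{ print $1 }'
}

# verify_device DEVICE ISO_NAME SIZE SUMS_FILE: 0 if DEVICE starts with the
# image byte-for-byte, 1 if it does not or the image is not in SUMS_FILE.
verify_device() {
    dev=$1; iso=$2; size=$3; sums=$4
    want=$(expected_hash "$sums" "$iso") || return 1
    got=$(device_hash "$dev" "$size")
    if [ "$got" = "$want" ]; then
        echo "OK: first $size bytes of $dev match $iso ($want)"
        return 0
    fi
    echo "MISMATCH: $dev does not hold $iso" >&2
    echo "  expected $want" >&2
    echo "  got      $got" >&2
    return 1
}

# ---- constructed demo data: stand-ins for the ISO, SHA256SUMS and the drive ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ISO_NAME=demo-image.iso    # hypothetical name, not a real Ubuntu image

# Fake "image": random bytes with a known 8-byte marker at offset 1000 so the
# tampered copy below can change it deterministically.
{ head -c 1000 /dev/urandom; printf 'ORIGINAL'; head -c 64000 /dev/urandom; } > "$WORK/$ISO_NAME"
ISO_SIZE=$(wc -c < "$WORK/$ISO_NAME" | tr -d ' ')

# Fake SHA256SUMS in the "<hash> *<filename>" layout Ubuntu publishes.
# In real use this file must first pass gpg --verify, as in step 5.
printf '%s *%s\n' "$(sha256sum < "$WORK/$ISO_NAME" | awk '{ print $1 }')" "$ISO_NAME" > "$WORK/SHA256SUMS"

# "Good" drive: the image followed by leftover bytes, as on any drive larger than the ISO.
{ cat "$WORK/$ISO_NAME"; head -c 4096 /dev/urandom; } > "$WORK/good.img"

# "Tampered" drive: the same image with 8 bytes changed inside it.
cp "$WORK/$ISO_NAME" "$WORK/bad.img"
printf 'MODIFIED' | dd of="$WORK/bad.img" bs=1 seek=1000 conv=notrunc 2>/dev/null

verify_device "$WORK/good.img" "$ISO_NAME" "$ISO_SIZE" "$WORK/SHA256SUMS"
verify_device "$WORK/bad.img"  "$ISO_NAME" "$ISO_SIZE" "$WORK/SHA256SUMS" || echo "(tampered copy correctly rejected)"
```

Against a real drive you would call `verify_device /dev/sdb ubuntu-22.04.1-desktop-amd64.iso 3826831360 SHA256SUMS` under sudo, using the device from step 8, the Content-Length from step 9 and the SHA256SUMS file that passed `gpg --verify` in step 5; the script does not check the signature itself, so never feed it a checksum file that has not. The lookup matches the exact file name so that, for example, the desktop and live-server entries in the same file cannot be confused.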