Verify the integrity of an ISO or burned CD

One very common process in the GNU/Linux world is downloading the CD image, or ISO, of a GNU/Linux distribution from the web and burning it to a CD.  One step too many people skip, unfortunately, is making sure that ISO actually downloaded as it should and that the CD actually burned correctly.  I can tell you from personal experience that this may lead to mysterious corruption, crashing, and glitchiness later – since you might manage to get through a full install but with major issues behind the scenes that rear their ugly heads later.  In my early GNU/Linux days I got “burned” this way, so to speak, several times.  Learning how to check the integrity of the ISO and CD in question, and doing it religiously every time I burn, has saved me from wasting countless hours troubleshooting a problem that wouldn’t have appeared had I been using a good copy of the install CD.  And it’s a shame that a GNU/Linux distro can get a bad rap for being glitchy when the real problem was corruption during the ISO download, a buffer under-run during the burn, a dirty or defective CD, etc.  When installing something so major as an entire operating system, and the large collection of applications that usually come with it, taking a few minutes to make sure everything’s correct is worth it.

Now, while the “Media Check” option provided with some GNU/Linux distro CD’s (for the same purpose of checking CD integrity)  is a good idea, it is possible for a CD to pass the media check but still fail other integrity checks.  I’ve had that happen a few times too, so I always use this other method to double-check it.  It’s an excellent and in-depth check, so if it passes you can almost always rest assured your copy is good.  By the way, this also works for DVD’s, in case you’re wondering.

I try a lot of different GNU/Linux distributions, and new versions are constantly being released. I don’t want to keep filling the landfills with CD-R’s or DVD-R’s every time I try something new. So I avoid using single-use discs, and instead opt for liveUSB’s (tutorial) or making live partitions (tutorial) as virtual “CD’s” when possible. Lacking that, I use rewritable media (CD-RW’s or DVD-RW’s). Given how increasingly hard it is to find CD-RW’s any more, you may find it helpful to know that you can also burn a CD ISO onto a DVD-RW. That’s another tutorial for another day, but once you’ve done it you can use this very same integrity check on the DVD-RW, just as if it was a CD.

That said, for purposes of this tutorial, I’ll refer to CD-R’s, DVD-R’s, CD-RW’s, and DVD-RW’s all as CD’s.

First, you may have noticed when downloading your ISO from a given distribution’s website that there is a reference to md5sum, or better yet, sha1sum.  These are essentially just big long hexadecimal numbers (0-9 and A-F), and when you run md5sum or sha1sum on the ISO, these tell you what the number should be if the file is good.  Some distributions just post the md5sum or sha1sum number on a page on their website, and others provide it as a file with a name like MD5SUMS, SHA1SUM, or distribution_name.md5sum, which contains the number and the name of the file it goes with.  Depending on their website layout you may have to poke around a bit.

Example 1:
Here’s a screenshot of Ubuntu’s website.  After you download the ISO it brings you to this page with a link (which I’ve highlighted) to their md5sums and a good md5sum how-to for GNU/Linux, Mac, and Windows, and a link to their md5sums page, shown below:

Ubuntu md5sum link

Ubuntu md5sum link

Ubuntu md5sums

Ubuntu md5sums

They’ve given you the md5sum in a web page, so you’ll be eyeballing your md5sum result and the number they’ve given you for the version of Ubuntu you downloaded.  Open a terminal window and change directory to the location of your ISO.  Let’s say that I’ve downloaded ubuntu-8.10-desktop-i386.iso to my Desktop.

g33kgrrl@home ~ $ cd Desktop
g33kgrrl@home ~/Desktop$
md5sum ubuntu-8.10-desktop-i386.iso

Now it will sit and crunch numbers for a few minutes.  It may look like nothing’s going on, but this is a great time to go grab a cup of coffee or whatever.  When it is done it will spit out a number and the filename you checked.  (This is all on one line.)

24ea1163ea6c9f5dae77de8c49ee7c03  ubuntu-8.10-desktop-i386.iso
g33kgrrl@home ~/Desktop$

Now compare this number with the one on the website. Sure enough, it matches the line for ubuntu-8.10-desktop-i386.iso at the bottom of the screenshot – all is well.

Example 2:
Here’s a screenshot of a Debian download mirror.  They’ve given you actual MD5SUMS and SHA1SUMS files (highlighted) in the same folder where you can download the ISO’s.  (Advanced users – don’t worry, I use Jigdo.)

sha1sum and md5sum files

sha1sum and md5sum files

If you just click these files, they’ll most likely open in your browser as a list much like the Ubuntu web page above.  They’re actually just plain text files containing a list of ISO filenames and the hexadecimal numbers that go with them.  But downloading the files is nicer because you don’t have to eyeball that long number yourself.  Instead, find the sha1sum or md5sum file (in this case, SHA1SUMS or MD5SUMS respectively – but it could also be something.sha1sum or something.md5sum), right click and save it (in Firefox this is Save Link As).  The sha1sum check is more thorough, so I’ll pick the SHA1SUMS file here.  It’s easiest if you save this file in the same folder as the ISO.  Let’s say I’ve downloaded debian-500-i386-kde-CD-1.iso (it’s not in the screenshot above, but it’s further down on the same web page) and saved it to my Desktop, so  I’ll save SHA1SUMS there too.  Now make sure you’re in the directory where you downloaded them, and point sha1sum with the -c option to the sha1sum file you just downloaded.  The process is exactly the same for md5sum; use it with the -c option and point it to the md5sum file in the format ‘md5sum -c md5sum-file-name‘ .

g33kgrrl@home ~ $ cd Desktop
g33kgrrl@home ~/Desktop$
sha1sum -c SHA1SUMS

(In the unlikely event that you get an error like bash: sha1sum: command not found, or bash: md5sum: command not found, you’ll need to go to your package manager and install the package for it.  In Debian Lenny 5.0 it’s called coreutils and comes preinstalled.)

Now what I see here will depend on how many other files are listed in SHA1SUMS besides the one I downloaded.  If it’s the only file in there, the system will crunch numbers and may look like it’s doing nothing.  If there are others, I will get failure notifications because the other ISO’s it’s looking for aren’t there.  In this case there are lots of other files so I see lots of output.  Either way, it will take a few minutes and give you a result.  Here’s a partial list of my output, showing that the sha1sum for debian-500-i386-kde-CD-1.iso is OK (which I’ve highlighted):

sha1sum: debian-500-i386-CD-8.iso: No such file or directory
debian-500-i386-CD-8.iso: FAILED open or read
sha1sum: debian-500-i386-CD-9.iso: No such file or directory
debian-500-i386-CD-9.iso: FAILED open or read
sha1sum: debian-500-i386-businesscard.iso: No such file or directory
debian-500-i386-businesscard.iso: FAILED open or read
debian-500-i386-kde-CD-1.iso: OK
sha1sum: debian-500-i386-netinst.iso: No such file or directory
debian-500-i386-netinst.iso: FAILED open or read
sha1sum: debian-500-i386-xfce+lxde-CD-1.iso: No such file or directory
debian-500-i386-xfce+lxde-CD-1.iso: FAILED open or read
sha1sum: WARNING: 34 of 35 listed files could not be read
g33kgrrl@home ~/Desktop$

Ready to burn! But how to check that CD or DVD once it’s burned?

K3b, which is a really great burning utility, has its own md5sum option right in the burn CD image dialogue.

First I select the “burn CD image” from the main options:

K3b burn cd image

K3b burn cd image

I point it to the ISO image (in this case, I had already moved it to my USB key, but normally the path would be /home/g33kgrrl/Desktop/debian-500-i386-kde-CD-1.iso).  K3b takes a minute or so to calculate the md5sum for the ISO.  Then I select the “Verify written data” option:

K3b verify written data

K3b verify written data

Click Start.  The CD will burn, and K3b will check its md5sum of the CD to make sure it matches the md5sum of the ISO.  Pretty nifty.

But what if you’re using something else that doesn’t have this feature?  Or you’ve already burned the CD and now you’d like to go back and check it?  As long as you have the sha1sum or md5sum it’s simple.

First, you need to insert the CD and let the system open it (in other words, mount the CD).  Now you can use the df command to see what system device your CD drive is being designated as.

g33kgrrl@home ~/Desktop$ df -h
Filesystem     Size  Used  Avail  Use%   Mounted on
/dev/sda1      9.2G  3.2G   6.1G   35%   /
tmpfs          502M     0   502M    0%   /lib/init/rw
udev            10M   92K    10M    1%   /dev
tmpfs          502M     0   502M    0%   /dev/shm
/dev/sda3       59G   18G    42G   30%   /home
/dev/hda       648M  648M      0  100%   /media/cdrom0
g33kgrrl@home ~/Desktop$

Here I can see that my DVD-RW drive is /dev/hda. Yours may be the same, or it might be something like /dev/sr0 (that’s a zero) so adjust the command below as needed.  I can use sha1sum or md5sum and point it to my device name to get the number I need.  Again, this will take a few minutes to complete.

g33kgrrl@home ~/Desktop$ sha1sum /dev/hda
89164d79d84f483c3642f25507186e58bf5fc0d8 /dev/hda
g33kgrrl@home ~/Desktop$

Now I open the SHA1SUM file I downloaded (it’s just plain text, so you can use any text editor) and compare it with the corresponding line for the ISO (or in Ubuntu’s case, with the md5sum posted on their website):

89164d79d84f483c3642f25507186e58bf5fc0d8 debian-500-i386-kde-CD-1.iso

It’s a match. Time to install!


8 thoughts on “Verify the integrity of an ISO or burned CD

  1. Pingback: PCLinuxOS 2009 is out! Here’s how to get it. « g33kgrrl’s garage

  2. Pingback: Install GNU/Linux without a CD « g33kgrrl’s garage

  3. Pingback: Install GNU/Linux without a CD – part 1 « g33kgrrl’s garage

  4. Pingback: Install GNU + Linux without a CD – using your internal hard drive « g33kgrrl’s garage

  5. Pingback: Use a simple download manager – wget « g33kgrrl's garage

  6. Thanks for the great tutorial. I am hoping that running md5sum on the cdrom device will help identify my problems. I wouldn’t have thought to do that.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s