
How to Verify the Integrity of Downloaded Files

2026-04-16 · 5 min read

The Real Threat of Tampered Downloads

Tampered downloads are not a theoretical threat. In 2016, the Linux Mint website was hacked and attackers modified download links, causing thousands of users to download ISO images with backdoors. In 2017, the popular CCleaner software had malicious code injected in the supply chain, affecting millions of users. In 2020, SolarWinds software updates were implanted with the Sunburst backdoor, affecting thousands of organizations including the US government. These cases show that even downloading from "official" channels carries risk.

First Layer of Defense: Hash Verification

Hash verification is the foundation of file integrity verification. Steps: download the file from the official website, find the official hash values (usually near the download page or in a separate checksum file), calculate the hash of your downloaded file, and compare with the official values.

# Linux/macOS: SHA256 verification
# Checks every file listed in SHA256SUMS (add --ignore-missing if you only downloaded some of them)
sha256sum -c SHA256SUMS
# Or manually:
sha256sum ubuntu-24.04-desktop-amd64.iso
# Compare the full 64-character hash, not just its first characters, with: a0d2dfd574d2dec14571bce...

# Windows PowerShell (-eq compares strings case-insensitively, so the hash's letter case does not matter):
(Get-FileHash ubuntu-24.04-desktop-amd64.iso -Algorithm SHA256).Hash -eq "a0d2dfd574d2dec..."
# Returns True if match
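To make explicit what `sha256sum -c` does when it reads a SHA256SUMS file, here is an added Python example (not code from the original post) that parses the checksum-list format, hashes each listed file and reports OK, FAILED or MISSING, mirroring the `--ignore-missing` behaviour used later in this post. The file names, contents and checksums are constructed for the example; `hello.txt` is the only "downloaded" file, and its listed hash is the SHA-256 of the text `hello` followed by a newline.

```python
import hashlib
import hmac
import re

# Added example: a small re-implementation of the `sha256sum -c` check so the
# comparison logic is visible. Sample data below is constructed for the example.

HEX64 = re.compile(r"[0-9a-fA-F]{64}")


def parse_sums(text: str) -> dict[str, str]:
    """Parse coreutils checksum lines: '<hex>  <name>' or '<hex> *<name>'.

    Blank lines, comments and malformed lines are skipped (sha256sum only
    warns about them).
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition(" ")
        if not sep or not HEX64.fullmatch(digest):
            continue
        name = name.lstrip(" ")
        if name.startswith("*"):      # '*' marks binary mode; not part of the name
            name = name[1:]
        sums[name] = digest.lower()
    return sums


def verify_files(sums: dict[str, str], files: dict[str, bytes],
                 ignore_missing: bool = True) -> dict[str, str]:
    """Return {name: 'OK' | 'FAILED' | 'MISSING'} for each listed file.

    `files` maps file name to content (bytes), standing in for files on disk.
    With ignore_missing=True, names not present are silently skipped, like
    `sha256sum -c --ignore-missing`; otherwise they are reported as MISSING.
    """
    results = {}
    for name, expected in sums.items():
        if name not in files:
            if not ignore_missing:
                results[name] = "MISSING"
            continue
        actual = hashlib.sha256(files[name]).hexdigest()
        # compare_digest avoids short-circuit comparison; it is cheap, so use it by habit
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return results


def all_ok(sums_text: str, files: dict[str, bytes], ignore_missing: bool = True) -> bool:
    """Overall verdict: every checked file must be OK and at least one file must
    have been checked (sha256sum also errors with "no file was verified")."""
    results = verify_files(parse_sums(sums_text), files, ignore_missing)
    return bool(results) and all(status == "OK" for status in results.values())


# Constructed SHA256SUMS file: the first line is the real SHA-256 of b"hello\n",
# the second refers to a file we did not download (the all-zero digest is a dummy).
SAMPLE_SUMS = """\
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 *hello.txt
0000000000000000000000000000000000000000000000000000000000000000  not-downloaded.iso
"""

SAMPLE_FILES = {"hello.txt": b"hello\n"}   # constructed stand-in for the download

if __name__ == "__main__":
    for name, status in verify_files(parse_sums(SAMPLE_SUMS), SAMPLE_FILES).items():
        print(f"{name}: {status}")          # hello.txt: OK
```

For a multi-gigabyte ISO you would hash the file in chunks rather than read it into memory, but the parsing and comparison logic is the same.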

Second Layer of Defense: GPG Signature Verification

The limitation of hash verification is that if the official site is hacked, the hash values and the file may be replaced at the same time. GPG digital signatures provide stronger assurance: software publishers sign checksum files with their private key, and anyone can verify the signature's authenticity with the public key. Even if hackers replace both files and hashes on the official site, they cannot forge a correct GPG signature (since the private key is retained by the publisher), provided that you obtained the publisher's public key through a channel you trust and checked its fingerprint.

# Example: Verifying Ubuntu ISO with GPG

# Step 1: Import Ubuntu's signing key (do this once)
gpg --keyserver hkps://keyserver.ubuntu.com \
    --recv-keys "843938DF228D22F7B3742BC0D94AA3F0EFE21092"
# Confirm this fingerprint against a second, independent source (for example the
# publisher's own documentation) before relying on it; a keyserver only stores keys.

# Step 2: Download ISO and signature files
# ubuntu-24.04-desktop-amd64.iso
# SHA256SUMS (checksum file)
# SHA256SUMS.gpg (signature file)

# Step 3: Verify the signature on SHA256SUMS
gpg --verify SHA256SUMS.gpg SHA256SUMS
# Good signature from "Ubuntu CD Image Automatic Signing Key"
# A "WARNING: This key is not certified with a trusted signature!" line only means
# you have not certified the key in your own keyring; the signature is still valid
# as long as gpg reports "Good signature" and the fingerprint matches Step 1.

# Step 4: Verify the ISO matches SHA256SUMS
sha256sum -c SHA256SUMS --ignore-missing   # --ignore-missing: skip listed files you did not download
# ubuntu-24.04-desktop-amd64.iso: OK

Verifying Docker Image Integrity

# Pull with specific digest (content-addressable)
docker pull ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2

# Verify after pull: the digest Docker recorded must be the one you asked for.
# (An image pulled by digest is not tagged "ubuntu:latest", so inspect it by digest.)
docker inspect ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2 \
    --format '{{index .RepoDigests 0}}'

# Docker Content Trust (automatically verifies signatures)
export DOCKER_CONTENT_TRUST=1
docker pull myorg/myimage:v1.0
# Will fail if no valid Notary signature

Verifying npm Package Integrity

npm uses SHA-512 checksums to verify every package's integrity. The integrity field in package-lock.json stores the SHA-512 hash of each package tarball (Base64-encoded and prefixed with sha512-). npm install verifies this automatically against the lock file, and an install whose downloaded tarball does not match fails with an EINTEGRITY error.

// package-lock.json integrity field example (lockfileVersion 2/3 layout; JSON
// does not allow comments, so the note is kept outside the file)
{
  "lockfileVersion": 3,
  "packages": {
    "node_modules/some-package": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/some-package/-/some-package-1.0.0.tgz",
      "integrity": "sha512-ABC123...=="
    }
  }
}
// npm hashes the tarball fetched from "resolved" and compares it with "integrity" on every install

# Manual verification
npm ci                        # Uses lock file, strictly verifies integrity
npm install --ignore-scripts  # Skip post-install scripts too

Browser Subresource Integrity (SRI)

When using external CDN resources in web pages, SRI (Subresource Integrity) allows declaring resource hashes in HTML. The browser verifies the hash on load; if the CDN is tampered with, the browser refuses to load the resource:

<!-- SRI: Browser verifies the hash before executing -->
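The npm `integrity` field above and the SRI `integrity` attribute use the same encoding, `<algorithm>-<Base64 digest>`, so one added Python example (not code from the original post) serves both sections: it builds such values, parses an attribute that may list several hashes, and checks content against it using SRI's rule that only the strongest listed algorithm counts. The script body, the tarball bytes and the `https://cdn.example/lib.js` URL are constructed for the example.

```python
import base64
import hashlib
import hmac

# Added example (not from the original post): build and check integrity strings
# in the format shared by SRI attributes and npm's package-lock "integrity"
# field, i.e. "<alg>-<base64 digest>". Sample data is constructed.

# Ordered weakest to strongest, the ranking the SRI spec uses.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def make_integrity(data: bytes, algorithm: str = "sha384") -> str:
    """Return '<alg>-<base64 digest>' for data (npm uses sha512, SRI commonly sha384)."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(value: str) -> dict[str, list[bytes]]:
    """Parse a space-separated integrity value into {alg: [digests]}.

    Unknown algorithms and undecodable tokens are skipped, which is what
    browsers do; an optional '?options' suffix after the digest is ignored.
    """
    parsed: dict[str, list[bytes]] = {}
    for token in value.split():
        alg, sep, rest = token.partition("-")
        if not sep or alg not in SRI_ALGORITHMS:
            continue
        b64 = rest.split("?", 1)[0]
        try:
            digest = base64.b64decode(b64, validate=True)
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
        if len(digest) != hashlib.new(alg).digest_size:
            continue
        parsed.setdefault(alg, []).append(digest)
    return parsed


def verify_integrity(data: bytes, value: str) -> bool:
    """Check data against an integrity value with SRI's selection rule.

    When several algorithms are listed, only the strongest one counts, and the
    data matches if it equals any digest given for that algorithm. An empty or
    unusable value is treated as a failure here; note that a browser would
    instead load the resource as if no integrity attribute were present.
    """
    parsed = parse_integrity(value)
    if not parsed:
        return False
    strongest = max(parsed, key=SRI_ALGORITHMS.index)
    actual = hashlib.new(strongest, data).digest()
    return any(hmac.compare_digest(actual, d) for d in parsed[strongest])


def sri_script_tag(src: str, data: bytes) -> str:
    """Emit a <script> tag pinned to the content you reviewed.

    crossorigin="anonymous" is required for SRI checks on cross-origin resources.
    """
    return (f'<script src="{src}" integrity="{make_integrity(data, "sha384")}" '
            'crossorigin="anonymous"></script>')


# Constructed stand-ins: a tiny "CDN script" and an npm tarball payload.
SCRIPT_BODY = b"console.log('hello from the CDN');\n"
TARBALL_BYTES = b"not a real tarball, just bytes standing in for some-package-1.0.0.tgz"

if __name__ == "__main__":
    print(sri_script_tag("https://cdn.example/lib.js", SCRIPT_BODY))
    print('"integrity":', make_integrity(TARBALL_BYTES, "sha512"))
    print(verify_integrity(SCRIPT_BODY, make_integrity(SCRIPT_BODY)))   # True
```

The one behavioural difference worth remembering is in `verify_integrity`: a lock file should fail closed on a missing or malformed integrity value, whereas a browser treats an attribute it cannot parse as absent and loads the resource anyway, so a typo in the attribute silently removes the protection.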

Building a Verification Habit

Verifying file integrity should not be occasional; it should be habitual: always verify SHA256 when downloading OS ISOs; verify GPG signatures when downloading from non-official mirrors; hash-lock all external dependencies in CI/CD; for production systems, incorporate hash verification into deployment processes. These habits effectively reduce the risk of supply chain attacks.
