Writing an ISO to a USB drive using dd is a bit-for-bit process. However, hardware glitches or "silent" bit rot can occur. This guide ensures your installation media is an exact, untampered match of the source.
Warning: Do not hash the entire drive device (e.g., /dev/sdb). You must limit the read to the exact size of the ISO file to ignore empty trailing space.
Phase 1: General SHA256 Verification
This method works for any Linux distribution (Ubuntu, Fedora, Debian, etc.) to ensure the write was successful.
```sh
# 1. Get the local file hash
sha256sum your-distro.iso
# 2. Read the exact byte-count from the USB and hash it
sudo head -c "$(stat -c %s your-distro.iso)" /dev/sdb | sha256sum
```
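The Phase 1 check wrapped into one function, as an added example that is not part of the original guide: it hashes only the first ISO-size bytes of the media, rejects a target too small to hold the image, and can optionally compare the ISO against a published checksum. The names `verify_media`, `media_hash` and the script name are assumptions; it relies on GNU `stat` and util-linux `blockdev`.

```sh
#!/bin/sh
# Added example. verify_media ISO DEVICE [PUBLISHED_SHA256]
# Returns 0 = media matches, 1 = hash mismatch, 2 = unreadable or truncated.

media_hash() {                       # SHA256 of the first $2 bytes of $1
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

verify_media() {
    iso=$1 dev=$2 published=${3:-}
    if [ ! -r "$iso" ] || [ ! -r "$dev" ]; then
        echo "cannot read '$iso' or '$dev' (root is needed for raw devices)" >&2
        return 2
    fi
    size=$(stat -c %s "$iso")

    # A target smaller than the ISO can never hold a complete copy.
    if [ -b "$dev" ]; then
        dev_size=$(blockdev --getsize64 "$dev")
    else
        dev_size=$(stat -c %s "$dev")    # regular file, e.g. a test image
    fi
    if [ "$dev_size" -lt "$size" ]; then
        echo "media holds $dev_size bytes, ISO is $size bytes" >&2
        return 2
    fi

    iso_hash=$(sha256sum "$iso" | cut -d' ' -f1)
    # Optional: pin the ISO to the checksum published by the distro first.
    if [ -n "$published" ] && [ "$iso_hash" != "$published" ]; then
        echo "ISO does not match the published checksum" >&2
        return 1
    fi

    dev_hash=$(media_hash "$dev" "$size")
    if [ "$iso_hash" != "$dev_hash" ]; then
        echo "MISMATCH iso=$iso_hash media=$dev_hash" >&2
        return 1
    fi
    echo "OK $iso_hash"
}

# Run as: sudo sh verify_media.sh your-distro.iso /dev/sdb [published-sha256]
if [ "$#" -ge 2 ]; then verify_media "$@"; fi
```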
Quick Tip: Web Verification
To double-check the legitimacy of the hash itself, copy the resulting SHA256 string and search for it on Google/DuckDuckGo inside quotation marks:
"a1b2c3d4e5f6g7h8i9j0..."
If the hash appears on official mailing lists, GitHub releases, or the distro’s website, you can be confident the file is genuine.
Phase 2: Qubes OS PGP Authenticity
For Qubes OS, verifying the PGP signature is critical. This confirms the ISO was signed by the Qubes developers and has not been altered since.
```sh
# 1. Fetch the Qubes Master Signing Key
gpg --recv-keys 0x427F11FD0FAA4B080123F059DDFA1D3E36879494
# 2. Pipe USB data into GPG verification
#    (the release signing key that produced the .asc must also be in your keyring)
sudo head -c "$(stat -c %s Qubes-R4.3.0-x86_64.iso)" /dev/sdb | gpg --verify Qubes-R4.3.0-x86_64.iso.asc -
```
Look for: "gpg: Good signature from 'Qubes OS Release 4 Signing Key'".
| Verification Type | Detects... | Trust Source |
|---|---|---|
| SHA256 (Hash) | Accidental Corruption | Website Checksum / Web Search |
| PGP (Signature) | Malicious Tampering | Developer Private Key |
Ensure /dev/sdb is unmounted before beginning verification.