Writing an ISO to a USB drive with dd is a bit-for-bit copy, but hardware glitches or "silent" bit rot can still corrupt the result. This guide shows how to confirm that your installation media is an exact, untampered match of the source.
Warning: Do not hash the entire drive device (e.g., /dev/sdb). You must limit the read to the exact size of the ISO file to ignore empty trailing space.
Phase 1: General SHA256 Verification
This method works for any Linux distribution (Ubuntu, Fedora, Debian, etc.) to ensure the write was successful.
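```bash
# 1. Get the local file hash
sha256sum your-distro.iso
# 2. Read the exact byte count from the USB drive and hash it
#    (quoting the substitution keeps the command intact if the path contains spaces)
sudo head -c "$(stat -c %s your-distro.iso)" /dev/sdb | sha256sum
```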
Quick Tip: Web Verification
To double-check the legitimacy of the hash itself, copy the resulting SHA256 string and search for it on Google/DuckDuckGo inside quotation marks:
"3a4c9877b483ab46d7c3fbe165a0db275e1ae3cfe56a5657e5a47c2f99a99d1e"
If the hash appears on official mailing lists, GitHub releases, or the distro’s website, you can be confident the file is genuine.
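The two Phase 1 steps and the size warning above, combined into one check (an added example, not part of the original guide). `verify_media` and its argument order are names chosen here; it assumes GNU coreutils and, for a real drive, `blockdev` from util-linux run as root:

```bash
#!/bin/sh
# Added example. verify_media is a name chosen for this sketch.
# Usage: verify_media IMAGE TARGET [PUBLISHED_SHA256]
#   TARGET is the written drive (e.g. /dev/sdb, run as root) or a regular
#   file standing in for one. Returns 0 only if every check passes.
verify_media() (
    image=$1 target=$2 published=$3

    size=$(stat -c %s -- "$image") || return 2
    if [ -b "$target" ]; then
        capacity=$(blockdev --getsize64 "$target") || return 2
    else
        capacity=$(stat -c %s -- "$target") || return 2
    fi
    # A drive smaller than the image cannot hold a complete copy; head would
    # return a short read and the mismatch would be harder to explain.
    if [ "$capacity" -lt "$size" ]; then
        echo "FAIL: $target holds $capacity bytes, image needs $size" >&2
        return 1
    fi

    img_hash=$(sha256sum -- "$image" | cut -d' ' -f1)
    if [ -n "$published" ]; then
        # Published checksums are sometimes upper-case; compare case-insensitively.
        published=$(printf '%s' "$published" | tr 'A-F' 'a-f')
        if [ "$published" != "$img_hash" ]; then
            echo "FAIL: $image does not match the published checksum" >&2
            return 1
        fi
    fi

    # Hash only the first $size bytes so trailing space on the drive is ignored.
    dev_hash=$(head -c "$size" -- "$target" | sha256sum | cut -d' ' -f1)
    if [ "$dev_hash" != "$img_hash" ]; then
        echo "FAIL: $target differs from $image" >&2
        return 1
    fi
    echo "OK: $target matches $image ($dev_hash)"
)

# Run directly: sh verify_media.sh your-distro.iso /dev/sdb [published-sha256]
if [ "$#" -ge 2 ]; then verify_media "$@"; fi
```

Checking the image against the published checksum before reading the drive avoids a slow full read of the USB stick when the download itself is already wrong.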
Phase 2: Qubes OS PGP Authenticity
For Qubes OS, verifying the PGP signature is critical. This confirms that the ISO was signed by the Qubes developers and has not been altered since.
```bash
# 1. Fetch the Qubes Master Signing Key
gpg --recv-keys 0x427F11FD0FAA4B080123F059DDFA1D3E36879494
# 2. Pipe the USB data into GPG verification ("-" makes gpg read the signed data from stdin)
sudo head -c "$(stat -c %s Qubes-R4.3.0-x86_64.iso)" /dev/sdb | gpg --verify Qubes-R4.3.0-x86_64.iso.asc -
```
Look for: "gpg: Good signature from 'Qubes OS Release 4 Signing Key'".
Compare your hashes to mine
| Image / ISO Name | SHA256 Checksum |
|---|---|
| Ubuntu 24.04.4 Desktop | 3a4c9877b483ab46d7c3fbe165a0db275e1ae3cfe56a5657e5a47c2f99a99d1e |
| Ubuntu 24.04.3 Desktop | faabcf33ae53976d2b8207a001ff32f4e5daae013505ac7188c9ea63988f8328 |
| Ubuntu 24.04.3 Live Server | c3514bf0056180d09376462a7a1b4f213c1d6e8ea67fae5c25099c6fd3d8274b |
| Qubes OS R4.3.0 | 29b3e8f26f709c9b8a76ecc0f787feddf34383fece74f2d068908cba7a7e9998 |
| Tails 7.5 (IMG) | c805de0c57b7b8bdec67d41e3432aca5a12ebae44a51cc320a7dc602a83005d0 |
| Windows 11 25H2 | d141f6030fed50f75e2b03e1eb2e53646c4b21e5386047cb860af5223f102a32 |
Raw Terminal Audit Log:
```
# pc@ubuntu:~/os/
faabcf33ae53976d2b8207a001ff32f4e5daae013505ac7188c9ea63988f8328 ubuntu-24.04.3-desktop-amd64.iso
c3514bf0056180d09376462a7a1b4f213c1d6e8ea67fae5c25099c6fd3d8274b ubuntu-24.04.3-live-server-amd64.iso
3a4c9877b483ab46d7c3fbe165a0db275e1ae3cfe56a5657e5a47c2f99a99d1e ubuntu-24.04.4-desktop-amd64.iso
d141f6030fed50f75e2b03e1eb2e53646c4b21e5386047cb860af5223f102a32 Win11_25H2_English_x64.iso
c805de0c57b7b8bdec67d41e3432aca5a12ebae44a51cc320a7dc602a83005d0 tails-amd64-7.5.img
29b3e8f26f709c9b8a76ecc0f787feddf34383fece74f2d068908cba7a7e9998 Qubes-R4.3.0-x86_64.iso
```
| Verification Type | Detects... | Trust Source |
|---|---|---|
| SHA256 (Hash) | Accidental Corruption | Website Checksum / Web Search |
| PGP (Signature) | Malicious Tampering | Developer Private Key |
Ensure /dev/sdb is unmounted before beginning verification.