Verify an image checksum
For every Ubuntu cloud image, Canonical provides a corresponding SHA256 checksum. These checksums help confirm that the image you have downloaded is not corrupted and that it is an authentic image that hasn’t been tampered with.
You can use the provided checksums to verify the authenticity of your downloaded image. These steps can be used to verify other related files too, such as changelog files, tarballs and manifests.
Install the necessary packages
You’ll need the sha256sum, md5sum and gpg tools. Depending on your OS, they may or may not be installed by default:
On Ubuntu, these are part of the coreutils and gnupg packages, which are installed by default.
On macOS, install the latest GnuPG and coreutils using Homebrew:
brew install gnupg coreutils
If you are using Ubuntu on WSL, these tools are part of the default install.
Verify the installed packages
gpg --list-keys
md5sum --version
sha256sum --version
Download the relevant file and keys
For the cloud image (.img file) that you have downloaded, make sure that you have also downloaded SHA256SUMS and SHA256SUMS.gpg to the same local directory. You can find these files at https://cloud-images.ubuntu.com.
The following commands assume that all three files are in the current working directory.
Check if you have the public key
gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
If the public keys aren’t present in your system, you will get an error message similar to:
gpg: Signature made Tue Sep 30 13:04:34 2025 EDT
gpg: using RSA key D2EB44626FDDC30B513D5BB71A5D6C4C7DB87C81
gpg: Can't check signature: No public key
Here, D2EB44626FDDC30B513D5BB71A5D6C4C7DB87C81 is the ID (the full fingerprint) of the signing key used by Ubuntu.
You can use that ID to get the public keys from the Ubuntu key server:
gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys D2EB44626FDDC30B513D5BB71A5D6C4C7DB87C81
You can inspect the key fingerprints by running:
gpg --keyid-format long --list-keys --with-fingerprint D2EB44626FDDC30B513D5BB71A5D6C4C7DB87C81
This should produce output similar to:
pub rsa4096/1A5D6C4C7DB87C81 2009-09-15 [SC]
Key fingerprint = D2EB 4462 6FDD C30B 513D 5BB7 1A5D 6C4C 7DB8 7C81
uid [ unknown] UEC Image Automatic Signing Key <[email protected]>
Verify the checksum and image
Now that you have the required tools and keys, you can:
1. Verify that the checksum file is authentic, and
2. Generate a checksum of the cloud image (.img file) and match it with the authenticated checksum file
Verify the checksum file
Run:
gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
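In the output, you should see something like the following. The "Good signature" line confirms that SHA256SUMS was signed by the key shown; the WARNING only means that you have not marked this key as trusted in your local keyring, so check that the primary key fingerprint matches the one listed above: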
gpg: Signature made Tue Sep 30 13:04:34 2025 EDT
gpg: using RSA key D2EB44626FDDC30B513D5BB71A5D6C4C7DB87C81
gpg: Good signature from "UEC Image Automatic Signing Key <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: D2EB 4462 6FDD C30B 513D 5BB7 1A5D 6C4C 7DB8 7C81
Verify the cloud image (.img file)
Now that you have an authentic checksum file, generate a SHA256 checksum of the image and compare it with the authenticated checksum file:
Warning
Make sure you preserve the original filename of the downloaded cloud image (.img file).
sha256sum -c SHA256SUMS 2>&1 | grep OK
The output should look similar to:
questing-server-cloudimg-amd64.img: OK
If you have the corresponding manifests, changelogs or any other relevant files, they’ll be verified too, as long as they are in the same working directory. Their verification output will look something like:
questing-server-cloudimg-amd64-root.manifest: OK
questing-server-cloudimg-amd64.img: OK
questing-server-cloudimg-amd64.daily.20250921.20250926.image_changelog.json: OK
questing-server-cloudimg-amd64-lxd.tar.xz: OK
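As an added example (not part of the original page or Canonical's tooling), here are the same two checks in a form a script can rely on. It requires gpg's machine-readable GOODSIG and VALIDSIG status for the fingerprint shown above, and it returns a non-zero status on a checksum mismatch, which `grep OK` would filter out of view. The function names are hypothetical, and GNU sha256sum and gpg are assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: scripted form of the manual checks on this page.
# Function names are hypothetical; the fingerprint is the one shown on this page.
PINNED_FPR=D2EB44626FDDC30B513D5BB71A5D6C4C7DB87C81

# Reads `gpg --status-fd 1 --verify ...` output on stdin. Succeeds only if gpg
# reported GOODSIG and a VALIDSIG whose primary-key fingerprint (last field)
# is the pinned one. gpg also emits VALIDSIG alongside EXPKEYSIG or REVKEYSIG,
# so VALIDSIG alone is not enough.
signed_by_pinned_key() {   # $1 = expected primary-key fingerprint
    awk -v fpr="$1" '
        $1 != "[GNUPG:]"               { next }
        $2 == "GOODSIG"                { good = 1 }
        $2 == "VALIDSIG" && $NF == fpr { valid = 1 }
        END { exit !(good && valid) }'
}

# Checks one named file against its own line in the checksum file.
# Returns 2 if the file is not listed, non-zero on mismatch, 0 on match.
verify_image() {   # $1 = file name, $2 = checksum file
    vi_line=$(awk -v f="$1" '$2 == f || $2 == "*" f' "$2")
    if [ -z "$vi_line" ]; then
        echo "$1: not listed in $2" >&2
        return 2
    fi
    printf '%s\n' "$vi_line" | sha256sum -c -
}

# Signature first, then the image; any failure gives a non-zero status.
verify_download() {   # $1 = image file name in the current directory
    if ! gpg --status-fd 1 --verify SHA256SUMS.gpg SHA256SUMS 2>/dev/null \
            | signed_by_pinned_key "$PINNED_FPR"; then
        echo "SHA256SUMS: not signed by $PINNED_FPR" >&2
        return 1
    fi
    verify_image "$1" SHA256SUMS
}

# Usage: verify_download questing-server-cloudimg-amd64.img
```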
Additional Reading
For more information, you can check out the following resources