Software integrity

Software artifacts distributed by Ubuntu use digital signatures and other technical controls for integrity verification, protecting against the delivery of forged replacements. These mechanisms usually run automatically, but we recommend manual verification when you directly download artifacts using an HTTP or FTP client (such as a browser).

Warning

Check your installation media

If you download installation media, we strongly recommend performing an integrity check, even if you used a TLS-protected channel. The download workflow can’t automatically perform this test for you.

This section documents the integrity protections employed for various types of software artifacts. It’s important to understand the configuration and the established chain of trust to reduce the likelihood of malicious or inadvertent tampering.

Ubuntu image integrity verification

• Ubuntu image integrity verification
  • Step 1. Download verification public key
  • Step 2. Verify public key authenticity
  • Step 3. Validate downloaded image
  • Step 4. Sign verification key for future validation

Ubuntu archive integrity verification

• Ubuntu archive integrity verification
  • Automatic verification
  • Signature scheme