# Ubuntu – How to verify .iso from https://www.ubuntu.com (Official Site) from OS X mac

16.04isomacmacosxsoftware installation

A barrage of verification questions:

The only other question I saw was regarding a torrented .iso. I got mine from https://www.ubuntu.com (Official Site)

My questions:

1. Do I need truly need verify if it is from the official site? What's the risk?

2. Don't have gpg command on a mac; can I skip this step?

3. Did a 256 checksum of my .iso and it did not match the one hosted @ https://www.ubuntu.com/download/how-to-verify… What!? – Re-Downloading to double check…

UPDATE / SOLVED:

This time my SHA256 and GPG verification came out clean.

Here's what I learned:

Download the SHA256 files, don't just copy and paste into a new text file (this will corrupt the output of gpg).

I used curl -O http://releases.ubuntu.com/16.04/SHA256SUMS to download via terminal.

All you need is the SHA256SUMS AND SHA256SUMS.gpg not MD5 and SHA1 etc.

Then follow the steps outlined here: https://www.ubuntu.com/download/how-to-verify (and below if you don't have gpg installed on mac get homebrew package manager and run brew install gnupg

Do I need truly need verify if it is from the official site? What's the risk?

Well, dunno if you noticed, but http://releases.ubuntu.com/ isn't HTTPS. You could have easily downloaded from an impersonating webpage. However, using PGP signing lets you verify that the file is correct and from the Ubuntu team.

Don't have gpg command on a mac; can I skip this step?

Homebrew it: http://brewformulas.org/Gnupg. What's life on a Mac without homebrew or the like?

Did a 256 checksum of my .iso and it did not match the one hosted ...

Can't really say - was the file completely downloaded? Did it get corrupted somehow?