This url is on the main Xubuntu website, under "Xubuntu 24.04": click "Release page," then select United States. From there, you download the following files: SHA256SUMS, SHA256SUMS.gpg, xubuntu-24.04.3-desktop-amd64.iso
The output of the other checksum commands is shown here:
[user@host]$ gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 07 Aug 2025 06:05:22 AM CDT
gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Can't check signature: No public key
[user@host]$ sha256sum --check SHA256SUMS
xubuntu-24.04.3-desktop-amd64.iso: OK
(output omitted for results of Xubuntu minimal version, which was not downloaded)
The checksum is a cryptographic hash generated from the ISO file's contents. While the checksum for a specific, unchanged ISO file is fixed, the checksum that is published on a website could be deliberately altered by an attacker to hide a modified, malicious ISO.
This url is on the main Xubuntu website, under "Xubuntu 24.04": click "Release page," then select United States. From there, you download the following files: SHA256SUMS, SHA256SUMS.gpg, xubuntu-24.04.3-desktop-amd64.iso
The output of the other checksum commands is shown here:
[user@host]$ gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 07 Aug 2025 06:05:22 AM CDT
gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Can't check signature: No public key
[user@host]$ sha256sum --check SHA256SUMS
xubuntu-24.04.3-desktop-amd64.iso: OK
(output omitted for results of Xubuntu minimal version, which was not downloaded)
The checksum is a cryptographic hash generated from the ISO file's contents. While the checksum for a specific, unchanged ISO file is fixed, the checksum that is published on a website could be deliberately altered by an attacker to hide a modified, malicious ISO.