Download Kali Linux Images Securely

When you download an image, be sure to download the SHA256SUMS and SHA256SUMS.gpg files that are next to the downloaded image (i.e. in the same directory on the Kali Linux Download Server). Before verifying the checksums of the image, you must ensure that the SHA256SUMS file is the one generated by Kali. That’s why the file is signed by Kali’s official key with a detached signature in SHA256SUMS.gpg. Kali’s official key can be downloaded like so:

$ wget -q -O - https://archive.kali.org/archive-key.asc | gpg --import
# or...
$ gpg --keyserver hkps://keys.openpgp.org --recv-key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
# ...and verify that the displayed fingerprint matches the one below
$ gpg --fingerprint 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
pub rsa4096 2012-03-05 [SC] [expires: 2021-02-03]
44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6
uid [ unknown] Kali Linux Repository <devel@kali.org>
sub rsa4096 2012-03-05 [E] [expires: 2021-02-03]

Once you have downloaded both SHA256SUMS and SHA256SUMS.gpg, you can verify the signature as follows:

$ wget -q https://cdimage.kali.org/current/SHA256SUMS{.gpg,}
$ gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Tue 17 Nov 2020 15:39:09 GMT
gpg:                using RSA key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
gpg: Good signature from "Kali Linux Repository <devel@kali.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 44C6 513A 8E4F B3D3 0875  F758 ED44 4FF0 7D8D 0BF6

If you don’t get that “Good signature” message or if the key ID doesn’t match, then you should stop the process and review whether you downloaded the images from a legitimate Kali mirror.


Updated on: 2021-Jul-14
Author: daniruiz