Download Kali Linux Images Securely

[full_width]

When you download an image, be sure to download the SHA1SUMS and SHA1SUMS.gpg files that are next to the downloaded image (i.e. in the same directory on the Kali Linux Download Server). Before verifying the checksums of the image, you must ensure that the SHA1SUMS file is the one generated by Kali. That’s why the file is signed by Kali’s official key with a detached signature in SHA1SUMS.gpg. Kali’s official key can be downloaded like so:

$ wget -q -O - https://www.kali.org/archive-key.asc | gpg --import
# or...
$ gpg --keyserver hkp://keys.gnupg.net --recv-key 7D8D0BF6
# ...and verify that the displayed fingerprint matches the one below
$ gpg --list-keys --with-fingerprint 7D8D0BF6
pub 4096R/7D8D0BF6 2012-03-05 [expires: 2018-02-02]
Key fingerprint = 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6
uid Kali Linux Repository <devel@kali.org>
sub 4096R/FC0D0DCB 2012-03-05 [expires: 2018-02-02]

Once you have downloaded both SHA1SUMS and SHA1SUMS.gpg, you can verify the signature as follows:

$ gpg --verify SHA1SUMS.gpg SHA1SUMS
gpg: Signature made Thu Mar 7 21:26:40 2013 CET using RSA key ID 7D8D0BF6
gpg: Good signature from "Kali Linux Repository <devel@kali.org>"

If you don’t get that “Good signature” message or if the key ID doesn’t match, then you should stop the process and review whether you downloaded the images from a legitimate Kali mirror.

Want an Updated or Custom Kali Image ?

Feeling a little more adventurous? Want to build the latest version of Kali? Want to customize your ISO? Looking for KDE, LXDE, MATE, XFCE and other customizations? This is the option for you. With everything set up correctly, the basic process is as simple as:

apt-get install git live-build cdebootstrap
git clone git://git.kali.org/live-build-config.git
cd live-build-config
./build.sh --distribution kali-rolling --verbose