Downloads and Validation

Official ISO Sources

CachyOS ISO can be obtained from the following sources:

• Website
• SourceForge
• CachyOS Mirror

Verifying ISO Integrity with SHA256

Caution

Always take the extra step of verifying the ISO’s integrity to avoid any undesired issues during installation or while creating a bootable medium.

Current ISO Version: 260308

SHA256 Hash: 69f1ffbded158d4d95e6567e994b1813d0d040d323742aef9f489a0b71ad1d29

Windows

1. Download the file containing the SHA256 hash (Open it with a text editor, e.g., Notepad).
2. Open CMD or PowerShell as Administrator and navigate to the path where the ISO and SHA256 files are stored.
3. Execute the following command:

   # Example:
   certUtil -hashfile cachyos-desktop-linux-260308.iso SHA256

4. Compare the certUtil hash output to the one from the downloaded file in Step 1. If they match, you may proceed with the CachyOS installation.

Linux

1. Download the file containing the SHA256 hash.
2. Open a terminal, navigate to the directory containing both the .sha256 and .iso file.
3. Execute the following commands:

   # Example:
   cd ~/Downloads
   sha256sum -c cachyos-desktop-linux-260308.iso.sha256
   # cachyos-desktop-linux-260308.iso: OK

4. If the output from Step 3 is OK, you may proceed with the CachyOS installation.

macOS

1. Download the file containing the SHA256 hash.
2. Open a terminal, navigate to the directory containing the .sha256 file, and execute the following commands:

   # Example:
   cd Downloads/
   cat cachyos-desktop-linux-260308.iso.sha256
   # 69f1ffbded158d4d95e6567e994b1813d0d040d323742aef9f489a0b71ad1d29

3. Compare the output from Step 2 to the ISO file’s hash:

   # Example:
   shasum -a 256 cachyos-desktop-linux-260308.iso

4. If the hashes from Step 2 and Step 3 match, you may proceed with the CachyOS installation.

Verify ISO Image Authenticity (Linux)

To verify the authenticity of the ISO file:

1. Import the GPG key as a reference to compare against:

   gpg --keyserver hkps://keys.openpgp.org --recv-key F3B607488DB35A47

2. Download the ISO file and its .sig signature file and run the following command (replace full_iso_name.iso with the actual ISO filename):

   gpg --verify full_iso_name.iso.sig full_iso_name.iso

   If you get a Good signature output, the ISO file is genuine:

   gpg: Signature made dom 08 mar 2026 10:39:18 -03
   gpg:                using RSA key 882DCFE48E2051D48E2562ABF3B607488DB35A47
   gpg: Good signature from "CachyOS <admin@cachyos.org>" [unknown]
   gpg: WARNING: This key is not certified with a trusted signature!
   gpg:          There is no indication that the signature belongs to the owner.
   Primary key fingerprint: 882D CFE4 8E20 51D4 8E25  62AB F3B6 0748 8DB3 5A47

Danger

If the output does not return a Good signature string or the key ID does not match, don’t use the ISO image. A bad signature suggests that the ISO has been tampered with or has been corrupted.

Make sure that the downloaded image comes from a legitimate CachyOS source.