Authentication issue with LMDE2

Questions about Grub, the liveCD and the installer
Forum rules
Before you post please read how to get help
Bobo-the-Cat
Level 2
Level 2
Posts: 91
Joined: Tue Jun 03, 2008 1:03 pm

Authentication issue with LMDE2

Postby Bobo-the-Cat » Tue Mar 21, 2017 5:29 pm

Hi. Despite being a technical person, I never seem to be able to understand the authentication instructions for downloaded files. One concern I have is that the shasum files cannot be downloaded and therefore the contents have to be cut and pasted - surely this leads to errors. Please see below my attempt at this. The instructions do not mention what to do if you get the message "no ultimately trusted keys found" The initial checksum check produces a correct answer. I downloaded two identical files from different mirrors at different times and did a diff and they are identical. So is this OK or not? If not what do I do now?

mntuser@INSP530 ~/Desktop/LMDE ISO $ sha256sum -b *.iso
f5bd84c2fe3c097c1f969f9b842b3e7b575be7a6515d9c41b1554941c1598a4d *lmde-2-201701-cinnamon-64bit.iso
mntuser@INSP530 ~/Desktop/LMDE ISO $ gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"
gpg: requesting key A25BAE09 from hkp server keyserver.ubuntu.com
gpg: key A25BAE09: public key "Linux Mint ISO Signing Key <root@linuxmint.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
mntuser@INSP530 ~/Desktop/LMDE ISO $ gpg --keyserver keyserver.ubuntu.com --recv-key A25BAE09
gpg: requesting key A25BAE09 from hkp server keyserver.ubuntu.com
gpg: key A25BAE09: "Linux Mint ISO Signing Key <root@linuxmint.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
mntuser@INSP530 ~/Desktop/LMDE ISO $ gpg --list-key --with-fingerprint A25BAE09
pub 4096R/A25BAE09 2016-06-07
Key fingerprint = 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09
uid Linux Mint ISO Signing Key <root@linuxmint.com>

mntuser@INSP530 ~/Desktop/LMDE ISO $ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Fri 10 Mar 2017 19:36:25 GMT using RSA key ID A25BAE09
gpg: BAD signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"
mntuser@INSP530 ~/Desktop/LMDE ISO $ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Fri 10 Mar 2017 19:36:25 GMT using RSA key ID A25BAE09
gpg: BAD signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"
mntuser@INSP530 ~/Desktop/LMDE ISO $ ls -l
total 1479308
-rw------- 1 mntuser mntuser 1514799104 Mar 16 16:47 lmde-2-201701-cinnamon-64bit.iso
-rw-r--r-- 1 mntuser mntuser 777 Mar 21 21:03 sha256sum.txt
-rw-r--r-- 1 mntuser mntuser 820 Mar 21 21:01 sha256sum.txt.gpg
mntuser@INSP530 ~/Desktop/LMDE ISO $

User avatar
richyrich
Level 18
Level 18
Posts: 8677
Joined: Mon May 04, 2009 8:31 pm

Re: Authentication isssue with LMDE2

Postby richyrich » Tue Mar 21, 2017 5:59 pm

f5bd84c2fe3c097c1f969f9b842b3e7b575be7a6515d9c41b1554941c1598a4d *lmde-2-201701-cinnamon-64bit.iso

Looks like you have a match ! :)

Ref: ftp://ftp.heanet.ie/pub/linuxmint.com/debian/sha256sum.txt

Bobo-the-Cat
Level 2
Level 2
Posts: 91
Joined: Tue Jun 03, 2008 1:03 pm

Re: Authentication isssue with LMDE2

Postby Bobo-the-Cat » Tue Mar 21, 2017 6:05 pm

Hi - yes but the signature is bad. So which method wins?

Bobo-the-Cat
Level 2
Level 2
Posts: 91
Joined: Tue Jun 03, 2008 1:03 pm

Re: Authentication issue with LMDE2

Postby Bobo-the-Cat » Wed Mar 29, 2017 2:53 pm

I have done this check again today re-copying the sha256sum.txt.gpg file, and although the integrity is OK - I am quite clearly getting a bad signature. So now I can't install this. Is anyone going to fix this or am I raising this in the wrong board?:

mntuser@INSP530 ~/Desktop/LMDE ISO $ sha256sum -b *.iso
f5bd84c2fe3c097c1f969f9b842b3e7b575be7a6515d9c41b1554941c1598a4d *lmde-2-201701-cinnamon-64bit.iso
mntuser@INSP530 ~/Desktop/LMDE ISO $ gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"
gpg: requesting key A25BAE09 from hkp server keyserver.ubuntu.com
gpg: key A25BAE09: "Linux Mint ISO Signing Key <root@linuxmint.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
mntuser@INSP530 ~/Desktop/LMDE ISO $ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Fri 10 Mar 2017 19:36:25 GMT using RSA key ID A25BAE09
gpg: BAD signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"
mntuser@INSP530 ~/Desktop/LMDE ISO $ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Fri 10 Mar 2017 19:36:25 GMT using RSA key ID A25BAE09
gpg: BAD signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"
mntuser@INSP530 ~/Desktop/LMDE ISO $

User avatar
Fred Barclay
Level 11
Level 11
Posts: 3963
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: Authentication issue with LMDE2

Postby Fred Barclay » Wed Mar 29, 2017 6:07 pm

Bobo-the-Cat wrote:So now I can't install this.

That's a good call on your part and better than what we sometimes see here. :(

I think you might be using the wrong GPG key, though. For the old LMDE 2 images, Clem signed 'em with a key with this fingerprint: A25BAE09.
Perhaps he's used the same key for the new images?
(https://fred-barclay.github.io/VerifyLinuxMint/)

Could you try this?

Code: Select all

gpg --keyserver keyserver.ubuntu.com --recv-key "E1A3 8B8F 1446 75D0 60EA 666F 3EE6 7F3D 0FF4 05B2"
 gpg --verify sha256sum.txt.gpg sha256sum.txt
Image
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

Bobo-the-Cat
Level 2
Level 2
Posts: 91
Joined: Tue Jun 03, 2008 1:03 pm

Re: Authentication issue with LMDE2

Postby Bobo-the-Cat » Wed Mar 29, 2017 6:24 pm

Fred, Thanks. I believe I used the new 2017 ISO and the new authenticity checking files. The output from your suggestion is:

mntuser@INSP530 ~/Desktop/LMDE ISO $ gpg --keyserver keyserver.ubuntu.com --recv-key "E1A3 8B8F 1446 75D0 60EA 666F 3EE6 7F3D 0FF4 05B2"
gpg: requesting key 0FF405B2 from hkp server keyserver.ubuntu.com
gpg: key 0FF405B2: "Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
mntuser@INSP530 ~/Desktop/LMDE ISO $ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Fri 10 Mar 2017 19:36:25 GMT using RSA key ID A25BAE09
gpg: BAD signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"
mntuser@INSP530 ~/Desktop/LMDE ISO $

User avatar
clem
Level 12
Level 12
Posts: 4007
Joined: Wed Nov 15, 2006 8:34 am
Contact:

Re: Authentication issue with LMDE2

Postby clem » Wed Mar 29, 2017 8:27 pm

Your commands look correct but you didn't mention where you got the sha256 sums.

Code: Select all

clem@xxx ~/TEST $ wget https://ftp.heanet.ie/mirrors/linuxmint.com/debian/sha256sum.txt
--2017-03-30 01:23:24--  https://ftp.heanet.ie/mirrors/linuxmint.com/debian/sha256sum.txt
Resolving ftp.heanet.ie (ftp.heanet.ie)... 193.1.193.64, 2001:770:18:aa40::c101:c140
Connecting to ftp.heanet.ie (ftp.heanet.ie)|193.1.193.64|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 776 [text/plain]
Saving to: 'sha256sum.txt'

sha256sum.txt                      100%[===============================================================>]     776  --.-KB/s    in 0s     

2017-03-30 01:23:25 (90.0 MB/s) - 'sha256sum.txt' saved [776/776]

clem@xxx ~/TEST $ wget https://ftp.heanet.ie/mirrors/linuxmint.com/debian/sha256sum.txt.gpg
--2017-03-30 01:23:31--  https://ftp.heanet.ie/mirrors/linuxmint.com/debian/sha256sum.txt.gpg
Resolving ftp.heanet.ie (ftp.heanet.ie)... 193.1.193.64, 2001:770:18:aa40::c101:c140
Connecting to ftp.heanet.ie (ftp.heanet.ie)|193.1.193.64|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 819 [text/plain]
Saving to: 'sha256sum.txt.gpg'

sha256sum.txt.gpg                  100%[===============================================================>]     819  --.-KB/s    in 0s     

2017-03-30 01:23:31 (79.9 MB/s) - 'sha256sum.txt.gpg' saved [819/819]

clem@xxx ~/TEST $ gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09"
gpg: requesting key A25BAE09 from hkp server keyserver.ubuntu.com
gpg: key A25BAE09: "Linux Mint ISO Signing Key <root@linuxmint.com>" 14 new signatures
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:         new signatures: 14
clem@xxx ~/TEST $
clem@xxx ~/TEST $ gpg --list-key --with-fingerprint A25BAE09
pub   4096R/A25BAE09 2016-06-07
      Key fingerprint = 27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09
uid                  Linux Mint ISO Signing Key <root@linuxmint.com>

clem@xxx ~/TEST $ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Fri Mar 10 19:36:25 2017 GMT using RSA key ID A25BAE09
gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09


The files on heanet match the signature.
Image

Bobo-the-Cat
Level 2
Level 2
Posts: 91
Joined: Tue Jun 03, 2008 1:03 pm

Re: Authentication issue with LMDE2

Postby Bobo-the-Cat » Thu Mar 30, 2017 1:29 pm

Hi Clem. I got the sums from the following link on the Linux Mint site:
1.https://www.linuxmint.com/edition.php?id=233
2. Click on "Don't forget to verify your ISO"
3. https://linuxmint.com/verify.php is displayed
4. Select LMDE button
5.Page with "How to verify ISO images is displayed" (same URL)
6. Click on each of the 2 "sha" file links - then cut and paste contents to files in the ISO directory I have created along with the ISO itself - which has already been downloaded

I have now tried from heanet and finally got a good signature - so the issue appears to be with the one that I was copying from the web page ( see link above). Thanks for your help.

User avatar
clem
Level 12
Level 12
Posts: 4007
Joined: Wed Nov 15, 2006 8:34 am
Contact:

Re: Authentication issue with LMDE2

Postby clem » Fri Mar 31, 2017 6:44 am

Cool. The page links to Heanet as well.

The issue might have been with the cut-n-paste. It's better to download the file (right-click -> download) or copy the link and wget it.
Image


Return to “Installation & Boot”