How to verify Linux Mint .iso file

Post by phd21 » Fri Jul 22, 2016 7:30 pm

Hi Everyone,

I know there are other posts on How to Verify a Linux Mint .iso file, including the Linux Mint website, but here are my instructions:

First, the Linux Mint team has gone through a lot of effort over the past months to make sure that their websites are more secure, and that the live installation editions of Linux Mint (as ".iso" disc image files) are safe for users to download, test drive, and then install.

It is for us users to decide if we want to verify that these live, "test drive", installation disc images of Linux Mint are actually safe to use, and/or to install. After what happened at the end of last year, and the beginning of this year (the cowardly malicious hacker attacks), it is not a bad idea to verify the file(s), even though all the tests being done recently, and in this post, are proving the Linux Mint download files to be safe.

AndyInMokum in another forum wrote: FYI: if you use a torrent client to download the ISO file, then security is built in to the downloading method ;).
https://forum.peppermintos.com/index.php?topic=3913.0

phd21 wrote: Caution: I do not know if downloading the Linux Mint Iso file using a torrent client and the Linux Mint Torrent Link means that you can skip the checksum verification process, or skip verifying the signing key signature process.

FYI: The Linux Mint "Torrent" link is available on the regular download web pages just above the part that states "Don't forget to verify your ISO".


In this tutorial, except for the last step #5, you can use desktop graphical programs to do any of these instructions without going to the console terminal command prompt, although I will provide instructions for both options.

You must first download a Linux Mint installation, "test drive", file (Linux Mint.iso), and the correct checksum files (sha256sum.txt and sha256sum.txt.gpg) for that edition and version of Linux Mint into the same folder (directory). The Linux Mint Verify link "https://linuxmint.com/verify.php" shows download mirror locations where the Linux Mint iso files and their checksum files, "sha256sum.txt" (checksum file) and "sha256sum.txt.gpg" (signing key file), are located, where anyone can download them. You can use the quicker link below this paragraph. Or, just click one of the mirror links, then click the "testing" folder for Linux Mint 18 (Beta version), or click "stable" for previous stable Linux Mint versions, and pick the version that you want to use, or are using (like version 17.3), and double click that, then you can click to download the checksum files, or right click then "save link as" to the same "/Downloads" folder. On this "Linux Mint Verify" page are the original Linux Mint team instructions for how to verify the .iso disc images, using the "Signing key for Linux Mint 18", or "Signing key for previous releases", see screenshot below.

Image

Here is a webpage link where you can just click the version of Linux Mint that you want to try or install, and then download (right click save link as, or save file as) the checksum files into the same folder as the "LinuxMint.iso" file. This web page link is called "Index of /pub/linuxmint/images/stable/"
http://mirror.jmu.edu/pub/linuxmint/images/stable/

or you can use the Download mirrors
Primary download mirror: https://ftp.heanet.ie/mrrors/linuxmint.com/
Other mirrors: https://linuxmint.com/mirrors.php

Index of /pub/linuxmint/images/
../
debian/ 14-Nov-2015 15:31 -
stable/ 30-Nov-2015 12:49 -
testing/ 07-Jun-2016 17:19 -

After clicking the "Stable" folder (directory), Index of "/pub/linuxmint/images/stable/"
13/ 21-Jul-2012 14:24 -
14/ 21-Dec-2012 14:37 -
15/ 18-Jul-2013 08:43 -
16/ 20-Dec-2013 14:14 -
17/ 13-Nov-2014 13:55 -
17.1/ 09-Jan-2015 14:11 -
17.2/ 04-Aug-2015 13:32 -
17.3/ 06-Jan-2016 16:09 -
18/ 28-Jun-2016 16:42 -

Then clicking the version number 18, the contents below shows up of "/pub/linuxmint/images/stable/18/"
linuxmint-18-cinnamon-32bit.iso 28-Jun-2016 14:41 1G
linuxmint-18-cinnamon-64bit.iso 28-Jun-2016 12:50 2G
linuxmint-18-mate-32bit.iso 28-Jun-2016 15:44 2G
linuxmint-18-mate-64bit.iso 28-Jun-2016 13:49 2G

sha256sum.txt (checksum file) 28-Jun-2016 16:32 384
sha256sum.txt.gpg (signing key signature file) 30-Jun-2016 11:16 819



Unfortunately, the process for completely verifying the integrity of the Linux Mint .iso file, or any other disc image file, is two-fold:
Verify the checksum values of the Linux Mint .iso file, and then verify the security Signing Key signature of the file.

If you want to use the console terminal command prompt instructions, then you must be in the correct folder (directory): Assuming that users download the live installation editions of Linux Mint into their "/Downloads" folder, then if you bring up a console terminal prompt from your menu, you can just type in "cd Downloads", hit "enter" to change directory (cd) and get into the "/Downloads" folder where you can run the various commands that have been shown in this post's thread. Or, you can bring up your file manager, browse to where you downloaded the Linux Mint disc image file (.iso), like "/Downloads", double click to go into the folder, right click somewhere, select "actions", "open terminal here".

Step 1: Verify (compare) the checksum values of the Linux Mint .iso file you downloaded

What is a Checksum and How to Calculate a Checksum
Checksums are used to ensure the integrity of a file after it has been transmitted from one storage device to another.
http://www.online-tech-tips.com/cool-websites/what-is-checksum/

Download the "MD5 & SHA Checksum Utility" for MS Windows
https://raylin.wordpress.com/downloads/md5-sha-1-checksum-utility/

1. Verifying (comparing) the "checksum" value of the LinuxMint.iso file you downloaded matches the "checksum" value in the "sha256sum.txt" checksum file that you also downloaded, is pretty easy. There are desktop applications for helping with this in all operating systems (Linux, MS Windows, & Mac) and you can also type in (or copy & paste from here) a console terminal command like that below on your downloaded Linux Mint disc image file (.iso) to get the checksum value.

Console terminal Method1: Easy - automatically verifies the checksum values for all Linux Mint .iso files in the download folder against the checksum values in the Linux Mint checksum file "sha256sum.txt", and just shows "ok" if the values match. You do not see the actual checksum values.

~/Downloads >sha256sum --check --ignore-missing sha256sum.txt


or
~/Downloads >sha256sum --check sha256sum.txt



Results Below:

linuxmint-18-cinnamon-32bit.iso: OK
linuxmint-18-kde-32bit.iso: OK
linuxmint-18-mate-32bit.iso: OK
linuxmint-18-xfce-32bit.iso: OK

If your Linux Mint iso file shows OK using the checksum verification method (console method 1) just described, or one of the other checksum methods below, where you visually compare the checksum values and they match, then you're done; OR, you can go to Step 2 if you want to also verify the security GPG Signing Key signature of the Linux Mint iso file, which is recommended.

Console terminal Method2: Specifying the linux mint iso file, then visually (manually) compare checksum values.
sha256sum -b linuxmint-18-cinnamon-64bit-beta.iso

Results below:
8a2d3a3276d36497470156063e02ba894d5b9d562a8edf856dd29ee479eb55c4 *linuxmint-18-cinnamon-64bit-beta.iso

OR for those "terminally" challenged: (people who do not like to use the console terminal command prompt)

Linux users can install and use the simple Linux desktop utility "GtkHash" from the Software Manager or Synaptic Package Manager (SPM), to easily browse to the "Linux Mint.iso" file, then click the "hash" button in the lower right to display the current checksum value of the Linux Mint .iso file you downloaded. Certain archiving programs like "PeaZip" (for Linux or MS Windows) also work great for this, and "7-Zip" Gui on MS Windows does too. There are other desktop applications for this in Linux, MS Windows, & Mac, search for "checksum program".

GtkHash_Checksum_Compare_Cinnamon18-sm.jpg


Then, open up the "sha256sum.txt" file that you downloaded from the Linux Mint website, and make sure the checksum values match. You can use your file manager and right click the file, and open with any text editor (open as a text file), or type in (or copy & paste from here) the terminal command below. The Linux Mint "sha256sum.txt" file shows all the checksum values for each edition and version of Linux Mint, and whether it is for 32-bit or 64-bit computers, and each has their own "checksum" value.

08-22-2016 Update: Here is another Linux checksum (hash checking) application:
MassHash
https://jdleicher.github.io/MassHash/#about

Image

The console terminal command below opens up, lists the content, of the Linux Mint "sha256sum.txt" file that you downloaded.
cat sha256sum.txt


"PeaZip" (archiving program) can easily be installed from the link below (click the easy to install Linux ".deb" file, or MS Windows users can use the link on top), and run PeaZip to calculate the checksum value for a file. PeaZip also integrates with most file managers, so that you can right click an ".iso" file, open with PeaZip, then tell it to get the "checksum" value for the file.
Simple Instructions below:
Click "Test" in the toolbar, then click "CheckSum/hash".
or just run "PeaZip",
Click Tools, PeaUtils, click "Function", select "Hash sha-256", click "select file(s)" & browse to the "iso" file(s), click ok
http://www.peazip.org/peazip-linux.html
PeaZip_CheckSum256_Cinnamon18_3sm.jpg



Verifying (comparing) the checksum values of the Linux Mint.iso file is usually enough to satisfy most users that the downloaded Linux Mint ".iso" disc image file(s) are in fact authentic and secure.


Step 2: Verify security "Signing Key" Signature of the Linux Mint .iso file

2.) It is when you want to also verify the security "Signing Key" signature (gpg) of the disc image .iso file(s) that it becomes more difficult. Security and encryption are not simplistic concepts in any computer operating system.

The average Linux Mint user does not have encryption and security signatures installed, or set up, even though it is an excellent idea to do so, especially for your communications, like email, instant messaging, encrypting files and folders easily, verifying downloads, etc... It is not hard to do, but it is a little unusual (or strange), if you have never done it before.

First of all, we need to set up a GPG Security Key for ourselves. You have to create your own personal security key pair.

Here is a link for MS Windows users to download and install the necessary programs, "Gpg4win" (GNU Privacy Guard for Windows), if you do not already have GPG set up. You can also learn how to use the included programs from the links.
https://www.gpg4win.org/about.html

Mac Users can use one or more of the links in the link below to install and use (MacGPG, GPGtools, etc...)
https://www.google.com/#q=Mac+GPG

Linux users can use desktop graphical programs to create and manage their security keys (see below), or can use the Linux console terminal command below to start the process of creating default security (encryption) keys for yourself and your computer; create your own GPG personal security key. These instructions might also work exactly the same in MS Windows, not sure about Mac users. "GPA" and "Kleopatra" are installed for MS Windows users when you install the "Gpg4win" programs; "GPA" would be easier for non-technical users.

Personally, I would use the graphical (GUI) desktop utility for this part, "GPA" GNU Privacy Assistant, instead of running commands from the command prompt. "GPA" can easily be installed from the Software Manager or Synaptic Package Manager (SPM) for Linux users, see screenshot below. Bring up GNU Privacy Assistant (GPA), select "Keys" in the toolbar, create "new key (Ctrl+N)", follow the prompts. "SeaHorse" is another GPG program, and Linux KDE users can also use "KGpg" (click "Keys" in toolbar, then click "Generate Key Pair"), or use "GPA", and/or use "Kleopatra".

VIP Note: During this process of creating a new security key for yourself, after entering in your name, email address, comment, & a secure password (if asked, I would also choose to create a personal and public key pair), now here comes the unusual, or strange part: you will be asked to type, or move the mouse, to help generate the security key. I think typing works better, but it can take a little while, and a lot of random typing (it does not matter what you type), until the system generates the key; it can sometimes take a few minutes. Do not forget your password! If need be, install and use "KeePass2" (awesome) or "KeePassX" (excellent), or some other password manager.

GNU_Privacy_Assistant_GPA1.jpg


Animated Gif of creating your own Personal GPG Key Pair using Kleopatra
Click to enlarge image, or right click and open in a new tab
Image

If you use a desktop utility, then you do not need to run the console terminal command below to generate a personal key.
gpg --gen-key



3.) Once you have your own GPG key, then you can proceed with the next verification steps:
Import the Linux Mint "signing key" from a Keyserver. It is okay to import both keys for the new version of Linux Mint and the previous versions; I did. This only needs to be done once.

Linux Mint website wrote:

Signing key for Linux Mint 18
Key ID 4096R/A25BAE09 2016-06-07
Fingerprint 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09
UID Linux Mint ISO Signing Key

Signing key for previous releases
Key ID 1024D/0FF405B2 2009-04-29
Fingerprint E1A3 8B8F 1446 75D0 60EA 666F 3EE6 7F3D 0FF4 05B2
UID Clement Lefebvre (Linux Mint Package Repository v1)

You can also use the desktop graphical program "GPA" to easily retrieve the Linux Mint Signing Keys by clicking "Server" in the toolbar, then "Retrieve Keys", and enter in a key value, like A25BAE09 for Linux Mint 18, or 0FF405B2 for previous versions of Linux Mint (You can repeat the process for retrieving both keys). For "KGpg", click "Import Key", "Key Server", enter in Key Value, click ok, OR click "Key Server Dialog", Enter in Key ID (Key Value) in the text search box, click import.

"GPA"
Image

"KGpg" method 1
Image
"KGpg" method 2
Image

Console terminal commands:
For Linux Mint 18
gpg --recv-key A25BAE09

or for previous versions of Linux Mint
gpg --recv-key 0FF405B2


4.) Verify the Signing Key fingerprint with the following command: (This will also show your key(s) and the Linux Mint keys)

Again, this can be done visually using the Desktop programs ("GPA" or "KGpg" or "Kleopatra" or "SeaHorse"), by clicking the imported Linux Mint Key (see "GPA" image above), or by typing in (or copying & Pasting from here) the console terminal commands below. The "fingerprints" here should match those that are displayed on the Linux Mint "Verify ISO page" which I have quoted above.

gpg --list-keys --with-fingerprint

Results in:
For Linux Mint 18 Beta:

pub 4096R/A25BAE09 2016-06-07
Key fingerprint = 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09
uid Linux Mint ISO Signing Key <root@linuxmint.com>


For Linux Mint's previous versions:

pub 1024D/0FF405B2 2009-04-29
Key fingerprint = E1A3 8B8F 1446 75D0 60EA 666F 3EE6 7F3D 0FF4 05B2
uid Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>
sub 2048g/0F346519 2009-04-29

5.) And finally, you type in, or copy & paste, the console terminal command below to verify the security signature (gpg), signing key, of the Linux Mint disc image .iso file:
gpg --verify sha256sum.txt.gpg sha256sum.txt

Results:
gpg: Signature made Tue 07 Jun 2016 12:46:57 PM EDT using RSA key ID A25BAE09
gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09

OR, this command also worked for me:
gpgv --keyring ~/.gnupg/pubring.gpg sha256sum.txt.gpg sha256sum.txt

Results:
gpgv: Signature made Tue 07 Jun 2016 12:46:57 PM EDT using RSA key ID A25BAE09
gpgv: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"

In the results, if the line below exists, "Good Signature", then your file is in good shape and is safe to use.
gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"

VIP: If you do not get a good signature result, then delete the Linux Mint ".iso" disc image file, and re-download the disc image file from the Linux Mint website, and re-verify it using step 1 to Verify Checksum values, then step 5 to verify the security Signing Key signature (gpg) of the disc image file.


Step 2, creating your own personal GPG key, only needs to be done once, (if you have more than one email address and want to use those email addresses with GPG encryption, then re-run the "add new key" procedure for those email addresses).
Steps 3 & 4, Import the Linux Mint "signing key" from a Keyserver, and verify its security "fingerprint", only need to be run once, and then are only necessary when new versions come out, and the key code is different, but it will not hurt to re-run them.

Backup Note2: I would highly recommend that you back up (export) your encryption (GPG) Key(s) to your "/Documents" folder, and maybe a flash drive stick, especially if you do intend on using it for email, chatting, messaging, or for files and folder encryption. Most of the desktop GPG/PGP applications have an "export" (backup) keys function.

And, you can just copy the whole GNU Privacy folder, the hidden folder "/home/yourusername/.gnupg/", to another folder like your "/Documents", and/or a drive or flash drive stick.

Since you now have a personal GPG encryption key, find out more on what you can do with it.

GnuPrivacyGuardHowto - lots of good information.
https://help.ubuntu.com/community/GnuPrivacyGuardHowto

The GNU Privacy Handbook
https://www.gnupg.org/gph/en/manual.html

GPG privacy and encryption for email
Some Email desktop clients, already have GPG PGP encryption available, like for Linux there are Evolution, Kmail, etc...

Thunderbird - Just install "Enigmail" in the Software Manager or Synaptic Package Manager (SPM).

For Browser Web Mail (updated 08-15-2016)

Tip: Although it is much easier, and more convenient, to use an email application that can handle GPG/PGP encryption and decryption built-in, or by adding a plug-in or add-on, most (if not all) of the desktop encryption and decryption applications can easily encrypt and decrypt message text, which can then be easily copied and pasted into any email message, or attached as a text file, using any email application, web based or desktop based.

Simple Procedure: First, you need to import the GPG (PGP) Key from your friends, relatives, Business Associates, and or "send to" recipient. This might be available online by searching for their key through the various GPG programs search (find) key options, or have them send you their key which is safe for them because you do not have their password.

Using "GPA" GNU Privacy Assistant: Bring up GPA, click the "Text Clipboard" icon in the Toolbar (or click Windows, Clipboard), type or paste in some text (create a letter, or whatever), click the "Encrypt the buffer Text" button on the toolbar, select which recipient's ("Send to" recipient, friend, relative, business associate, etc...) encryption Key you want to use (there is a default which is your key), I would also recommend that you add one of your own keys, so you can decrypt your sent messages, click ok. You will see that the message text is now encrypted. Click "Ctrl-A" to select all of it, click the "Copy" button (or use key combo "Ctrl+Ins"), then just paste it into any email message in whatever email application you are using, or into any text editor to save as an attachment to add to an email message. Then, just close the GPA Clipboard. You can decrypt a message by highlighting the encrypted text, selecting copy, then pasting its encrypted text into the GPA clipboard, and clicking the "Decrypt" button, and entering in your Key's secure password.
Animated Gif showing GPA and its text clipboard with simple encryption / decryption button options
Image

Using the "KGpg" application: Bring up "KGpg", click "File", "Open Editor" (or click the "Open Editor" toolbar button), type or paste in some text (create a letter, or whatever), click the "Encrypt" button on bottom, click to select the key(s) for the person or the people you are sending this to (recipients), add your own key too, if you want to decrypt your sent messages, hold down the CTRL key to select more than one key, you will then see the encrypted text, click select all (Ctrl+A), click copy, and paste it into whichever email application you want, and send it. If you wanted, you can also save this as a text file using the save button, and then attach it to a regular email, or for a backup.

Animated Gif showing "KGpg" and its text editor clipboard with simple encryption / decryption button options.
Image

Using the "Kleopatra" application: Bring up Kleopatra, type in any text into a text editor or some other application, select all of the text (Ctrl+A), and select copy (Ctrl+Ins) which copies the text message into the computer's clipboard memory, click Kleopatra's "Clipboard" button, select option to encrypt, (Or, right click system tray panel icon, select clipboard, encrypt), then select add recipient to use their encryption key, click ok. Then, go into whatever email program you want to use, and click paste, then click send.

Animated Gif showing "KGpg" and its text editor clipboard with simple encryption / decryption button options.
Image

I use a "clipboard" manager called "Klipper" which you see in the screenshots for Kleopatra. There are some really great Linux Clipboard managers some with built-in text editors, available for people to install and use, search the forum, search the internet, or the Software Manager or Synaptic Package Manager (SPM) for these.


Browser email Plug-ins and add-ons

Goopg - Google email gpg handler -for Chrome and Chromium browsers. I never tried this. There are more in the Google Extensions like Mymail-crypt, etc...
https://leoiannacone.github.io/goopg/

WebPG for Mozilla & Enigmail
https://addons.mozilla.org/en-US/firefox/addon/webpg-firefox/?src=search


FYI:
This article will explore the differences between PGP, OpenPGP, and GPG (GNU Privacy Guard), offering brief histories of their creations and summaries of their capabilities.
http://blog.goanywhere.com/2013/07/18/openpgp-pgp-gpg-difference/

Difference Between PGP and GPG
http://www.ehow.com/facts_7201163_pgp-encryption.html#ixzz26DXDNpJy

Hope this helps ...

=============================================================================================
On a Side note: The problems I was having when I tried to run any of the "gpg" commands, was not due to typographical errors, like double dash vs single dash, I was getting errors because of a corrupt "gpg.conf" configuration file.

gpg --gen-key
Resulted in:
gpg: .gnupg/gpg.conf:244: argument not expected
gpg: .gnupg/gpg.conf:245: invalid option


I had to delete the hidden folder "/home/username/.gnupg/", and re-run the console terminal command to create my personal key, "gpg --gen-key", or run the GUI "gpa", or "KGpg" (KDE), program from the desktop, then it all worked perfectly. (might have been able to just delete the "gpg.conf" file instead of the whole folder (directory).)

I was already using OpenPGP through "Kleopatra" for email and other communications. I had to setup "GPG" for use with this disk image verification process.
===============================================================================================
Last edited by phd21 on Fri Oct 07, 2016 11:06 am, edited 6 times in total.
Phd21: Mint KDE 17.3 & 18.2, 64-bit Awesome OS, Ancient Dell OptiPlex 780 Core2Duo E8400 3GHz,3gb Ram,160gb hdd, Video: Intel 4 Graphics, DVD Lightscribe. Why I use KDE?:https://opensource.com/life/15/4/9-reasons-to-use-kde
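
The two checks from the tutorial above (the checksum in step 1 and the signature in steps 4 and 5) combined in one script, as an added example that is not part of the original posts. It compares the signing key's full fingerprint, as quoted from the Linux Mint website in the post, against gpg's machine-readable `--status-fd` output; the function names are made up for this example, and it assumes the key was already imported in step 3.

```shell
#!/bin/sh
# Added example, not from the original posts: steps 1, 4 and 5 as one script.
# Function names are made up here. Assumes the Mint key was imported (step 3)
# and that sha256sum.txt and sha256sum.txt.gpg sit beside the ISO.
# Usage: sh this-script.sh ~/Downloads/linuxmint-18-cinnamon-64bit.iso

# Fingerprint of the "Linux Mint ISO Signing Key" as quoted in the post.
MINT18_FPR="27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"

# Strip spaces and upper-case a fingerprint so both spellings compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd` lines on stdin. Succeed only if gpg reported
# GOODSIG (an expired or revoked key is reported as EXPKEYSIG or REVKEYSIG
# instead) and a VALIDSIG line whose last field, the primary key
# fingerprint, equals the expected one.
signed_by() {
    want=$(normalize_fpr "$1")
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == want { valid = 1 }
        END { exit !(good && valid) }'
}

# Compare the ISO's SHA-256 with its entry in a sha256sum.txt-style list
# ("<hash> *<filename>"). Fails if the ISO is not listed at all.
iso_matches_list() {
    iso=$1
    list=$2
    name=$(basename "$iso")
    expected=$(awk -v f="$name" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$list")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum -b "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Signature first (is the checksum list authentic?), then the hash
# (is this ISO the one the list describes?).
verify_mint_iso() {
    iso=$1
    dir=$(dirname "$iso")
    status=$(gpg --status-fd 1 --verify \
        "$dir/sha256sum.txt.gpg" "$dir/sha256sum.txt" 2>/dev/null) || true
    if ! printf '%s\n' "$status" | signed_by "$MINT18_FPR"; then
        echo "sha256sum.txt is NOT signed by the expected key" >&2
        return 1
    fi
    if ! iso_matches_list "$iso" "$dir/sha256sum.txt"; then
        echo "checksum mismatch or ISO not listed: $iso" >&2
        return 1
    fi
    echo "OK: $iso"
}

# Run only when an ISO path is given on the command line.
[ "$#" -eq 0 ] || verify_mint_iso "$1"
```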


Re: How to verify Linux Mint .iso file

Post by phd21 » Mon Aug 15, 2016 7:42 pm

Hi Everyone,

I updated this post on 08-15-2016 to include more information. :)


Re: How to verify Linux Mint .iso file

Post by o-l-d » Sat Feb 18, 2017 10:11 am

You can also use a feature built in to Dolphin in Linux Mint 18.1 KDE. Copy and save the checksum from the site where you downloaded the file, program, iso, etc., to a text editor. When the download finishes, open Dolphin and go to the directory where the file was downloaded and right click on it. On the drop down menu click on Properties at the bottom. Click on the Checksums tab and paste the checksum you saved in the blank space for it. Click on the proper checksum button and Dolphin will hash and check to see if the checksum matches. If it does, you will get a green bar and a confirmation that the hash matches the value you entered. If it doesn't, then you will receive a warning and the bar will be orange/red.

