How to verify a Linux Mint 18 ISO image on Windows

Write tutorials for Linux Mint here
More tutorials on https://github.com/orgs/linuxmint/discu ... /tutorials and (archive) on https://community.linuxmint.com/tutorial
Forum rules
Don't add support questions to tutorials; start your own topic in the appropriate sub-forum instead. Before you post read forum rules
polarvortex

How to verify a Linux Mint 18 ISO image on Windows

Post by polarvortex »

Steps to verify a Linux Mint 18 ISO image on Windows:

- Browse to the main mirror or a mirror near you and browse to the stable/18/ folder (for example, https://ftp.heanet.ie/mirrors/linuxmint.com/stable/18/ ).

- If you haven't already downloaded your iso, download it now.

- Download sha256sum.txt and sha256sum.txt.gpg to the same folder as your iso (you will need to right click on them and Save Link As...)

- Now you need to download and install Gpg4win from https://www.gpg4win.org/
During the installation, the only components you need to install are GnuPG and Kleopatra.

- Run Gpg4win Kleopatra as administrator (right click on the shortcut to Kleopatra and choose "Run as administrator"). It has to be run as administrator or it will fail in writing a text file in a step later on below.

- In the menu, choose Settings > Configure Kleopatra...

- In the Configure window, press New. (This automatically adds the default certificate server keys.gnupg.net)

- Click OK

- In the menu, choose File > Lookup Certificates on Server...

- Type "Linux Mint ISO" and click Search. It will find the Linux Mint ISO Signing Key, A25BAE09.
(If you click on Details, you can compare it with the key details at the top of https://linuxmint.com/verify.php Image )

- Select the Linux Mint ISO Signing Key and click Import. Click OK on the result window. Now you will see the Linux Mint ISO Signing Key in the main Kleopatra window.

- Right click on the Linux Mint ISO Signing Key and choose "Change Owner Trust"

- Click on the "I believe checks are very accurate" radio button, and then click OK. Click OK on the change success box. (We can trust this key because we already manually compared the key details to the mint website above and saw they are identical.)

- Now we need to create our own certificate so that we can certify the mint certificate. In the menu, choose File > New Certificate. This opens up a Certificate Creation Wizard. Choose "Create a personal OpenPGP key pair"

- Fill in a name and email.
(Note: as far as I can tell, nothing is actually done with this name and email since we won't be choosing the options to publish or share the certificate. We will only be using it locally. So it should work equally well with real or fake name and email.)

- Click Next. Then click Create Key. Now you need to enter a passphrase - this is a new passphrase that you are creating right now. Note that you need to remember this passphrase for later.

- Click Ok and re-enter it and click Ok.

(You can Make a Backup Of Your Key Pair to a file if you want, but you won't need it for this, and I don't know what you'd need it for...)

- Click Finish.

- Now in the main Kleopatra window, right click on the Linux Mint ISO Signing Key and choose Certify Certificate...

- check the box of the cert we want to certify, "Linux Mint ISO Signing Key"

- check the box "I have verified the fingerprint"
(We can manually verify it by comparing it to the mint website Image )

- Click Next

- Choose "Certify only for myself", and click Certify.

- Enter your passphrase and click OK.

- Click Finish.

- In the menu, choose File > Decrypt/Verify Files... and browse to the sha256sum.txt.gpg you downloaded earlier and click Open.

- Now, in the Decrypt/Verify Files window, check the box "Input file is a detached signature" and then press the blue icon open button for the Signed data field to add the other file, sha256sum.txt, to the field.

- Click the "Decrypt/Verify" button, and you will see "All operations completed", and the green "sha256sum.txt.gpg: Signed by root@linuxmint.com".
Image

- Click OK.


Note: At this point you have verified that the sha256sum.txt file is in fact signed with the Linux Mint ISO Signing Key; that it has been published by the Linux Mint team. The sha256sum.txt, which we can now trust, contains the sha256sums that we will now use to check the integrity and authenticity of the ISO you downloaded.


- in the menu, choose Settings > Configure Kleopatra..., then click on "Crypto Operations". Then click on the "File Operations" tab and then in the dropdown change the Checksum program to use to sha256sum. Click OK.


Note: If you want to verify your iso multiple times, or if tomorrow you download a different edition of Mint 18 (xfce, mate, etc), you don't have to do the above steps again. You can just do the steps below next time.


- In the menu, choose File > Verify Checksum Files... and choose the sha256sum.txt file that you downloaded at the beginning of the tutorial, and click Open. The Verify Checksum Results window will show, and you will see a progress bar as it takes a few moments to verify.

Now you will see your linux mint iso file highlighted either in green or red (you may need to scroll to find it if you have a lot of files in that folder). If it's red it failed to verify; your iso file is corrupt. If it's green, you will still see that it says "One error occurred".

Image

- Click on the Show button to see the full error.

If the error is "can't open file, No such file", and it lists 7 iso files that you don't have, and it says "Warning: 7 of 8 listed files could not be read", then that is OK and normal. (If you want to know what's up with that, you can read the detailed explanation at the end of this post.) You have successfully verified the integrity and authenticity of the ISO image, and you are done. Click Close. And exit Kleopatra.

But, if the error is "Failed to execute C:/(your path to)/sha256sum.exe: Process operation timed out", or possibly some other error, then even though your iso file is highlighted in green I don't think we can be sure that it worked. In this case, try doing the Verify Checksum Files step again and see if it works this time...


If you used this tutorial on Windows XP please reply to the thread and let me know how it went. Were there any differences in how it goes on XP? Does it even work at all? Thanks! So far I know it works on all versions of Windows from Vista to 10.


---
Extra details for people who want to understand the "can't open file, No such file" error:

sha256sum.txt contains 8 different checksums, one for each of the 8 editions of Mint. So in the Verify Checksum Files step above, Kleopatra tries to look for eight different iso files, one for each edition of Mint, and verify those iso's against the checksums it has. You probably only downloaded one iso, so Kleopatra can't find the other ones, so it says an error occurred. If you click the Show button you can see the full error. It says error, can't open file, no such file, and it lists 7 iso files that you don't have. Then it says Warning: 7 of 8 listed files could not be read. It doesn't say anything about the 8th file that it was able to read. We know it read it (assuming you didn't get any other weird error messages that I've never seen yet), because it shows the file in green in the results window.

You could 'fix' this 'error' either by downloading all eight of the iso files, or by editing the sha256sum.txt file to remove the lines for the iso's that you don't have. But it's much better to just understand that it's not a real error and it doesn't need to be 'fixed'.

If the checksum verification fails, it will also say "One error occurred" - it's the same error where it's not able to open the missing iso files. But your iso file will be listed in red. When you click on the Show button, it will also have the Warning, 7 of 8 listed files could not be read, but it will have another Warning, 1 of 1 computed checksums did not match.
Last edited by polarvortex on Wed Dec 14, 2016 5:34 pm, edited 9 times in total.
J2b2

Re: How to verify a Linux Mint 18 ISO image on Windows

Post by J2b2 »

Thank you polarvortex for the tutorial. Before seeing seeing the threads on this topic of verifying the Linux ISO in MSWindows I had given up out of utter frustration for not knowing how to go about performing the steps to verify the ISO image.
kbwoodworker

Re: How to verify a Linux Mint 18 ISO image on Windows

Post by kbwoodworker »

Thank you! It worked flawlessly! I had given up on Mint 18, since I am downloading into a Windows computer in order to burn the ISO to a disk.
User avatar
jungle_boy
Level 7
Level 7
Posts: 1812
Joined: Thu Aug 19, 2010 2:51 pm
Location: Amazon Rainforest

Re: How to verify a Linux Mint 18 ISO image on Windows

Post by jungle_boy »

Samsung Odyssey, Octa-core, i5 9300H, Geforce GTX 1650, 16GB RAM, SSD SAMSUNG NVMe 500GB
LM 21 Cinnamon
kbwoodworker

Re: How to verify a Linux Mint 18 ISO image on Windows

Post by kbwoodworker »

jungle_boy wrote:Or try this...

viewtopic.php?f=42&t=225855
There wasn't anything on there much about the signing key, jungle_boy (if using Windows). It seemed to just deal with one part of the process for Windows users. That was the part I already knew how to do. The reason they added the signing key was in response to security issues. So, it's worth it to go through the process, step-by-step in order to make sure it is a secure download.

I also appreciated learning some things about signing (encryption) keys. I needed a stepbystep process to do so.
rene
Level 20
Level 20
Posts: 12240
Joined: Sun Mar 27, 2016 6:58 pm

Re: How to verify a Linux Mint 18 ISO image on Windows

Post by rene »

Thanks for posting this; very useful. However, I was offline for a bit so pardon the belated comment but there does appear to be an issue with the last two steps as posted:
polarvortex wrote: - In the menu, choose File > Create Checksum Files... and choose the mint linux iso file. It will create the file sha1sum.txt in the same folder as your mint iso. Click OK.

- In the menu, choose File > Verify Checksum Files... and choose the sha1sum.txt file (which is in the same folder as your mint iso) and click Open. You will see a progress bar as it takes a few seconds to verify, and then if all goes well it will say "No errors occurred" and you will see your linux mint iso file highlighted in green (you may need to scroll to find it if you have a lot of files in that folder). If so, then you have successfully verified the integrity and authenticity of the ISO image.
Although I haven't verified (not being a Windows user) you in the first of these two steps create a file sha1sum.txt containing a checksum of the iso but would from this description appear to then in the next step only verify the just created checksum contained in that sha1sum.txt file against the iso again. Certainly these are going to match: it just created said checksum.

What needs doing is verifying the by Kleopatra generated checksum against the one in the downloaded sha256sum.txt file. In this, I assume the "sha1sum" versus "sha256sum" to be a naming difference only; can't verify right now, but if there's also an actual difference between used hashing algorithms, you'd also need to get Kleopatra to in fact generate a "sha256sum".

As written and as interpreted by me, it seems that with the current two steps in the end nothing is in fact verified (other than Kleopatra's ability to generate the same "sha1sum" from the same iso twice in a row).
polarvortex

Re: How to verify a Linux Mint 18 ISO image on Windows

Post by polarvortex »

tl;dr: I fixed it :)

Rene, thanks for checking the tutorial. I knew it needed checking as I mentioned in the thread that led to this. I didn't understand this stuff very well. I understand it more now.

You're right, those last couple of steps were totally wrong. I think that I thought what it did was create the sum from the iso, and then you were comparing that sum with the signing key that was already 'in kleopatra' or something. I was just piecing things together from things other people wrote and trying to figure out the blanks to fill them in, and not quite succeeding lol. In hindsight, it's pretty obvious that I just had it checking against the sum I just made *from it*, which is comically pointless :?

Anyhow, I have fixed the tutorial! It should be ok now?

The only changes are:
- at the very top I tell them to save the sha256sum.txt and sha256sum.txt.gpg to the same folder as their iso (otherwise Kleopatra won't find the iso)
The last page of the tutorial,
- added Change the checksum program Kleopatra uses to sha256sum
- removed the pointless creation of the sum file
- changed it so you compare the iso with the correct sum file
- changed my explanation of the results which are a bit different now that you're doing the correct thing
User avatar
trytip
Level 14
Level 14
Posts: 5371
Joined: Tue Jul 05, 2016 1:20 pm

Re: How to verify a Linux Mint 18 ISO image on Windows

Post by trytip »

or for 1.1MB download the free HashTab http://implbits.com/products/hashtab/
or for 85KB download HashCheck Shell Extension http://code.kliu.org/hashcheck/

installing gpg in windows just to verify an iso is a bit overkill
Image
polarvortex

Re: How to verify a Linux Mint 18 ISO image on Windows

Post by polarvortex »

trytip wrote:installing gpg in windows just to verify an iso is a bit overkill
Maybe so, but linuxmint.com tells users who are trying to download Mint to verify the ISO, and it tells them that the first step to do that is to verify the signature on the sha256sum. A windows user who cares about stuff like that and who doesn't think they know better than linuxmint.com is going to want these instructions. These are just the windows version of the instructions at https://linuxmint.com/verify.php
rene
Level 20
Level 20
Posts: 12240
Joined: Sun Mar 27, 2016 6:58 pm

Re: How to verify a Linux Mint 18 ISO image on Windows

Post by rene »

polarvortex wrote:Anyhow, I have fixed the tutorial! It should be ok now?
Yes, as far as I can judge without a Windows installation in front of me I believe it should. Once again many thanks for posting this; I expect it will be an oft referred to post.

Two minor additional comments:

Rather than a "throwaway" email address a fully fake one should supposedly do as well for this one-shot verification purpose. And in fact, while I myself also suggested generating a personal key pair in the Linux-based walkthroughs I posted here and there, that was in that case due to wanting to mention the possibility of signing the imported Mint key with one's personal key to avoid the "This key is not certified with a trusted signature" warning that gpg on Linux gives (plus it being a way to guarantee that gpg was in fact set up for the user, plus not wanting to in fact too verbosely explain lest people still run away screaming from a process they feel convoluted). On Linux, generating a personal key pair is however not essential to the process...

In your case it seems you may need it basically just for the "Certify only for myself" choice that I see you mention? When I read the earlier step of having the option to set "I believe checks are very accurate" I assumed you wouldn't in fact need to personal key pair to in the gpg4win case avoid the equivalent warning. If you still feel inspired it might be nice to try and see if you can get cleanly through the process without any personal key pair on Windows as well.

Second, I believe that it might be useful to after the 'Click the "Decrypt/Verify" button' step be verbose about what has been done. I.e., something on the order of "At this point you have verified that the sha256sum.txt file in is fact signed with the Linux Mint ISO Signing Key; that it has been published by the Linux Mint team; that the sha256sums contained in it are the sha256sums of the ISO's as published by said team." Many users seem shaky as to the authentication/verification partitioning of the process, and I believe being verbose here might help.

Many thanks! Very useful post.
polarvortex

Re: How to verify a Linux Mint 18 ISO image on Windows

Post by polarvortex »

rene wrote:Rather than a "throwaway" email address a fully fake one should supposedly do as well
That's a good point. I originally used a throwaway email address (and the tutorial basically listed what I did) because I didn't know what the program was going to do with it, if it might send an email or that I might need to read that email. And I know that some users are reluctant to give their real email address to things if they don't have to. Now I think that it only uses the email address if you choose some options (some Publish thing) that the tutorial does not tell you to choose. So, as far as I know, you could put in your actual real email address, or a totally fake one, and it would be the same result since it's not used. So I have changed that point in the tutorial now.
rene wrote:When I read the earlier step of having the option to set "I believe checks are very accurate" I assumed you wouldn't in fact need to personal key pair to avoid the equivalent warning. If you still feel inspired it might be nice to try and see if you can get cleanly through the process without any personal key pair on Windows as well.
When I was doing the process I certainly thought that Trusting the signing key would have done the trick. But it doesn't. To be honest you might not even need to do the "Change Owner Trust" step. If you only do that step, and you don't do the certificate thing, it won't work. It will say "Not enough information to check signature validity" in a yellow warning. You could actually manually read the details and realize that it's ok, but, the average user who barely knows what this is about won't be able to tell it's ok, they will only see yellow failure warnings. To get the green success message you have to certify it.
rene wrote:Second, I believe that it might be useful to after the 'Click the "Decrypt/Verify" button' step be verbose about what has been done
I think it's fine without it because the user is seeing the messages in Kleopatra, but it couldn't hurt so I added a note.

Thanks for proofing the tutorial!
Don_Walker281

Re: How to verify a Linux Mint 18 ISO image on Windows

Post by Don_Walker281 »

:D Thanks for this.
I followed your clear instructions all the way through the minefield and (with a couple of detours - my fault), came out the other end.
User avatar
Fred Barclay
Level 12
Level 12
Posts: 4185
Joined: Sat Sep 13, 2014 11:12 am
Location: USA primarily

Re: How to verify a Linux Mint 18 ISO image on Windows

Post by Fred Barclay »

polarvortex wrote:
trytip wrote:installing gpg in windows just to verify an iso is a bit overkill
Maybe so, but linuxmint.com tells users who are trying to download Mint to verify the ISO, and it tells them that the first step to do that is to verify the signature on the sha256sum. A windows user who cares about stuff like that and who doesn't think they know better than linuxmint.com is going to want these instructions. These are just the windows version of the instructions at https://linuxmint.com/verify.php
Indeed, and please don't remove the GPG instructions! They're our final safeguard if someone hacks the Mint servers and links to malicious Mint downloads (as they did in February).

Congratulations on a very well-written tutorial, by the way! :)
(With your permission, I'd like to borrow some of it for https://fred-barclay.github.io/VerifyLinuxMint/. I don't have proper instructions for Windows yet.)

Cheers!
Fred
Image
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
polarvortex

Re: How to verify a Linux Mint 18 ISO image on Windows

Post by polarvortex »

Feel free Fred, it was kludged together from various stuff I borrowed too, I just seem to be the first to put it together completely. I see one of the image links is already dead so I will have to fix that soon. Can you let me know if you have successfully used the tutorial on some version of windows, and what version that is? I should really confirm that it works on all main versions of windows, and I haven't done that yet, but I figured people would reply and let me know but nobody has yet.
User avatar
Fred Barclay
Level 12
Level 12
Posts: 4185
Joined: Sat Sep 13, 2014 11:12 am
Location: USA primarily

Re: How to verify a Linux Mint 18 ISO image on Windows

Post by Fred Barclay »

Sure! I've got an XP and a Vista virtual machine, and a Windows 7 bare-metal machine (and I could possibly borrow a Windows 8.1 machine as well) so I'll test on all of 'em.
Image
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
Wadeford

Re: How to verify a Linux Mint 18 ISO image on Windows

Post by Wadeford »

Worked in Windows 10. Haven't made the boot media yet but the verification works!

Wade.
polarvortex

Re: How to verify a Linux Mint 18 ISO image on Windows

Post by polarvortex »

Thanks Wade
Last edited by polarvortex on Tue Dec 13, 2016 5:57 pm, edited 1 time in total.
eBird

Re: How to verify a Linux Mint 18 ISO image on Windows

Post by eBird »

I can confirm this tutorial worked flawlessly in Windows 8.1.

Thank you for the detailed and careful explanations.
polarvortex

Re: How to verify a Linux Mint 18 ISO image on Windows

Post by polarvortex »

I figured it would work I just wasn't sure if it would work flawlessly, so that's great, thanks for letting me know
Last edited by polarvortex on Wed Dec 14, 2016 5:01 pm, edited 1 time in total.
12characters

Re: How to verify a Linux Mint 18 ISO image on Windows

Post by 12characters »

It worked perfectly, I was using windows 7 ultimate. It was a long process, but you explained it very well. many thanks :)
Locked

Return to “Tutorials”