How to verify the ISO image on Windows

Write tutorials for Linux Mint here
More tutorials on https://github.com/orgs/linuxmint/discu ... /tutorials and (archive) on https://community.linuxmint.com/tutorial
Forum rules
Don't add support questions to tutorials; start your own topic in the appropriate sub-forum instead. Before you post read forum rules
Locked
gm10

How to verify the ISO image on Windows

Post by gm10 »

Since the image file verification remains an issue for many Windows users, here's a detailed guide on how to do it on Windows. This guide assumes you do not have the Windows Subsystem for Linux installed on Windows 10, because then it would be easier for you to simply use the verification instructions for Linux via WSL.

Preparation
  1. First follow the steps in the "Preparation" section of https://linuxmint.com/verify.php for the version you downloaded. It is essential that at step 3 you follow the instruction to right click the links and select to Save as...(exact wording varies depending on your browser, e.g. Save Link As... in Chrome and Firefox). Left clicking the files and saving the contents in other ways will lead to authentication failure.

    Note that it does not matter where exactly you put the files as long as they are all in the same folder and keep their original names.
  2. Then browse to https://www.gnupg.org/download/index.html and download and install the Windows installer for GnuPG. It is this download:

    Image

    For the purposes of this guide it does not matter whether you install the program as administrator or not, so just click yes to install to install without administrator rights if it asks you.
  3. Now find the folder containing the files you downloaded in the first step, hold Shift while right-clicking it (the folder, not the files in it). Select to open a command window:

    Image

    Depending on your version of Windows it is also possible that the option is called like this:
    Image
    Use whichever you've got available but if you used the PowerShell option then type cmd followed by Enter into the window.
Integrity Check
  • Type this command into the command window while replacing the filename.iso part with the actual name of the .iso file you downloaded:

    Code: Select all

    CertUtil -hashfile filename.iso SHA256
    Note that if you start typing a filename you can press Tab to automatically complete it.

    Press Enter to run the command. This will take a little while to complete and eventually present you with an alphanumeric sequence that is called a hash. If this hash is identical to the one listed in your sha256sum.txt then the integrity check passed. You can compare them by hand (note that some Windows text editors will not display the line breaks in that document so it may look weirdly formatted) or better use the find command.
    .
  • Here's a screenshot of the complete sequence of commands (don't mind the folder location on my system):

    Image
    .
    If the same hash is not found in sha256sum.txt then your downloaded .iso did not pass the integrity check. Make sure you downloaded the correct sha256sum.txt and if yes, try to download the .iso again from a different mirror server. Then check the integrity again.
    .
  • On older versions of Windows, the CertUtil command does not exist. Instead it is recommended to install the 7-Zip archiver, then find and right-click the .iso file your downloaded in Windows Explorer and select 7-Zip's CRC SHA option to calculate the SHA 256 hash, which must then compare to the one from the sha256sum.txt file yourself.
  • Never install from an .iso that failed the integrity check.

Authenticity Check

For the authenticity check we use the same commands as described on https://linuxmint.com/verify.php:
  1. Copy & paste this command into the command window and press Enter to run it:

    Code: Select all

    gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
    For some users this fails with a keyserver or network error, in that case (and only then) please try this variant instead:

    Code: Select all

    gpg --keyserver keyserver.ubuntu.com --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
    or this one:

    Code: Select all

    gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
    If it's failing on all of those, then as a workaround you can manually download the key fromthis link with your web browser, save the page to a file in the same folder as everything else. Assuming you saved the file with the name lookup.txt, you would then run this command to import the key

    Code: Select all

    gpg --import lookup.txt
  2. Now copy & paste this command into the command window and press Enter to run it:

    Code: Select all

    gpg --verify sha256sum.txt.gpg sha256sum.txt
  3. The output from those two commands will look something like this (don't worry if it looks slightly different, the only relevant part is listed below the screenshot):

    Image
    .
    As long as it says Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" and with a fingerprint matching the one shown above and that you used to download the key, then that means your download is authentic. In case it was tampered with the message would be BAD signature from ....

    You can ignore the warning that comes after that, it is expected and perfectly normal.
Finally
Last edited by gm10 on Thu Jan 23, 2020 2:09 pm, edited 22 times in total.
User avatar
JoeFootball
Level 13
Level 13
Posts: 4682
Joined: Tue Nov 24, 2009 1:52 pm
Location: /home/usa/mn/minneapolis/joe

Re: How to verify the ISO image on Windows

Post by JoeFootball »

Well done! :)

Joe
Starkman

Re: How to verify the ISO image on Windows

Post by Starkman »

This helps, but I think it needs some tweaking.

1.) The reference to https://linuxmint.com/verify.php leads one to click on their version to download. Doing so tells them to download two files: a .txt and a .gpg. Sadly, these files cannot be downloaded by a Windows user.

2. Regardless of whether one holds Shift or not while clicking either of these three files, the option to open a Command line in Windows does not appear; a PowerShell window may open if one right-clicks the open area in the folder, but that's about it.

Otherwise, the instructions we easy to follow.

Thanks.
User avatar
karlchen
Level 23
Level 23
Posts: 19080
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: How to verify the ISO image on Windows

Post by karlchen »

Hello, Starkman.

Ad 1.)
Of course, the 2 files sha256sum.txt and sha256sum.txt.gpg, can be downloaded even by poor Windows users. Provided they know that right-clicking on a link and selecting "Save As ..." from the context menu will work on Windows as well. :wink:

Ad 2.)
Misunderstanding on your side: gm10 tells to hold the shift key and right-click on the folder where you saved the 2 files mentioned above and the ISO image file.
gm10 wrote: Thu Mar 28, 2019 5:02 pmNow find the folder containing the files you downloaded in the first step, hold Shift while right-clicking it. Select to open a command window:
Regards,
Karl
Image
The people of Alderaan have been desperately fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 960 days now.
Might Just Take Your Life
gm10

Re: How to verify the ISO image on Windows

Post by gm10 »

Starkman wrote: Fri Mar 29, 2019 10:31 am This helps, but I think it needs some tweaking.

1.) The reference to https://linuxmint.com/verify.php leads one to click on their version to download. Doing so tells them to download two files: a .txt and a .gpg. Sadly, these files cannot be downloaded by a Windows user.

2. Regardless of whether one holds Shift or not while clicking either of these three files, the option to open a Command line in Windows does not appear; a PowerShell window may open if one right-clicks the open area in the folder, but that's about it.
Thanks for the feedback. Good point regarding PowerShell, I amended the guide with that. It already said you were supposed to right click the folder, not the files though (I made it even clearer).

Regarding your 1), I am linking there exactly for the reason that I want the user to download those two files. As karlchen said, there is no problem with downloading them on Windows. If you explain your trouble with that I'm sure we can help you out.
Starkman

Re: How to verify the ISO image on Windows

Post by Starkman »

Karl,

Okay, you got me on the right-click > Save Link As... I am no "poor" windows user, but I have to say I have never tried (nor needed to try) clicking a "link" to download it as a file, thinking that I could choose Save Link As a file instead of...a LINK, not a file (after all, it is a link, not a file). This is the first time that I can recall ever coming across this So, you got me there. But hey, we all learn something new here and there, do we not?

Thanks.
gm10

Re: How to verify the ISO image on Windows

Post by gm10 »

Starkman wrote: Fri Mar 29, 2019 11:01 am Okay, you got me on the right-click > Save Link As... I am no "poor" windows user, but I have to say I have never tried (nor needed to try) clicking a "link" to download it as a file, thinking that I could choose Save Link As a file instead of...a LINK, not a file (after all, it is a link, not a file). This is the first time that I can recall ever coming across this So, you got me there. But hey, we all learn something new here and there, do we not?
We understand, it's why we explicitly state in the instructions to right-click, I'm not sure we can make that clearer. Maybe we'll end up having to bold and underline it. ;)
Starkman

Re: How to verify the ISO image on Windows

Post by Starkman »

I was so sure I read it to right-click a file, not a folder. And this after I just got new glasses! And, to boot, there's no more beer in the fridge to numb me after this horrible, embarrassing ordeal: that I can right click a LINK, for pete's sake, and save it as a file. Who knew!

Thanks much.
Raging Beaver

Re: How to verify the ISO image on Windows

Post by Raging Beaver »

When I try to execute this command:

Code: Select all

gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key "27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09"
I get this error message:

Code: Select all

gpg : The term 'gpg' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:2
+  gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key "27DE B15 ...
+  ~~~
    + CategoryInfo          : ObjectNotFound: (gpg:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Anyone know a solution or what I might have done wrong? I was able to follow all the steps up to this point with no problem.
gm10

Re: How to verify the ISO image on Windows

Post by gm10 »

Raging Beaver wrote: Wed Apr 03, 2019 8:44 am Anyone know a solution or what I might have done wrong? I was able to follow all the steps up to this point with no problem.
Sounds like you didn't install GnuPG (step 2 of the Preparation section).
Raging Beaver

Re: How to verify the ISO image on Windows

Post by Raging Beaver »

gm10 wrote: Wed Apr 03, 2019 9:11 am
Raging Beaver wrote: Wed Apr 03, 2019 8:44 am Anyone know a solution or what I might have done wrong? I was able to follow all the steps up to this point with no problem.
Sounds like you didn't install GnuPG (step 2 of the Preparation section).
Oh. I had the installer downloaded but I guess I forgot to do anything with it. Thanks.
Maxmagicbanana

Re: How to verify the ISO image on Windows

Post by Maxmagicbanana »

So I got the first few step good but whe nI went to verified the iso with the last command it showed me this line

Code: Select all

PS C:\Users\maxmagicbanana\Desktop\Linux> gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: impossible d'ouvrir « sha256sum.txt.gpg » : No such file or directory
gpg: verify signatures failed: No such file or directory
SO I'm not to sure how to get it to work.
User avatar
karlchen
Level 23
Level 23
Posts: 19080
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: How to verify the ISO image on Windows

Post by karlchen »

Hi, Maxmagicbanana.

Code: Select all

PS C:\Users\maxmagicbanana\Desktop\Linux> gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: impossible d'ouvrir « sha256sum.txt.gpg » : No such file or directory
gpg: verify signatures failed: No such file or directory
You have verified that both files, sha256sum.txt.gpg and sha256sum.txt, are located in the same folder, in folder C:\Users\maxmagicbanana\Desktop\Linux?

Regards,
Karl
Image
The people of Alderaan have been desperately fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 960 days now.
Might Just Take Your Life
Maxmagicbanana

Re: How to verify the ISO image on Windows

Post by Maxmagicbanana »

Yes all the files are in the same folder.
jhglmforums

Re: How to verify the ISO image on Windows

Post by jhglmforums »

Hello,

I get "gpg: could not parse keyserver URL" at step 1) of the authenticity check.

Joe
User avatar
xenopeek
Level 25
Level 25
Posts: 30262
Joined: Wed Jul 06, 2011 3:58 am

Re: How to verify the ISO image on Windows

Post by xenopeek »

There was a typo in this command:
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"

Was that the one giving you an error? Try again with above command. I also fixed it in the first post in this topic.
Image
jhglmforums

Re: How to verify the ISO image on Windows

Post by jhglmforums »

xenopeek wrote: Fri Apr 12, 2019 3:03 pm There was a typo in this command:
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"

Was that the one giving you an error? Try again with above command. I also fixed it in the first post in this topic.
Yup, that was it! Thanks for updating the tutorial.

Joe
monotoned

Re: How to verify the ISO image on Windows

Post by monotoned »

This is a really dumb question, but how do you use the find command? I typed: find "copied and pasted hash here" sha256sum.txt and got FIND: Parameter format not correct. However it matches when I do ctrl+f directly in the text file itself. Sorry about something so basic as this, I'm a long-time windows user trying to make a switch. Thank you in advanced!
User avatar
karlchen
Level 23
Level 23
Posts: 19080
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: How to verify the ISO image on Windows

Post by karlchen »

Hello, monotoned.

The Windows find command is used to find strings inside text files.
The Linux find command, however, is used to find files or directories, based on various search criteria. It does not look for strings inside text files.
The Linux command grep is what corresponds to the Windows find command.

More details on Linux find and grep:

Code: Select all

find --help
man find

grep --help
man grep
HTH,
Karl
Image
The people of Alderaan have been desperately fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 960 days now.
Might Just Take Your Life
gm10

Re: How to verify the ISO image on Windows

Post by gm10 »

karlchen thx but this is a guide for Windows so the Linux command really doesn't matter in this context. ;)
monotoned wrote: Sat Apr 13, 2019 8:32 am This is a really dumb question, but how do you use the find command? I typed: find "copied and pasted hash here" sha256sum.txt and got FIND: Parameter format not correct.
Not a dumb question at all but a shortcoming of my guide actually. Thanks for bringing this to my attention.

I had originally not written it with PowerShell in mind, was reminded of it later in this thread but didn't consider the implications for the find command. In PowerShell you'd need to use triple quotes """hash""". I'll adjust the guide to make everybody use cmd.exe, it's simpler.

Your Ctrl+F manual check is completely sufficient though so you do not need to do it again, using find was meant to simplify things, not complicate them as happened here. ;)
Locked

Return to “Tutorials”