Preparation
- First follow the steps in the "Preparation" section of https://linuxmint.com/verify.php for the version you downloaded. It is essential that at step 3 you follow the instruction to right click the links and select to Save as...(exact wording varies depending on your browser, e.g. Save Link As... in Chrome and Firefox). Left clicking the files and saving the contents in other ways will lead to authentication failure.
Note that it does not matter where exactly you put the files as long as they are all in the same folder and keep their original names. - Then browse to https://www.gnupg.org/download/index.html and download and install the Windows installer for GnuPG. It is this download:
For the purposes of this guide it does not matter whether you install the program as administrator or not, so just click yes to install to install without administrator rights if it asks you. - Now find the folder containing the files you downloaded in the first step, hold
Shift
while right-clicking it (the folder, not the files in it). Select to open a command window:
Depending on your version of Windows it is also possible that the option is called like this:
Use whichever you've got available but if you used the PowerShell option then typecmd
followed byEnter
into the window.
- Type this command into the command window while replacing the filename.iso part with the actual name of the .iso file you downloaded:
Note that if you start typing a filename you can press Tab to automatically complete it.
Code: Select all
CertUtil -hashfile filename.iso SHA256
PressEnter
to run the command. This will take a little while to complete and eventually present you with an alphanumeric sequence that is called a hash. If this hash is identical to the one listed in yoursha256sum.txt
then the integrity check passed. You can compare them by hand (note that some Windows text editors will not display the line breaks in that document so it may look weirdly formatted) or better use thefind
command.
. - Here's a screenshot of the complete sequence of commands (don't mind the folder location on my system):
.
If the same hash is not found insha256sum.txt
then your downloaded .iso did not pass the integrity check. Make sure you downloaded the correctsha256sum.txt
and if yes, try to download the .iso again from a different mirror server. Then check the integrity again.
. - On older versions of Windows, the CertUtil command does not exist. Instead it is recommended to install the 7-Zip archiver, then find and right-click the .iso file your downloaded in Windows Explorer and select 7-Zip's CRC SHA option to calculate the SHA 256 hash, which must then compare to the one from the
sha256sum.txt
file yourself. - Never install from an .iso that failed the integrity check.
Authenticity Check
For the authenticity check we use the same commands as described on https://linuxmint.com/verify.php:
- Copy & paste this command into the command window and press
Enter
to run it:For some users this fails with a keyserver or network error, in that case (and only then) please try this variant instead:Code: Select all
gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
or this one:Code: Select all
gpg --keyserver keyserver.ubuntu.com --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
If it's failing on all of those, then as a workaround you can manually download the key fromthis link with your web browser, save the page to a file in the same folder as everything else. Assuming you saved the file with the nameCode: Select all
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
lookup.txt
, you would then run this command to import the keyCode: Select all
gpg --import lookup.txt
- Now copy & paste this command into the command window and press
Enter
to run it:Code: Select all
gpg --verify sha256sum.txt.gpg sha256sum.txt
- The output from those two commands will look something like this (don't worry if it looks slightly different, the only relevant part is listed below the screenshot):
.
As long as it says Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" and with a fingerprint matching the one shown above and that you used to download the key, then that means your download is authentic. In case it was tampered with the message would be BAD signature from ....
You can ignore the warning that comes after that, it is expected and perfectly normal.
- If your .iso passed both the integrity and the authenticity checks you can use it to create an installation medium now: https://linuxmint-installation-guide.re ... /burn.html