How to verify the ISO image on Windows

[gm10]

I give up.

Sorry I couldn't help. Fingers crossed your installation goes more smoothly.

[havemercyonme]

It worked, but the solution was purely accidental. I already had the original gpg file in the folder, so when I went to save the new one, I wanted to keep the original, so I named the one I was saving with the number 1 in it, and it saved correctly. Thanks for all of your help.

I've test-driven Linux live, and I found navigating it very sweet, so I'm looking forward to getting it installed.

I can't believe how easily I could install my HP printer which has a ridiculously large driver that takes such a long time to install on a Windows. I think I'm up to the challenge of learning a new system.

Be well.

Code: Select all

C:\Users\Nancy\Desktop\ISO>gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made 12/17/18 11:58:03 Pacific Standard Time
gpg:                using RSA key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09

[LCintheSky]

I am trying to do the authenticity check. I've installed GPG, and when I shift-right click on the "gnupg" folder to open the command prompt, and type "gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"," I get the response "gpg: keyserver receive failed: Server indicated a failure." What does that mean, and how can I fix it? Thank you!

[gm10]

I am trying to do the authenticity check. I've installed GPG, and when I shift-right click on the "gnupg" folder to open the command prompt, and type "gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"," I get the response "gpg: keyserver receive failed: Server indicated a failure." What does that mean, and how can I fix it? Thank you!

It's a network issue. Server seems up though, so try it like this:

Code: Select all

gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09

and if that still doesn't work, try like this:

Code: Select all

gpg --keyserver keyserver.ubuntu.com --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09

Let me know which one worked (hopefully one of them did).

[LCintheSky]

Thank you, gm10, for the quick response! Unfortunately, neither one of those worked. I still get the same message. I'm running Windows 7, if that makes a difference.

[gm10]

Thank you, gm10, for the quick response! Unfortunately, neither one of those worked. I still get the same message. I'm running Windows 7, if that makes a difference.

You could try to reboot and then try the command again, we've seen gpg sometimes get "stuck" for a while, but otherwise I do unfortunately have no good advice at this point. If you cannot get it to work and are willing to take my word for it, here's are the authenticated contents of the file for LM 19.1, you can use those or compare with what you downloaded - next best thing to authenticating yourself :

Code: Select all

b580052c4652ac8f1cbcd9057a0395642a722707d17e1a77844ff7fb4db36b70 *linuxmint-19.1-cinnamon-32bit.iso
bb4b3ad584f2fec1d91ad60fe57ad4044e5c0934a5e3d229da129c9513862eb0 *linuxmint-19.1-cinnamon-64bit.iso
ca86885e2384373f8fbb2121e2abb6298674e37fc206d3f23661ab5f1f523aba *linuxmint-19.1-mate-32bit.iso
5bc212d73800007c7c3605f03c9d5988ad99f1be9fc91024049ea4b638c33bb4 *linuxmint-19.1-mate-64bit.iso
039d619935c2993e589705e49068a6fa4dc4f9a5eb82470bc7998c9626259416 *linuxmint-19.1-xfce-32bit.iso
7b53b29a34cfef4ddfe24dac27ee321c289dc2ed8b0c1361666bbee0f6ffa9f4 *linuxmint-19.1-xfce-64bit.iso

Code: Select all

$ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Mon 17 Dec 2018 08:58:03 PM CET
gpg:                using RSA key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [full]

[deck_luck]

Concerning the "Authenticity Check" I am curious why are you using the hkp verses the hkps protocol. The khps over https should obviate the man in the middle attack unless someone uses a proxy. Isn't the authenticity check a way to detect a man in the middle hijacking.

Reference:

hkp://keyserver.ubuntu.com:80
vs.
hkps://keyserver.ubuntu.com:443

[LCintheSky]

Thank you!

[gm10]

Concerning the "Authenticity Check" I am curious why are you using the hkp verses the hkps protocol. The khps over https should obviate the man in the middle attack unless someone uses a proxy. Isn't the authenticity check a way to detect a man in the middle hijacking.

Actually it was saying hkps for the reason you mentioned, I had only edited it back to hkp earlier thinking that might have been LCintheSky's issue (there had been somebody else in the thread having trouble with the hkps version for some reason). I put it back to hkps now. Wish I knew why some are having trouble with the key download... I could explain how to download the ascii armored version via the web interface and add that but I fear that would complicate things too much...

For the Linux instructions it is not saying hkps because there are some Linux distributions out there apparently which compile GnuPG without SSL/TLS support (don't ask me...).

[polarvortex]

Maybe this will help shed light on why some are having trouble with the key download?

Code: Select all

C:\Users\username\Downloads\iso>gpg --keyserver hkps://keyserver.ubuntu.
com:443 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: requesting key A25BAE09 from hkps server keyserver.ubuntu.com
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: keyserver communications error: keyserver helper internal error
gpg: keyserver communications error: General error
gpg: keyserver receive failed: General error

C:\Users\username\Downloads\iso>gpg --keyserver keyserver.ubuntu.com --r
ecv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: requesting key A25BAE09 from hkp server keyserver.ubuntu.com
gpg: key A25BAE09: "Linux Mint ISO Signing Key <root@linuxmint.com>" 20 new sign
atures
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 1f, 0u
gpg: Total number processed: 1
gpg:         new signatures: 20

C:\Users\username\Downloads\iso>

The first command is from the tutorial and the second command is from a few posts up.

The output of the second command looks almost completely different than in the tutorial. Was it a success?

[gm10]

The output of the second command looks almost completely different than in the tutorial. Was it a success?

Yes, you're good.

Also thanks for the info. I'll just add all 3 variants to the OP, this is getting silly. I'm thinking that Ubuntu may have some servers in the pool that have ports 80 and 443 disabled. The variant you successfully used uses port 11371 - which unfortunately is blocked in many networks, that's why I do not list it as the default.

[polarvortex]

Yes, you're good.

Thanks

And thanks for the great tutorial.

I got stuck on step 1 of the Authenticity Check part of the tutorial because my output was too different than that seen in the tutorial.

To address that for future readers of the tutorial, I suggest that you add something like this to the end of step 1 of the authenticity check:

The command was successful if the output includes:
"Linux Mint ISO Signing Key <root@linuxmint.com>"
and
Total number processed: 1

(That is, if that is a true statement? I think it is?)

[gm10]

To address that for future readers of the tutorial, I suggest that you add something like this to the end of step 1 of the authenticity check:

The command was successful if the output includes:
"Linux Mint ISO Signing Key <root@linuxmint.com>"
and
Total number processed: 1

But that's what the screenshot in that section already shows?

[polarvortex]

But that's what the screenshot in that section already shows?

It also shows keybox created, trustdb created, and it says Mint key imported. But my output didn't show any of those things. For all I knew, those might be important things that my command failed to do.

Also my output says 20 new signatures, but the tutorial screenshot doesn't. Makes me think "what is this 20 signatures? I thought I only needed 1, maybe this thing messed up and didn't work properly?"

Also my output says 3 marginals needed, 1 completes needed. Needed? Does that mean it didn't get them? (Considering I have almost no clue what this stuff means ) And it has these lines about depth, valid, signed, trust, with weird 0f, 0q things. Maybe it got off the rails and didn't work properly? Because the screenshot in the tutorial shows nothing like that...

[gm10]

But that's what the screenshot in that section already shows?

It also shows keybox created, trustdb created, and it says Mint key imported. But my output didn't show any of those things. For all I knew, those might be important things that my command failed to do.

Ah, it would only show those the first time you run gpg. If you didn't get that then you already had gpg installed and run before. That also explains the other discrepancies. My screenshot is based on a clean, first time install of gpg.

But I get your point. It already says "something like this" but I'll make that even clearer.

[polarvortex]

Ah. I assumed the discrepancies were from using different versions of windows, or perhaps the slightly different gpg --keyserver commands.

In which case I figured that a big chunk of users would have different outputs and benefit from my slightly clearer instructions suggestion.

But if it's just because I ran gpg before, and I'm sure you are right about that, then I'm guessing that 99% of the people who would be using this tutorial would get the exact same output as shown.
I think I still made a valid point, just an insignificant one.

I've never installed the specific gpg install from this tutorial so I didn't make the connection, but now that I think of it, I did install gpg as part of gpg4win when I wrote a gui version of this same tutorial topic a couple years ago. Back then I wrote "There's got to be a simpler, better way to do this complete process (and there might be and I look forward to learning it if there is)". I'm so glad you wrote this tutorial, because the gui process was so long, and actually a bit problematic.
And this new tutorial is linked on the website verify page! Such a leap forward from the last time I was trying to do this, and ended up cobbling together the tutorial myself because it didn't exist back then

[gm10]

I'm so glad you wrote this tutorial, because the gui process was so long, and actually a bit problematic.

Yep, I originally wanted to go with the GUI because, well, command line is scary for Windows users, but going with the command line ended up being so much shorter and reliable so I went with that. Although the GUI has the advantage of just having to click on the file I guess.

And this new tutorial is linked on the website verify page! Such a leap forward from the last time I was trying to do this, and ended up cobbling together the tutorial myself because it didn't exist back then

Well, I was part of the Mint dev team at the time I created this as well as some other changes to the verify page, so I had an "unfair" advantage over you there.

[Magnesium]

When I try to do the integrity check steps I get this:

Code: Select all

C:\>CertUtil -hashfile linuxmint-19.1-cinnamon-64bit - Copy.iso SHA256
Expected no more than 2 args, received 4
CertUtil: Too many arguments

Usage:
  CertUtil [Options] -hashfile InFile [HashAlgorithm]
  Generate and display cryptographic hash over a file

Options:
  -Unicode          -- Write redirected output in Unicode
  -gmt              -- Display times as GMT
  -seconds          -- Display times with seconds and milliseconds
  -v                -- Verbose operation
  -privatekey       -- Display password and private key data
  -pin PIN                  -- Smart Card PIN
  -sid WELL_KNOWN_SID_TYPE  -- Numeric SID
            22 -- Local System
            23 -- Local Service
            24 -- Network Service

Hash algorithms: MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512

CertUtil -?              -- Display a verb list (command list)
CertUtil -hashfile -?    -- Display help text for the "hashfile" verb
CertUtil -v -?           -- Display all help text for all verbs

Anyone know what i'm doing wrong?

[karlchen]

Simple rule, can be applied on Windows as well as on Linux:
On the commandline file names / directory names, which include space characters, have to enclosed in double quotes.
Try the commandline like this:
CertUtil -hashfile "linuxmint-19.1-cinnamon-64bit - Copy.iso" SHA256

[astroannie]

I'm getting this message:

Code: Select all

gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

I'm expecting this is not a pass. After several BAD ISO's I'm trying for a good.