How to verify the ISO image on Windows

[JoeFootball]

I read online that if I download through a torrent I don't need to verify the ISO because Torrent does that automatically?

You're correct that you don't need to verify the integrity of the download as the torrent does that natively. That said, it speaks nothing to the authentication. But that's your call.

Also- I have been getting the gpg files from the link on this site. https://linuxmint.com/verify.php

Yes, that's where I got them as well, yet I'm unable to replicate the behavior that you're encountering.

From what I can tell there isn't a different gpg file from each mirror?

That's certainly the intent. And also why authentication is leveraged for confirmation.

[newling]

With all due respect to the herculean tutorial effort exerted by gm10 and contributions by others - the intractable complexity of this procedure leaves one contemplating perhaps to just risk the consequences of an unauthenticated/unintegritated install.

[JoeFootball]

... the intractable complexity ...

Speaking for myself, I don't see it that way. That said, I do concede that I don't use Windows.

... just risk the consequences of an unauthenticated/unintegritated install.

I'm quite sure that many do just that, be them Windows users or not. I'm not condoning it, but it's certainly an option. I suppose it's a personal preference on how much risk one is looking to accept.

[airfidget]

I'm getting CertUtil: Too many arguments error on the command prompt. Can someone help?

[JoeFootball]

Can someone help?

I'll bet it's the space in the file name that CertUtil doesn't like. Not sure why that's in there.

Regardless, try using quotes around the file name, or even better, rename the file so that it doesn't have spaces.

[LD Wyze]

Hi, scrivdog.

Note:

Windows CertUtil will display the sha256 checksum with space characters to make reading easier, like you had posted:
1c 4f 48 60 44 36 85 cd 29 f1 28 f5 6f 69 0f db 32 cc b5 79

The sha256sum.txt file, however, holds the checksum without the space characters. i.e. the checksum above would look like this:
1c4f4860443685cd29f128f56f690fdb32ccb579

Question:

Which Linux Mint installation ISO image file precisely did you download?
There is no Linux Mint Matte 64-bit.
There is, however, Linux Mint 19.2 64-bit.
The corresponding download file would be named linuxmint-19.2-mate-64bit.iso
Its checksum would be: 2c1d7912a8e57ccee222487687bab27164c76bd2598395507e461e8d23d381f8 *linuxmint-19.2-xfce-64bit.iso

Regards,
Karl

These details about the space characters might be very helpful if included in the original post.

[dixitnilesh]

I'm getting this , what shoulld i do ?


D:\iso>gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: key 300F846BA25BAE09: "Linux Mint ISO Signing Key <root@linuxmint.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

D:\iso>gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made 12/18/18 01:28:03 India Standard Time
gpg: using RSA key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: BAD signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]

[deskelet]

Hello guys..

When I did verification on CMD, code is different, I used windows CMD and I ran these commands CertUtil -hashfile linuxmint-20-cinnamon-64bit.iso look:

SHA1 hash de linuxmint-20-cinnamon-64bit.iso:
------- edited, I remove SHA1 code posted here thanks for help MrEen

And here, is different: https://mirrors.evowise.com/linuxmint/s ... 256sum.txt

I downloded with torrent and after using global link, it's the same sha code... It's hacked?

[MrEen]

Hi deskelet, and welcome to the forum.

I'm not at all skilled at this stuff, but I can see you ran a SHA1 check, instead of the SHA256 check.

[deskelet]

Hi deskelet, and welcome to the forum.

I'm not at all skilled at this stuff, but I can see you ran a SHA1 check, instead of the SHA256 check.

Thanks bro!
Maybe I forgot to write SHA256 in final command, then because I pressed TAB, used to linux, in CMD he cut this last parameter. So, now I ran correctly, OMG, thank you so much !!!!!!!!

Go go Linux Mint

CertUtil -hashfile linuxmint-20-cinnamon-64bit.iso SHA256
SHA256 hash de linuxmint-20-cinnamon-64bit.iso:
2f6ae466ec9b7c6255e997b82f162ae88bfe640a8df16d3e2f495b6281120af9

[MrEen]

I'm glad it was such an easy thing to change. I hadn't even thought about autocomplete.

[JoeFootball]

gpg: BAD signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]

Try downloading the two SHA files again. Make sure they're both for the same version of LM that you're trying to authenticate. Make sure they're in the same directory that your executing the command from.

[hoff Jack M]

I too am getting a bad signature error:

Code: Select all

Linux Installs\Cinnamon 19.2\ISO>gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made 07/29/19 11:43:47 Central Daylight Time
gpg:                using RSA key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: BAD signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]

I have downloaded from several torrents and tried both 19.2 and 19.3 to see if it was an issue with a particular version. I have also downloaded fresh copies of the sha256sum.txt and sha256sum.txt.gpg, to no avail. Both versions continue to return a bad signature error.

[JoeFootball]

I have downloaded from several torrents ...

I would only use the official LM torrent, but I suppose that's a moot point if you can verify and authenticate the download.

I have also downloaded fresh copies of the sha256sum.txt and sha256sum.txt.gpg, to no avail. Both versions continue to return a bad signature error.

I can't duplicate this behavior. Where are you downloading them from? I just did so from ...

https://ftp.heanet.ie/pub/linuxmint.com/stable/19.3/

... with success ...

Code: Select all

$ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Mon 16 Dec 2019 09:10:16 AM CST
gpg:                using RSA key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09

Edit: Are you using Windows antivirus software? I've heard that some will "bit tag" files when scanned, which can change their checksum. I don't have a lot of experience in that area, nor do I know if it would affect this issue, but it's something that just came to mind.

[ayush222006]

karlchen thx but this is a guide for Windows so the Linux command really doesn't matter in this context.

This is a really dumb question, but how do you use the find command? I typed: find "copied and pasted hash here" sha256sum.txt and got FIND: Parameter format not correct.

Not a dumb question at all but a shortcoming of my guide actually. Thanks for bringing this to my attention.

I had originally not written it with PowerShell in mind, was reminded of it later in this thread but didn't consider the implications for the find command. In PowerShell you'd need to use triple quotes """hash""". I'll adjust the guide to make everybody use cmd.exe, it's simpler.

Your Ctrl+F manual check is completely sufficient though so you do not need to do it again, using find was meant to simplify things, not complicate them as happened here.

hey it's asking for the donation for downloading the software

[JoeFootball]

hey it's asking for the donation for downloading the software

Who is asking for a donation to download what software?

[ayush222006]

hey it's asking for the donation for downloading the software

Who is asking for a donation to download what software?

the gnupg software
the website/app holders are asking for donation to download the software

https://gpg4win.org/get-gpg4win.html

[JoeFootball]

the gnupg software
the website/app holders are asking for donation to download the software

Yes, you're correct. If you use that particular link, they are indeed requesting a donation. It also appears there's a $0 option there as well, but I did not investigate it.

That said, if you use the download link that the tutorial directs you to, you can download that software without a donation request.

Edit: Per the tutorial, use the download link that the red arrow is pointing to ...

[karlchen]

<mod> danscozia's Italian help request on the (English) tutorial moved to Italian Language sub-forum: > here < </mod>

[ayush222006]

the gnupg software
the website/app holders are asking for donation to download the software

Yes, you're correct. If you use that particular link, they are indeed requesting a donation. It also appears there's a $0 option there as well, but I did not investigate it.

That said, if you use the download link that the tutorial directs you to, you can download that software without a donation request.

Edit: Per the tutorial, use the download link that the red arrow is pointing to ...


rkYNlLI.png

hey
thanks buddy
you are best you help me every time
again you saved my time and effort