How to verify the ISO image on Windows

[MintUser19]

First, thank you for creating this thread. I went through the procedure and was successful (win7 & Firefox), but I do have a question about the source of 'sha256sum.txt' & 'sha256sum.txt.gpg ' files.

Is the following correct?

Download the ISO from https://www.linuxmint.com/edition.php?id=274
Then from; https://www.linuxmint.com/mirrors.php to get the 'sha256sum.txt' & 'sha256sum.txt.gpg' files?

I would think that I should get the 'sha256sum.txt' & 'sha256sum.txt.gpg ' files from the same link as I got the ISO. While downloading the ISO, I could not find a way to look for any other files or folders (just a clickable link).

Is this procedure to check the 'sha256sum.txt' & 'sha256sum.txt.gpg' files I got at the mirror against the ones that came in the ISO?

Thanks

[gm10]

I would think that I should get the 'sha256sum.txt' & 'sha256sum.txt.gpg ' files from the same link as I got the ISO.

While you could, the recommended way is just to go to https://linuxmint.com/verify.php for the release you are downloading and then they are linked right there. But at the end of the day it does not matter where they come from - if either of them have been modified then either authentication will either fail or use the wrong key. That's why we do that step.

[jonpoljones]

It doesn't work either, I get a different message though, "host unknown"

Here is what message i get for both intents. I am not very sure the way to proceed for the last resort option.

Thanks again



Here's another alternative I can offer:

Code: Select all

gpg --keyserver pool.sks-keyservers.net --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09

If that does not work, either, then as a last resort you can try retrieving it in a browser: https://keyserver.ubuntu.com/pks/lookup ... =on&op=get, storing it to a file (e.g. ~/key.asc) and then importing it with gpg (gpg --import ~/key.asc).
[/quote]

Le chemin d'accès spécifié est introuvable.

C:\Mes documents\Downloads>gpg --keyserver keyserver.ubuntu.com --recv-key 27DEB
15644C6B3CF3BD7D291300F846BA25BAE09
gpg: échec de réception depuis le serveur de clefs : Aucun serveur de clefs disp
onible

C:\Mes documents\Downloads>gpg --keyserver pool.sks-keyservers.net --recv-key 27
DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: échec de réception depuis le serveur de clefs : Hôte inconnu

C:\Mes documents\Downloads>gpg --keyserver pool.sks-keyservers.net --recv-key 27
DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: échec de réception depuis le serveur de clefs : Aucun serveur de clefs disp
onible

C:\Mes documents\Downloads>gpg --import C:\mes documents\downloads\iso 32bit\key
.asc
gpg: impossible d'ouvrir « C:\mes » : No such file or directory
gpg: impossible d'ouvrir « documents\downloads\iso » : No such file or directory

gpg: impossible d'ouvrir « 32bit\key.asc » : No such file or directory
gpg: Quantité totale traitée : 0

[gm10]

C:\Mes documents\Downloads>gpg --import C:\mes documents\downloads\iso 32bit\key
.asc
gpg: impossible d'ouvrir « C:\mes » : No such file or directory

Put the path in quotes to handle the spaces in it:

Code: Select all

gpg --import "C:\mes documents\downloads\iso 32bit\key.asc"

[jonpoljones]

Hey Gm10. Thanks, the import worked, it is more or less the exact messages you have on your screen shot, but then the next command "verify" semms not to work. I am so sorry to be such a noob.

Here's the message

gpg --verify sha256sum.txt.gpg sha256sum.txt

C:\Mes documents\Downloads>gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: impossible d'ouvrir « sha256sum.txt.gpg » : No such file or directory
gpg: verify signatures failed: No such file or directory

It is the exact names of my files and in the right directory, I tried with quotes as well for each filename. No success
Thanks.

[gm10]

I am so sorry to be such a noob.

Don't you worry, this is unfortunately unnecessarily complicated. Think of it as an entrance exam. Using Linux itself will be much easier.

It is the exact names of my files and in the right directory, I tried with quotes as well for each filename. No success

In this case I have to doubt that those files exist with the correct names and/or are in that directory. Remember that you did not download the key to that directory, either, that's why you had the previous issue. The key is in the subdirectory iso 32bit in your downloads directory, so I'd say there's a very good chance that you placed all your other files in that same directory as well. Either shift-right-click that directory in Explorer to open a command window there as explained in the guide, or with your existing command window the command cd "iso 32bit" will get you there, too.

[jonpoljones]

Thanks, seems that the whole problem since the beginning was that to open a command windows by right-clicking on the ISO 32 bit folder, it left my command in the precedent folder (downloads). I had to create a empty folder inside ISO32bit to be able to use right-click command prompte here. Basically i am good to do my USB bootable linux mint now. thanks

[gm10]

Thanks, seems that the whole problem since the beginning was that to open a command windows by right-clicking on the ISO 32 bit folder, it left my command in the precedent folder (downloads). I had to create a empty folder inside ISO32bit to be able to use right-click command prompte here. Basically i am good to do my USB bootable linux mint now. thanks

Oh weird, but glad you figured it out.

[MintUser19]

I would think that I should get the 'sha256sum.txt' & 'sha256sum.txt.gpg ' files from the same link as I got the ISO.

While you could, the recommended way is just to go to https://linuxmint.com/verify.php for the release you are downloading and then they are linked right there. But at the end of the day it does not matter where they come from - if either of them have been modified then either authentication will either fail or use the wrong key. That's why we do that step.

Thank for your reply. Where I got the original ISO from (a mirror listed here: https://www.linuxmint.com/edition.php?id=274), is this not the same place where I got the hash sum a few days later(which was here: https://www.linuxmint.com/mirrors.php)? If they come from the same place, wouldn't they be the same?

Thanks

[gm10]

If they come from the same place, wouldn't they be the same?

Well, they should be the same everywhere, but we do that entire step just to make sure that that's true, that the files have not been tampered with. So again, it does not matter where you get the files from as long as they do properly authenticate (with the correct fingerprint).

[Nellycita]

Dear All,
thanks a lot for all the help! I'm a Windows 7 user
I would really like to become a linux user, I've been reading a lot about it, since years! but didn't have the guts to try it.
I downloaded the ISO file linuxmint-19.3-cinnamon-64bit. I managed to verify the integrity of the ISO but I'm having troubles to verify the authenticity. I used all these commands with and without (") no luck and always the same answer "gpg: keyserver receive failed: server indicated a failure"
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"

gpg --keyserver keyserver.ubuntu.com --recv-key "27DEB15644C6B3CF3BD7D291300F846BA25BAE09"
gpg --keyserver keyserver.ubuntu.com --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09

gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key "27DEB15644C6B3CF3BD7D291300F846BA25BAE09"

Always the same "gpg: keyserver receive failed: server indicated a failure", Is windows 7 the problem? can anybody help?

thanks a lot!

[gm10]

Always the same "gpg: keyserver receive failed: server indicated a failure", Is windows 7 the problem? can anybody help?

If you're not blocking the connection with a personal firewall/anti-virus or something like that, then no, the problem is probably with gpg, and you are not alone with it, that's why I have so many variants of the command in the guide.

The best I can offer you at this point is the hash for linuxmint-19.3-cinnamon-64bit.iso, which I authenticated on my system:

Code: Select all

7a9e54212433c8547edfd789ac933c91a9bde1a61196fa7977c5357a2c40292d

You can compare that manually with the one you have in your sha256sum.txt file, and if it matches then you're good.

Welcome to Linux - using it will be easier than this.

[Critt+66]

I have this utility installed on my Windows system: MD5_and_SHA_Checksum_Utility.exe. You can search for it on the internet and it is very easy to use and it brought up the correct sha256sum. No need to go through all the other hoops to verify the iso.

[SilenceIsG0lden]

Thank you so much for this tutorial @gm10!

I ran into the same problem as several others here (I downloaded all the files correctly, put them all in a folder, installed the GNU Privacy guard) that the verification process worked fine, but the authentication process didn't go anywhere. My system / cmd just returned repeatedly the error that 'gpg' is not recognized as an internal or external command.

I was about to pull out my hair, or worse: give up on giving Linux a try (again, just like 15 years ago), when I read somewhere that a reboot might solve my problem. And it did! Yipiieh! So, PLEASE add this info that when the above error message appears, simply reboot your windows machine.

Thanks again!!

[tnerd]

Hi, Maxmagicbanana.

Code: Select all

PS C:\Users\maxmagicbanana\Desktop\Linux> gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: impossible d'ouvrir « sha256sum.txt.gpg » : No such file or directory
gpg: verify signatures failed: No such file or directory

You have verified that both files, sha256sum.txt.gpg and sha256sum.txt, are located in the same folder, in folder C:\Users\maxmagicbanana\Desktop\Linux?

Regards,
Karl

So, I'm still having issues at this point. I have the ISO, and the 2 files in my folder with the crrect names, and I'm getting the error message that this user referred to. Could anyone offer me any advice?
Thanks
Travis

[tnerd]

So, update to my sitation I have gotten the last command gpg --verify sha256sum.txt.gpg sha256sum.txt to run through my powershell, however, I now keep getting a bad signature error. I have tried installing from 3 different mirrors and all the same results. I know the problem is me... can anyone offer help?
Thanks!

[JoeFootball]

... to run through my powershell ...

While you've confirmed all the files are in the same directory, is your Powershell session occurring within that same directory as well?

[tnerd]

Thank you for your reply. My power shell is located at correct point. I used the shift-right click method, at a folder I named linux download, on my desktop. The path on my power shell is C:/Users/travi/OneDrive/Desktop/linux downlad>

Also, the first two commands produce the desired result.

CertUtil -hashfile filename.iso SHA256

gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09

Both of these commands produce the desired result. I have tried 3 different mirrors. I'm going to try try download 19.2 and see if I run into the same issue. Below is the read out from my powershell. Thanks for the help!

Code: Select all

PS C:\Users\travi\OneDrive\Desktop\linux download> CertUtil -hashfile .\linuxmint-19.3-cinnamon-64bit.iso SHA256
SHA256 hash of .\linuxmint-19.3-cinnamon-64bit.iso:
7a9e54212433c8547edfd789ac933c91a9bde1a61196fa7977c5357a2c40292d
CertUtil: -hashfile command completed successfully.

PS C:\Users\travi\OneDrive\Desktop\linux download> gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: key 300F846BA25BAE09: "Linux Mint ISO Signing Key <root@linuxmint.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

PS C:\Users\travi\OneDrive\Desktop\linux download> gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made 12/16/19 10:10:16 Eastern Standard Time
gpg:                using RSA key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: BAD signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"

[JoeFootball]

... and I'm getting the error message that this user referred to.

You're getting a very different error. The other error was verify signatures failed: No such file or directory, which meant that gpg couldn't find the files. You're not having that particular problem, which is what lead me astray.

BAD signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"

gpg is finding the files in your case, but cannot authenticate them. I unfortunately do not have Windows nor Powershell, so I can't replicate your environment, but I can't replicate your result in Linux (it works for me). That said, I don't think that Windows/Powershell is the issue.

I have tried installing from 3 different mirrors and all the same results.

To be clear, have you been getting new gpg files from multiple mirrors as well? These are the two files/location that I just used with success...

https://mirrors.evowise.com/linuxmint/stable/19.3/sha256sum.txt

https://mirrors.evowise.com/linuxmint/stable/19.3/sha256sum.txt.gpg

Since you appear to be importing the signing key correctly, I think it's something wrong with the gpg files.

[tnerd]

Thank you for your reply! I have been busy for a few days and haven't had a chance to come back. I read online that if I download through a torrent I don't need to verify the ISO because Torrent does that automatically? I'll try that.

Also- I have been getting the gpg files from the link on this site. https://linuxmint.com/verify.php
From what I can tell there isn't a different gpg file from each mirror?