How to verify the ISO image on macOS

Write tutorials here
There are more tutorials here http://community.linuxmint.com/tutorial/welcome
Forum rules
Please don't add support questions to tutorials,start your own thread in the appropriate sub-forum instead. Before you post please read this
Post Reply
snozboz
Level 1
Level 1
Posts: 1
Joined: Sun Oct 13, 2019 6:51 pm

How to verify the ISO image on macOS

Post by snozboz » Sun Oct 13, 2019 7:32 pm

If you're at this stage of the Linux Mint Installation Guide, and like me, you use macOS not Windows, hopefully this will help. When you get down to the "Integrity Check" - "Hint" section, there is currently no tutorial linked for macOS (only one for Windows). This is also reflected in the procedure at https://linuxmint.com/verify.php which is currently more up-to-date but less detailed than the Linux Mint Installation Guide.

This assumes you have downloaded one or more of the ISO images (and haven't changed their file names), and put them in to the same folder as each other (e.g. ~/Downloads/ISO )
Also that you have downloaded the sha256sum.txt file and the sha256sum.txt.gpg file (from https://linuxmint.com/verify.php) for the same version number of Linux Mint as the ISO image(s) you have downloaded - and put these files in to the same folder as the ISO images.

Integrity check
  1. Open the Terminal app (~/Applications/Utilities/Terminal.app)
  2. Change directory to the folder in to which you downloaded the ISO images and sha256sum.txt and sha256sum.txt.gpg files
    cd ~/Downloads/ISO (and press Return/Enter)
  3. Type the shasum command with the appropriate flags, followed by the absolute path to the sha256sum.txt file (which you don't have to manually type - just drag and drop the file from a Finder window in to the Terminal window at the cursor)

    Code: Select all

    shasum -a 256 -c ~/Downloads/ISO/sha256sum.txt
  4. Press Return/Enter.
Wait. It will seem like nothing is happening for several minutes - you don't get a progress bar or anything.

The sha256sum.txt file contains the hashes for several different ISO images - the 32-bit and 64-bit versions of each of the flavours of Linux Mint (Cinnamon, Mate, and Xfce). So the shasum command goes through checking each. It will therefore give an error if it can't find one of the ISO images. If it finds the ISO image it is looking for, it will just say "OK" if the hash and the file matches.

For example:

Code: Select all

shasum: linuxmint-xx.x-cinnamon-32bit.iso: 
linuxmint-xx.x-cinnamon-32bit.iso: FAILED open or read
linuxmint-xx.x-cinnamon-64bit.iso: OK
shasum: linuxmint-xx.x-mate-32bit.iso: No such file or directory
linuxmint-xx.x-mate-32bit.iso: FAILED open or read
shasum: linuxmint-xx.x-mate-64bit.iso: No such file or directory
linuxmint-xx.x-mate-64bit.iso: FAILED open or read
shasum: linuxmint-xx.x-xfce-32bit.iso: No such file or directory
linuxmint-xx.x-xfce-32bit.iso: FAILED open or read
linuxmint-xx.x-xfce-64bit.iso: OK
shasum: WARNING: 4 listed files could not be read
In the above example, I had only downloaded the Cinnamon 64-bit ISO and the XFCE 64-bit ISO, so as the results show "OK" for those two, the check was a success.
(The xx.x is where the version number was.)

Authenticity Check
  • You will need to download and install "GnuPG for OS X" from https://www.gnupg.org/download/index.html
    (It is probably a good idea to perform an Integrity Check (by adapting the above instructions) on this download, before installing it.)
Replace the gpg command with gpg2 in the "Authenticity Check" instructions listed on either the Linux Mint Installation Guide or at https://linuxmint.com/verify.php
Alternatively, follow these steps:
  1. In the Terminal app (~/Applications/Utilities/Terminal.app) - re-open it if you have already closed it.
  2. Import the Linux Mint signing key with this gpg2 command:

    Code: Select all

    gpg2 --keyserver hkps://keyserver.ubuntu.com:443 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
    (Press Return/Enter after the command.)
    This should show results similar to the following (if you've never done something like this before):

    Code: Select all

    gpg: directory '/Users/<user>/.gnupg' created
    gpg: keybox '/Users/<user>/.gnupg/pubring.kbx' created
    gpg: /Users/<user>/.gnupg/trustdb.gpg: trustdb created
    gpg: key <16-character-capital-letters-and-digits>: public key "Linux Mint ISO Signing Key <root@linuxmint.com>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
  3. If the Terminal doesn't already show that you are in that folder from the previous procedure, change directory to the folder in to which you downloaded the ISO images and sha256sum.txt and sha256sum.txt.gpg files
    cd ~/Downloads/ISO (and press Return/Enter)
  4. Verify the authenticity of your downloaded sha256sum.txt file with this gpg2 command:

    Code: Select all

    gpg2 --verify sha256sum.txt.gpg sha256sum.txt
    (Press Return/Enter after the command.)
This should show results similar to the following (if you've never done something like this before):

Code: Select all

gpg: Signature made <date and time>
gpg:                using RSA key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09
The crucial part is that it says "Good signature", which means it passes the check: don't worry about the other warning.

Post Reply

Return to “Tutorials”