(SOLVED) gpg/gpg2 saying "BAD SIGNATURE"...anyone??

Questions about Grub, UEFI,the liveCD and the installer
Forum rules
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
Locked
belham

(SOLVED) gpg/gpg2 saying "BAD SIGNATURE"...anyone??

Post by belham »

I waited to download official Sarah 64-bit, got it now, but can anyone please help regarding this --verify sha256sum issue?

1. Went to official "https://linuxmint.com/verify.php" page.

2. Downloaded Linux Mint Sarah 64-bit from the "Primary download mirror: https://ftp.heanet.ie/mirrors/linuxmint.com/

3. The ISO fully downloaded

4. I also downloaded the sha256sum.txt.gpg and sha256sum.txt.

5. All three files are placed in my home Download folder.

6. I open a terminal, cd (change directory) to my Download folder.

7. I then run the exact gpg commands as stated on the aforementioned "https://linuxmint.com/verify.php" page.

8. Here is the pic of my Download folder and the terminal commands. What am I doing wrong that shows the Linux Mint Sarah 64-bit sha256sum.txt as having a BAD SIGNATURE (please look at the terminal pic)? I cannot trust the sha256sum to check the ISO if I cannot get a "GOOD SIGNATURE" back from gpg/gpg2 --verify command. I've tried this on three different Linux distros now (Ubuntu 16.04, Debian, and Arch--each 64-bit too), all have gpg/gpg2 installed, and each show the same thing when trying to do this:

Image


Thank you for any help and/or clarification.


P.S. For those that can't see the pic for some reason, here is the key entries from terminal:

luc@luc-oki:~$ gpg2 --fingerprint A25BAE09
pub rsa4096/A25BAE09 2016-06-07 [SC]
Key fingerprint = 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09
uid [ unknown] Linux Mint ISO Signing Key <root@linuxmint.com>

luc@luc-oki:~$ cd /home/luc/Downloads/
luc@luc-oki:~/Downloads$ gpg2 --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Thu 30 Jun 2016 12:13:33 BST using RSA key ID A25BAE09
gpg: BAD signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]
luc@luc-oki:~/Downloads$



***********************************************************************************************************************************************************
EDIT: Please excuse my ignorance....just remembered that you cannot just "save" the sha256sum.text.gpg and sha256sum.txt files with a text editor (Gedit, in my case) and expect gpg/gpg2 to verify files that I MYSELF created. :oops: Urgh.........hit me with a brick when I forget at times and do this. I've got to download those two files directly, correct? But my question is, when I click on them to download, the browsers I use (Firefox and Chrome) both open them up in the browser and don't let me download them. Is there a tip/trick to getting a .gpg and .txt file saved from these two browsers? Or maybe a "wget" address I can use to download them using the terminal? I just tried Palemoon too, and it also opens up both sha256sum.txt.gpg and sha256sum.txt inside the browser and does not offer them as downloads.

EDIT2: Ok, I solved this myself thanks to Google (and other people hitting this exact same problem with---you guessed it---Linux Mint & verifying their downkloads). You need to use "wget" from the terminal, and download both the sha256sum.txt.gpg and the sha256sum.txt files. WGET from the terminal will throw these files into your HOME directory. Use any mirror download site address for WGET. Then, just move these two files over into your download folder (beside your ISO), and then go into terminal, cd to Downloads, and follow the above commands Linux Mint lays out on its page.

LINUX TEAM---you've could've spent more than a few seconds making this clear on your "How to Verify...." webpage, to help people who at least try to "verify" the sha256sum to know their downloaded ISO is legit. Once again you fall into that trap that every person coming to Linux right off the bat absolutely knows their way around a terminal.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Twod

Re: (SOLVED) gpg/gpg2 saying "BAD SIGNATURE"...anyone??

Post by Twod »

Thank you, this was helpful.
User avatar
RealDogBoy
Level 1
Level 1
Posts: 31
Joined: Tue Jun 24, 2014 3:17 am

Re: (SOLVED) gpg/gpg2 saying "BAD SIGNATURE"...anyone??

Post by RealDogBoy »

Thanks belham, I had the same problem and your explanation (particularly Edit2) helped me troubleshoot this.

I agree that https://linuxmint.com/verify.php should include this tip
ganeshthevar

Re: (SOLVED) gpg/gpg2 saying "BAD SIGNATURE"...anyone??

Post by ganeshthevar »

Thanks. it worked
nuxli

Re: (SOLVED) gpg/gpg2 saying "BAD SIGNATURE"...anyone??

Post by nuxli »

thanks, just pointed out the obvious frustration ive just had with whom ever posted the instructions as well
rene
Level 20
Level 20
Posts: 12240
Joined: Sun Mar 27, 2016 6:58 pm

Re: (SOLVED) gpg/gpg2 saying "BAD SIGNATURE"...anyone??

Post by rene »

There is no need for wget or anything of the sort. The webpage says to download the files, not open them in the browser. I.e., right-click the link and choose "Save Link As..." as is the formulation in Firefox.

You guys are not the only or first, but frankly, knowing how to download something from the web is so utterly basic a computer skill, one moreover equal on any platform, that I'd feel it warranted to assume that much of potential users of even Linux Mint.
Locked

Return to “Installation & Boot”