18.3 Verification gpg of sha256sum.txt file.

Questions about Grub, UEFI,the liveCD and the installer
Forum rules
Before you post please read how to get help
Unclefred
Level 1
Level 1
Posts: 16
Joined: Mon Feb 03, 2014 10:28 am

18.3 Verification gpg of sha256sum.txt file.

Postby Unclefred » Mon Dec 11, 2017 7:14 pm

The 18.3 Cinnamon ISO checks out but the gpg key test says;

gpg: Signature made Fri 24 Nov 2017 04:08:32 PM AST using RSA key ID A25BAE09
gpg: BAD signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"

Now I read that it might be "untrusted" and I was prepared for that, but the BAD signature warning has me worried.
The Key ID is OK, but with a BAD signature. I'm suspicious of it and how might I proceed?`

Laurent85
Level 14
Level 14
Posts: 5014
Joined: Tue May 26, 2015 10:11 am

Re: 18.3 Verification gpg of sha256sum.txt file.

Postby Laurent85 » Mon Dec 11, 2017 7:25 pm

Feel safe, see Linux Mint Installation Guide :

Note

GPG might warn you that the Linux Mint signature is not trusted by your computer. This is expected and perfectly normal.
Image

Unclefred
Level 1
Level 1
Posts: 16
Joined: Mon Feb 03, 2014 10:28 am

Re: 18.3 Verification gpg of sha256sum.txt file.

Postby Unclefred » Mon Dec 11, 2017 7:34 pm

Thank-you, I covered that in my first post, and I expected it to tell me that it was "not trusted." What I got instead was; "BAD signature." That's different than "not trusted" isn't it? If these are synonymous then great! I'll go ahead & install. I'd just like to hear it from an authority.

User avatar
Fred Barclay
Level 12
Level 12
Posts: 4010
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: 18.3 Verification gpg of sha256sum.txt file.

Postby Fred Barclay » Mon Dec 11, 2017 7:35 pm

Hi - actually, a bad signature is, well, bad. :) It's not the same as an untrusted message:
"BAD" means that something went wrong with your download, either of the Mint iso, the sha256sum.txt file, or the sha256sum.txt.gpg file - most likely the Mint iso. When you see this, it means that the iso image is not identical to the one the Mint developers provide.
"Untrusted" means that the signature is good (and so the Mint iso image is good), but you haven't marked the gpg key provided by the Mint developers as "trusted." This is completely normal.

I have a little web page that goes over bad or untrusted signatures, in part. It goes into a bit more detail than the current Mint instructions do.
https://fred-barclay.github.io/VerifyLinuxMint/
Image
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

rene
Level 6
Level 6
Posts: 1442
Joined: Sun Mar 27, 2016 6:58 pm

Re: 18.3 Verification gpg of sha256sum.txt file.

Postby rene » Mon Dec 11, 2017 7:43 pm

... and in that sense: that "Linux Mint installation guide" that Laurent linked to is being extremely unhelpful in not spelling out the "good warning" and/or "bad signature" messages in full. If that document is in any way official, that should be fixed.

User avatar
Fred Barclay
Level 12
Level 12
Posts: 4010
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: 18.3 Verification gpg of sha256sum.txt file.

Postby Fred Barclay » Mon Dec 11, 2017 7:43 pm

rene wrote:... and in that sense: that "Linux Mint installation guide" that Laurent linked to is being extremely unhelpful in not spelling out the "good warning" and/or "bad signature" messages. If that document is in any way official, that should be fixed.

It is official.
If no one else would like to, I'll try and submit a pull request to correct it sometime this week.
Image
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

rene
Level 6
Level 6
Posts: 1442
Joined: Sun Mar 27, 2016 6:58 pm

Re: 18.3 Verification gpg of sha256sum.txt file.

Postby rene » Mon Dec 11, 2017 7:48 pm

Thanks; sure that's going to be appreciated.

Unclefred
Level 1
Level 1
Posts: 16
Joined: Mon Feb 03, 2014 10:28 am

Re: 18.3 Verification gpg of sha256sum.txt file.

Postby Unclefred » Mon Dec 11, 2017 7:51 pm

I suppose in the meantime I will D/L again & try to get something that will verify. Does that make sense?

rene
Level 6
Level 6
Posts: 1442
Joined: Sun Mar 27, 2016 6:58 pm

Re: 18.3 Verification gpg of sha256sum.txt file.

Postby rene » Mon Dec 11, 2017 8:09 pm

On this forum we have noticed that one of the things that people are likely to do wrong, seeing as how the sha256sum.txt opens in their browser by default, is copy and paste the in the browser displayed content into an editor and save it as sha256sum.txt. While not in a theoretical/essential sense wrong that still is in a practical sense: details such as line ending conventions and/or missing/added linefeed at end-of-file may corrupt the sha256sum.txt. That is: if you have not "right-click downloaded" sha256sum.txt and/or sha256sum.txt.gpg you may wish to do that first without downloading the entire iso again; it's likely there's nothing wrong with it.

For verification, the sha256sums for the 18.3 iso's should be, from http://ftp.heanet.ie/pub/linuxmint.com/stable/18.3/sha256sum.txt:

Code: Select all

2026b8901f86f4711e2aaa35f5515407eebb7fb2c3cdd0359ffb6f6d0a368b9d *linuxmint-18.3-cinnamon-32bit.iso
ecebdf9ac4697b6c2d7feffd1bc5430641bca67c7df122fa2914824dc8844b3a *linuxmint-18.3-cinnamon-64bit.iso
428d47c5ce54e949b0ba656a2c387d4536b9e0530bcc840784b456190411f11c *linuxmint-18.3-mate-32bit.iso
1ec518ec70d76d9634e22bb9e083546d812f869878a3262fc7ae47ecc5b23e40 *linuxmint-18.3-mate-64bit.iso

Note that you can verify these sums on any mirror, and if you trust that the mirror(s) you are checking haven't each been compromised such manual verification will do just as well as the GPG step.

Laurent85
Level 14
Level 14
Posts: 5014
Joined: Tue May 26, 2015 10:11 am

Re: 18.3 Verification gpg of sha256sum.txt file.

Postby Laurent85 » Mon Dec 11, 2017 8:18 pm

Sorry, I didn't notice the BAD signature warning.
Image

Unclefred
Level 1
Level 1
Posts: 16
Joined: Mon Feb 03, 2014 10:28 am

Re: 18.3 Verification gpg of sha256sum.txt file.

Postby Unclefred » Mon Dec 11, 2017 9:24 pm

Rene, it's spooky, but that's exactly what I did when I couldn't find anything in my right click menu to D/L the file. Now I've got a second ISO almost D/Led from a different mirror. It's much slower, and somewhere I read that I should get the sha256sum file & key from the same mirror, but I never even got the chance to see the site. When I clicked on the link, the D/L just started.
I'll be even more careful about how I get the other files this time.
Oh, and no problem, Laurent85, Thanks for your interest,.

rene
Level 6
Level 6
Posts: 1442
Joined: Sun Mar 27, 2016 6:58 pm

Re: 18.3 Verification gpg of sha256sum.txt file.

Postby rene » Mon Dec 11, 2017 9:33 pm

Unclefred wrote:Rene, it's spooky, but that's exactly what I did when I couldn't find anything in my right click menu to D/L the file.

Hope that Fred Barclay still reads along and manages to sneak in a word or two on downloading-not-copy-pasting of sha256.sum and sha256sum.txt.gpg. It is an issue more common than someone writing these texts imagines.

If I in Firefox for example right-click that above pasted heanet mirror link, I'm offered to "Save Link As..."; that's the option you want for both sha256sum.txt and the sha256sum.txt.gpg file (which I notice also in fact opens in the browser by default.) Anyways, I'm sure you'll find that all was in fact well to start with; that you just had some difference wrt. non-displaying characters such as linefeed in either of these files.

Unclefred
Level 1
Level 1
Posts: 16
Joined: Mon Feb 03, 2014 10:28 am

Re: 18.3 Verification gpg of sha256sum.txt file.

Postby Unclefred » Mon Dec 11, 2017 9:47 pm

I waited an hour and a half for that file to D/L. Then I go to the folder where it's supposed to be and the folder is empty. I've got to be up bright eyed & bushy tailed in the morning, so I'm going to bed.

Unclefred
Level 1
Level 1
Posts: 16
Joined: Mon Feb 03, 2014 10:28 am

Re: 18.3 Verification gpg of sha256sum.txt file.

Postby Unclefred » Tue Dec 19, 2017 7:27 am

OK. Lots of things have happened. I D/Led MINT 18.3 again, Cinnamon, 64 bit. I tried to get the sha256sum.txt and the GPG file and the sha256sum matched as before. (not sure I D/Led these later 2 files correctly, but in verifying the sha256sum.txt file it said "no change." This worried me a little, but I couldn't find any further options, so I went ahead & installed the MINT. It worked so beautifully I was in heaven for about 24 hours. Then disks started to disappear, and then I could not boot, and I couldn't find them even on the CMOS after an hour or two. Finally the computer wouldn't boot nor even do it's POST test. I would put the monitor on & it would go to standby, (little amber light), then I'd start the computer and the little amber light would never even turn green. The thing just sat there. Now I have a new computer, new to me anyway, and the same discs. It's running but it's not happy. I ran Bleachbit as root to try to clear any "nasty's" from the disk. Seemed to go well.
Someone sent me a zip file attached to an email and it says it does not have a "something" to decompress the file. I had trouble starting the software manager & rebooted. Then I realised I wasn't giving it enough time. Takes 30 seconds or so to start up. When it did, it confirmed that 7zip & zip were installed already.
Now I don't know if it's a result of my Bleachbit or if malicious code is still embedded in the operating system, (if it ever was).
Now I look to mirrors for MINT 18.3 and there seems to be no way to get the verification files from the servers. I right click on the links and get just about everything else but no access to any other files except the ISO imageShould I go back to 18.2? Should I keep the system I have or re-install from the DVD again? Something else?

User avatar
pbear
Level 4
Level 4
Posts: 367
Joined: Wed Jun 21, 2017 12:25 pm
Location: San Francisco

Re: 18.3 Verification gpg of sha256sum.txt file.

Postby pbear » Tue Dec 19, 2017 1:36 pm

Time flies like an arrow. Fruit flies like a banana.
Running Mint 18.3 Mate 64 bit (by upgrade from 18.1-2)

Unclefred
Level 1
Level 1
Posts: 16
Joined: Mon Feb 03, 2014 10:28 am

Re: 18.3 Verification gpg of sha256sum.txt file.

Postby Unclefred » Tue Dec 19, 2017 1:42 pm

Thanks, but I've been there several times. It's no help. It just tells me to D/L the files, but there's no indication of how to do it. Sometime ago I actually saw the two files listed as links, but there was no way to D/L them. I could only copy & paste them, and that's not giving me an exact copy.
Anyway. I've got the thing running now and it seems relatively well behaved. Like the guy who jumped off the 40 story building said at each floor on the way down, "So Far So Good!"

User avatar
pbear
Level 4
Level 4
Posts: 367
Joined: Wed Jun 21, 2017 12:25 pm
Location: San Francisco

Re: 18.3 Verification gpg of sha256sum.txt file.

Postby pbear » Tue Dec 19, 2017 3:07 pm

Unclefred wrote:It just tells me to D/L the files, but there's no indication of how to do it.

Well, in Firefox, you right-click and "Save Link As ... " If using another browser, I'm sure there's a similar function somewhere.
Time flies like an arrow. Fruit flies like a banana.
Running Mint 18.3 Mate 64 bit (by upgrade from 18.1-2)

Unclefred
Level 1
Level 1
Posts: 16
Joined: Mon Feb 03, 2014 10:28 am

Re: 18.3 Verification gpg of sha256sum.txt file.

Postby Unclefred » Tue Dec 19, 2017 5:35 pm

Ah Ha! Yes it does. I was looking for "Save File As" and I thought "Save Link As" would only save the URL to my Clip Board, or maybe Bookmarks, & I'm thinking, "I don't need that." So great. Thank-you. Merry <whatever you're celebrating>.


Return to “Installation & Boot”