18.3 Verification gpg of sha256sum.txt file.

[Unclefred]

The 18.3 Cinnamon ISO checks out but the gpg key test says;

gpg: Signature made Fri 24 Nov 2017 04:08:32 PM AST using RSA key ID A25BAE09
gpg: BAD signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"

Now I read that it might be "untrusted" and I was prepared for that, but the BAD signature warning has me worried.
The Key ID is OK, but with a BAD signature. I'm suspicious of it and how might I proceed?`

[Laurent85]

Feel safe, see Linux Mint Installation Guide :

Note

GPG might warn you that the Linux Mint signature is not trusted by your computer. This is expected and perfectly normal.

[Unclefred]

Thank-you, I covered that in my first post, and I expected it to tell me that it was "not trusted." What I got instead was; "BAD signature." That's different than "not trusted" isn't it? If these are synonymous then great! I'll go ahead & install. I'd just like to hear it from an authority.

[Fred Barclay]

Hi - actually, a bad signature is, well, bad. It's not the same as an untrusted message:
"BAD" means that something went wrong with your download, either of the Mint iso, the sha256sum.txt file, or the sha256sum.txt.gpg file - most likely the Mint iso. When you see this, it means that the iso image is not identical to the one the Mint developers provide.
"Untrusted" means that the signature is good (and so the Mint iso image is good), but you haven't marked the gpg key provided by the Mint developers as "trusted." This is completely normal.

I have a little web page that goes over bad or untrusted signatures, in part. It goes into a bit more detail than the current Mint instructions do.
https://fred-barclay.github.io/VerifyLinuxMint/

[rene]

... and in that sense: that "Linux Mint installation guide" that Laurent linked to is being extremely unhelpful in not spelling out the "good warning" and/or "bad signature" messages in full. If that document is in any way official, that should be fixed.

[Fred Barclay]

... and in that sense: that "Linux Mint installation guide" that Laurent linked to is being extremely unhelpful in not spelling out the "good warning" and/or "bad signature" messages. If that document is in any way official, that should be fixed.

It is official.
If no one else would like to, I'll try and submit a pull request to correct it sometime this week.

[rene]

Thanks; sure that's going to be appreciated.

[Unclefred]

I suppose in the meantime I will D/L again & try to get something that will verify. Does that make sense?

[rene]

On this forum we have noticed that one of the things that people are likely to do wrong, seeing as how the sha256sum.txt opens in their browser by default, is copy and paste the in the browser displayed content into an editor and save it as sha256sum.txt. While not in a theoretical/essential sense wrong that still is in a practical sense: details such as line ending conventions and/or missing/added linefeed at end-of-file may corrupt the sha256sum.txt. That is: if you have not "right-click downloaded" sha256sum.txt and/or sha256sum.txt.gpg you may wish to do that first without downloading the entire iso again; it's likely there's nothing wrong with it.

For verification, the sha256sums for the 18.3 iso's should be, from http://ftp.heanet.ie/pub/linuxmint.com/ ... 256sum.txt:

Code: Select all

2026b8901f86f4711e2aaa35f5515407eebb7fb2c3cdd0359ffb6f6d0a368b9d *linuxmint-18.3-cinnamon-32bit.iso
ecebdf9ac4697b6c2d7feffd1bc5430641bca67c7df122fa2914824dc8844b3a *linuxmint-18.3-cinnamon-64bit.iso
428d47c5ce54e949b0ba656a2c387d4536b9e0530bcc840784b456190411f11c *linuxmint-18.3-mate-32bit.iso
1ec518ec70d76d9634e22bb9e083546d812f869878a3262fc7ae47ecc5b23e40 *linuxmint-18.3-mate-64bit.iso

Note that you can verify these sums on any mirror, and if you trust that the mirror(s) you are checking haven't each been compromised such manual verification will do just as well as the GPG step.

[Laurent85]

Sorry, I didn't notice the BAD signature warning.

[Unclefred]

Rene, it's spooky, but that's exactly what I did when I couldn't find anything in my right click menu to D/L the file. Now I've got a second ISO almost D/Led from a different mirror. It's much slower, and somewhere I read that I should get the sha256sum file & key from the same mirror, but I never even got the chance to see the site. When I clicked on the link, the D/L just started.
I'll be even more careful about how I get the other files this time.
Oh, and no problem, Laurent85, Thanks for your interest,.

[rene]

Rene, it's spooky, but that's exactly what I did when I couldn't find anything in my right click menu to D/L the file.

Hope that Fred Barclay still reads along and manages to sneak in a word or two on downloading-not-copy-pasting of sha256.sum and sha256sum.txt.gpg. It is an issue more common than someone writing these texts imagines.

If I in Firefox for example right-click that above pasted heanet mirror link, I'm offered to "Save Link As..."; that's the option you want for both sha256sum.txt and the sha256sum.txt.gpg file (which I notice also in fact opens in the browser by default.) Anyways, I'm sure you'll find that all was in fact well to start with; that you just had some difference wrt. non-displaying characters such as linefeed in either of these files.

[Unclefred]

I waited an hour and a half for that file to D/L. Then I go to the folder where it's supposed to be and the folder is empty. I've got to be up bright eyed & bushy tailed in the morning, so I'm going to bed.

[Unclefred]

OK. Lots of things have happened. I D/Led MINT 18.3 again, Cinnamon, 64 bit. I tried to get the sha256sum.txt and the GPG file and the sha256sum matched as before. (not sure I D/Led these later 2 files correctly, but in verifying the sha256sum.txt file it said "no change." This worried me a little, but I couldn't find any further options, so I went ahead & installed the MINT. It worked so beautifully I was in heaven for about 24 hours. Then disks started to disappear, and then I could not boot, and I couldn't find them even on the CMOS after an hour or two. Finally the computer wouldn't boot nor even do it's POST test. I would put the monitor on & it would go to standby, (little amber light), then I'd start the computer and the little amber light would never even turn green. The thing just sat there. Now I have a new computer, new to me anyway, and the same discs. It's running but it's not happy. I ran Bleachbit as root to try to clear any "nasty's" from the disk. Seemed to go well.
Someone sent me a zip file attached to an email and it says it does not have a "something" to decompress the file. I had trouble starting the software manager & rebooted. Then I realised I wasn't giving it enough time. Takes 30 seconds or so to start up. When it did, it confirmed that 7zip & zip were installed already.
Now I don't know if it's a result of my Bleachbit or if malicious code is still embedded in the operating system, (if it ever was).
Now I look to mirrors for MINT 18.3 and there seems to be no way to get the verification files from the servers. I right click on the links and get just about everything else but no access to any other files except the ISO imageShould I go back to 18.2? Should I keep the system I have or re-install from the DVD again? Something else?

[pbear]

Try here: https://linuxmint.com/verify.php

[Unclefred]

Thanks, but I've been there several times. It's no help. It just tells me to D/L the files, but there's no indication of how to do it. Sometime ago I actually saw the two files listed as links, but there was no way to D/L them. I could only copy & paste them, and that's not giving me an exact copy.
Anyway. I've got the thing running now and it seems relatively well behaved. Like the guy who jumped off the 40 story building said at each floor on the way down, "So Far So Good!"

[pbear]

It just tells me to D/L the files, but there's no indication of how to do it.

Well, in Firefox, you right-click and "Save Link As ... " If using another browser, I'm sure there's a similar function somewhere.

[Unclefred]

Ah Ha! Yes it does. I was looking for "Save File As" and I thought "Save Link As" would only save the URL to my Clip Board, or maybe Bookmarks, & I'm thinking, "I don't need that." So great. Thank-you. Merry <whatever you're celebrating>.