[SOLVED] unable to verify the sha sum256 txt.gpg Mint 18.3 Cinnamon

[slipstick]

Looks like you got the name wrong when you typed it in. I downloaded the 32 bit xfce version and verified it with my script and it worked just fine. The script doesn't need to be changed, nor the name of the script file - just change the name of the iso file which you type after the script name. I put the 32-bit xfce version in a subdirectory of my Downloads directory (because I have other stuff in my Downloads directory which I didn't want to confuse the issue). Here is a terminal list of what I did. You will see three command lines where I typed in a command. The first one, I changed directory to the ~/Downloads/xfce_32_iso directory, then in the second line, I made a listing of the files in that directory to be sure that I had the correct files and that the script file had the execute bit set, then the third command line (eighth line down in the listing) is the one that kicked off the verification. It verified good - don't worry about the WARNING: This key is not certified with a trusted signature. That just means you haven't signed the key with your own signature and has no significance here - you're just looking for the "Good signature...." in the line above the WARNING. You should be able to do the same as I did - only the name of your working folder will be Downloads, instead of Downloads/xfce_32_iso that I used.

Code: Select all

steve@steve-Z97X ~ $ cd Downloads/xfce_32_iso
steve@steve-Z97X ~/Downloads/xfce_32_iso $ ll
total 1776656
drwxrwxr-x 2 steve steve       4096 Jun 23 01:46 ./
drwxr-xr-x 6 steve steve       4096 Jun 23 01:45 ../
-rw-rw-r-- 1 steve steve 1819279360 Jun 23 01:44 linuxmint-18.3-xfce-32bit.iso
-rwxr----- 1 steve steve       2586 Apr 30 18:14 LM_iso_verify.sh*
steve@steve-Z97X ~/Downloads/xfce_32_iso $ ./LM_iso_verify.sh linuxmint-18.3-xfce-32bit.iso
gpg: requesting key A25BAE09 from hkp server keyserver.ubuntu.com
gpg: key A25BAE09: "Linux Mint ISO Signing Key <root@linuxmint.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
--2018-06-23 01:49:22--  https://ftp.heanet.ie/mirrors/linuxmint.com/stable/18.3/sha256sum.txt
Resolving ftp.heanet.ie (ftp.heanet.ie)... 193.1.193.64, 2001:770:18:aa40::c101:c140
Connecting to ftp.heanet.ie (ftp.heanet.ie)|193.1.193.64|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 774 [text/plain]
Saving to: ‘sha256sum.txt’

sha256sum.txt                 100%[=================================================>]     774  --.-KB/s    in 0s      

2018-06-23 01:49:23 (40.5 MB/s) - ‘sha256sum.txt’ saved [774/774]

--2018-06-23 01:49:23--  https://ftp.heanet.ie/mirrors/linuxmint.com/stable/18.3/sha256sum.txt.gpg
Resolving ftp.heanet.ie (ftp.heanet.ie)... 193.1.193.64, 2001:770:18:aa40::c101:c140
Connecting to ftp.heanet.ie (ftp.heanet.ie)|193.1.193.64|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 819 [text/plain]
Saving to: ‘sha256sum.txt.gpg’

sha256sum.txt.gpg             100%[=================================================>]     819  --.-KB/s    in 0s      

2018-06-23 01:49:24 (42.2 MB/s) - ‘sha256sum.txt.gpg’ saved [819/819]

gpg: Signature made Wed 13 Dec 2017 10:16:15 AM CST using RSA key ID A25BAE09
gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09
It should report that the signature is Good, steve.
You can ignore any warning about ...not certified...
...
Calculating the sha256 sum for linuxmint-18.3-xfce-32bit.iso and comparing it to the downloaded signed sha256 sum
Be patient, steve. I am not that good at math
...
linuxmint-18.3-xfce-32bit.iso: OK
Done.
steve@steve-Z97X ~/Downloads/xfce_32_iso $ 

[bethm]

Thanks Slipstick, Steve
Will try that, and then let you know

[JerryF]

Hi Jerry I am using linuxmint 18.3 cinnamon slyvia

Great! The reason I asked is that you can verify the checksum of an ISO directly from File Manager. It will give you the checksum to compare in the sha256sum.txt file.

Shutter-013.jpg

[slipstick]

Great! The reason I asked is that you can verify the checksum of an ISO directly from File Manager. It will give you the checksum to compare in the sha256sum.txt file.

From the OP's previous posts, it sounds like the problem is in verifying the signature of the hash file, not in verifying that the checksum of the .iso file matches the checksum in the hash file.

[JerryF]

From the OP's previous posts, it sounds like the problem is in verifying the signature of the hash file, not in verifying that the checksum of the .iso file matches the checksum in the hash file.

Thanks, I lost track.

[JerryF]

bethm,

Just wanted to check to make sure that you ran all the commands that were in the instructions to do an Authenticity Check.

As a preface, the following are examples from my computer. The locations of files will be different from yours. (You can click on any picture to enlarge it to read it better.)

First do this:
Open File Manager and go to the directory where your sha256sum.txt and sha256sum.txt.gpg files are.
Right-click in a blank area.
Click on Open in Terminal

Shutter-016.jpg

You now have a Terminal window open in the correct directory where your two files are.

Shutter-017.jpg

Run these two commands:

Code: Select all

gpg --keyserver keyserver.ubuntu.com --recv-key A25BAE09

Code: Select all

gpg --list-key --with-fingerprint A25BAE09

Check the output of the last previous command, to make sure the fingerprint is 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09.

Now for the Authenticity Check
Run this:

Code: Select all

gpg --verify sha256sum.txt.gpg sha256sum.txt

Your output should look like this:

Shutter-018.jpg

[bethm]

thanks to you Gerry I was doing the wrong thing with the last step, I just wanted to say i appreciate your time, and all is now ok, and all verified and done,
thanks also to slipstick for your help and time.

[JerryF]

Great!

[Bill_35]

I've followed the noted steps to verify the file signature of sha256sum.txt, and gpg reports "Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" - BUT, the signature "using RSA key 300F846BA..." DOES NOT match the "A25BAE09" key. (for Linux Mint Cinnamon, 64x, ver 18.3). I've downloaded ISO from two different mirrors. The ISO image integrity check sha256sum does validate against the sha256sum.txt file. The fingerprint does validate against the 27DE B156 ... output.
I'm looking for the A25BAE09 key match, and not getting it.
What next?

[bethm]

Thanks again for your help Jerry, it was the bit about opening the file in the terminal that did the trick.