I am trying to verify my .ISO file for Linux Mint 19.
Verification of sha256sum.txt works without a problem.
Verification of sha256sum.txt.gpg fails like this:
____ gpg --verify sha256sum.txt.gpg sha256sum.txt
____ gpg: Signature made Thu 19 Jul 2018 05:41:40 AM -04 using RSA key ID A25BAE09
____ gpg: BAD signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"
I think the problem may be with how I downloaded the sum files.
I don't know how to "download" the files other than copying their
contents and use the contents to create new files on my own system. The "copies"
look like the originals, but perhaps the .gpg file differs in an important way
from the .gpg file on the Linux mint site.
So, how can I reliably "download" these files, given that there is
nothing provided on the Linux Mint site to do that -- at least so far as I know?
Of course, it is possible that I just generate a bad check sum
because there is something wrong with the .gpg file or the .iso file,
although I think that unlikely.
Unable to verify sha256sum.txt.gpg for LM19
Forum rules
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
-
Rampant
Unable to verify sha256sum.txt.gpg for LM19
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
-
lazarus
Re: Unable to verify sha256sum.txt.gpg for LM19
Copy/Pasta is all I do to grab the sum files.
I have noticed that sha256sum.txt.gpg has changed lately. The one I had DL'd some time ago - which checked out fine back then - now gives a bad CRC.
When did you DL yours? Try DLing it again, then in a terminal type to ensure that you have the current LM signing key as well. That worked for me.
For peace of mind, after refreshing the keyfile check it with:
...and compare the fingerprint output to the one listed on the LM verification page.
(It should be
)
I have noticed that sha256sum.txt.gpg has changed lately. The one I had DL'd some time ago - which checked out fine back then - now gives a bad CRC.
When did you DL yours? Try DLing it again, then in a terminal type
Code: Select all
gpg --refresh-keysFor peace of mind, after refreshing the keyfile check it with:
Code: Select all
gpg --list-key --with-fingerprint A25BAE09(It should be
27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09 but don't just take my word for it! )
Last edited by lazarus on Mon Aug 20, 2018 12:36 am, edited 2 times in total.
-
slipstick
- Level 6
- Posts: 1071
- Joined: Sun Oct 21, 2012 9:56 pm
- Location: Somewhere on the /LL0 scale
Re: Unable to verify sha256sum.txt.gpg for LM19
I have found the simplest way is to use a script file.
1. Copy the script file that follows - call it LM_iso_verify.sh
2. Place this file in the same directory where you have downloaded the .iso file and make it executable.
3. Open a terminal and cd to the directory where you have downloaded the .iso file. You didn't say which version you want to verify, so I'll use Cinnamon as an example.
4. Enter the following command:
The output should look like this (I just ran this a couple of minutes ago):
and here is the LM_iso_verify.sh file:
Note - if you want to use this in the future, you can place this script file in your ~/bin directory so that it is on the command path and you will not need to copy it into the same directory as the .iso file, and then you can just enter the command as before without the leading ./
like this:
******** EDIT - 12 Dec., 2018 !!!!!!
Here is a newer version of the script file - I have cleaned up the comments and the instructions at the top of the file should make usage clearer. This works the same as the older version.
1. Copy the script file that follows - call it LM_iso_verify.sh
2. Place this file in the same directory where you have downloaded the .iso file and make it executable.
3. Open a terminal and cd to the directory where you have downloaded the .iso file. You didn't say which version you want to verify, so I'll use Cinnamon as an example.
4. Enter the following command:
Code: Select all
./LM_iso_verify.sh linuxmint-19-cinnamon-64bit-v2.isoCode: Select all
steve@steve-Z97X ~/Downloads/IsoFiles $ ./LM_iso_verify.sh linuxmint-19-cinnamon-64bit-v2.iso
gpg: requesting key A25BAE09 from hkp server keyserver.ubuntu.com
gpg: key A25BAE09: "Linux Mint ISO Signing Key <root@linuxmint.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
--2018-08-19 23:23:37-- https://ftp.heanet.ie/mirrors/linuxmint.com/stable/19/sha256sum.txt
Resolving ftp.heanet.ie (ftp.heanet.ie)... 193.1.193.64, 2001:770:18:aa40::c101:c140
Connecting to ftp.heanet.ie (ftp.heanet.ie)|193.1.193.64|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 867 [text/plain]
Saving to: ‘sha256sum.txt’
sha256sum.txt 100%[=================================================>] 867 --.-KB/s in 0s
2018-08-19 23:23:38 (43.4 MB/s) - ‘sha256sum.txt’ saved [867/867]
--2018-08-19 23:23:38-- https://ftp.heanet.ie/mirrors/linuxmint.com/stable/19/sha256sum.txt.gpg
Resolving ftp.heanet.ie (ftp.heanet.ie)... 193.1.193.64, 2001:770:18:aa40::c101:c140
Connecting to ftp.heanet.ie (ftp.heanet.ie)|193.1.193.64|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 833 [text/plain]
Saving to: ‘sha256sum.txt.gpg’
sha256sum.txt.gpg 100%[=================================================>] 833 --.-KB/s in 0s
2018-08-19 23:23:39 (21.2 MB/s) - ‘sha256sum.txt.gpg’ saved [833/833]
gpg: Signature made Thu 19 Jul 2018 04:41:40 AM CDT using RSA key ID A25BAE09
gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09
It should report that the signature is Good, steve.
You can ignore any warning about ...not certified...
...
Calculating the sha256 sum for linuxmint-19-cinnamon-64bit-v2.iso and comparing it to the downloaded signed sha256 sum
Be patient, steve. I am not that good at math
...
linuxmint-19-cinnamon-64bit-v2.iso: OK
Done.
Code: Select all
#!/bin/bash
# Save this file in the ~/bin folder (or other convenient locations) as LM_iso_verify.sh
# When you want to check the integrity of the downloaded LMxx.x .iso file:
#
# Download or move your Mint xx.x.iso file to your Downloads folder.
# Move this LM_iso_verify.sh file to the Downloads folder
# and make sure it is marked as executable. (Or if you keep it in /home/<your user name>/bin,
# then it is should already be on the PATH, and you don't need to move it.)
#
# Open a terminal window and cd to ~/Downloads, then
# run the script with "./LM_iso_verify.sh Mint-xx.x-correct-filename.iso"
# EXAMPLE: ./LM_iso_verify.sh linuxmint-19-cinnamon-64bit.iso
# or if the script is in /home/bin or otherwise on the PATH, then
# EXAMPLE: LM_iso_verify.sh linuxmint-19-cinnamon-64bit.iso
# Check for one parameter on the command line (the .iso file name)
if [ $# -ne 1 ]; then
echo "Usage: $(basename "$0") linuxmint-xx.x-correct-filename.iso"
exit 1
fi
# Check if that file exists in the working directory and is readable
if [ ! -r "$1" ]; then
echo "File $1 does not exist or is not readable"
exit 1
fi
# Importing the signing key (LM18 and higher)
gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"
# This is for LM19 versions - modify these wget lines as needed for other versions
# Download the Mint 19 sha256 sum txt files
# If heanet.ie site isn't working, comment out these two lines and uncomment the wget lines for the alternate site
# or use another alternate of your choice.
wget https://ftp.heanet.ie/mirrors/linuxmint.com/stable/19/sha256sum.txt
wget https://ftp.heanet.ie/mirrors/linuxmint.com/stable/19/sha256sum.txt.gpg
# University of Oklahoma mirror - an alternate site if above heanet.ie isn't working
#wget http://reflection.oss.ou.edu/linuxmint/isos/linuxmint.com/stable/19/sha256sum.txt
#wget http://reflection.oss.ou.edu/linuxmint/isos/linuxmint.com/stable/19/sha256sum.txt.gpg
# Verify the signature on the sha256 sum text file
gpg --verify sha256sum.txt.gpg sha256sum.txt
echo "It should report that the signature is Good, $USER."
echo "You can ignore any warning about ...not certified..."
echo "..."
# compare the sha256 sum of your ISO image and the original Mint sha256 sum
echo "Calculating the sha256 sum for $1 and comparing it to the downloaded signed sha256 sum"
echo "Be patient, $USER. I am not that good at math"
echo "..."
# use this if you have Gnu CoreUtils version 8.25 or later
sha256sum --check --ignore-missing sha256sum.txt
echo "Done."
like this:
Code: Select all
LM_iso_verify.sh linuxmint-19-cinnamon-64bit-v2.iso
Here is a newer version of the script file - I have cleaned up the comments and the instructions at the top of the file should make usage clearer. This works the same as the older version.
Code: Select all
#!/bin/bash
#--------------------------------------------------------------------------------------------------------------------
# Save this file as "LM_iso_verify.sh" in a directory on the command PATH, such as ~/bin or ~/.local/bin, and
# make it executable
#
# ******** To check the integrity of the downloaded LMxx.x .iso file: ********
# * Download or move your Mint .iso file to your Downloads folder (or a folder under Downloads, such as
# ~/Downloads/LM_isos).
# * Open a terminal window and change directory (cd) to the folder containing the .iso file.
# * Run the script following this example (substitute the correct name of the .iso file):
# EXAMPLE: LM_iso_verify.sh linuxmint-19-cinnamon-64bit.iso
#--------------------------------------------------------------------------------------------------------------------
# Checking for one parameter on the command line (the .iso file name)
if [ $# -ne 1 ]; then
echo "Usage: $(basename "$0") linuxmint-xx.x-correct-filename.iso"
exit 1
fi
# Checking if that file exists in the working directory and is readable
if [ ! -r "$1" ]; then
echo "File $1 does not exist or is not readable"
exit 1
fi
# Importing the signing key (LM18 and higher)
gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"
# *** BE SURE THE CORRECT VERSION IS SPECIFIED IN THE "wget" LINES BELOW ! ***
# This is for LM19 versions - modify these wget lines as needed for other versions
# Downloading the sha256 sum.txt and sum.txt.gpg files
# If heanet.ie site isn't working, comment out these two lines and uncomment the wget lines for the alternate site
# or use another alternate of your choice.
wget https://ftp.heanet.ie/mirrors/linuxmint.com/stable/19/sha256sum.txt
wget https://ftp.heanet.ie/mirrors/linuxmint.com/stable/19/sha256sum.txt.gpg
# University of Oklahoma mirror - an alternate site if above heanet.ie isn't working
#wget http://reflection.oss.ou.edu/linuxmint/isos/linuxmint.com/stable/19/sha256sum.txt
#wget http://reflection.oss.ou.edu/linuxmint/isos/linuxmint.com/stable/19/sha256sum.txt.gpg
# Verifying the signature on the sha256 sum text file
gpg --verify sha256sum.txt.gpg sha256sum.txt
echo "It should report that the signature is Good, $USER."
echo "You can ignore any warning about ...not certified..."
echo "..."
# comparing the sha256 sum of your ISO image and the original Mint sha256 sum
echo "Calculating the sha256 sum for $1 and comparing it to the downloaded signed sha256 sum"
echo "Be patient, $USER. I am not that good at math"
echo "..."
# this line works if Gnu CoreUtils version 8.25 or later is installed (LM18 ? or later)
sha256sum --check --ignore-missing sha256sum.txt
# or if an earlier version of CoreUtils is installed, then
# before running this script, comment the above "sha256sum ....." line and uncomment the following line:
# sha256sum -b *.iso
# you will then need to manually compare the sha256 sum generated to the appropriate line in the sha256sum.txt file
echo "Done."
In theory, theory and practice are the same. In practice, they ain't.