lntegrity wrote: ⤴Fri Aug 17, 2018 2:20 pm
The problem I stumbled upon was when I did the Integrity check. I used the terminal with the commands explained in their guide on "How to verify ISO images" and received the sha256 sum. When I compared the sum with the text document the two didn't match. So, I continued with an authenticity check of the text document. First, I imported the signing key. Then I checked the fingerprint of the signing key and it matched with the fingerprint found in the guide. But when I tried to verify the authenticity of the text document I received
gpg: BAD signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]
What am I supposed to do?
Sounds like your sha256sum.txt is bad. Download it again from this link:
https://ftp.heanet.ie/mirrors/linuxmint ... 256sum.txt (right click, "Save link as"). Pay attention to how your browser saves it, it's possible that you still had an old version in that folder and when you downloaded again it appended an (1) to the name, so when you then verified the signature you actually checked the wrong file.
Under no circumstances should you install the .iso if it doesn't match the checksum.
Mute Ant wrote: ⤴Fri Aug 17, 2018 3:52 pm
Bad Signature can be simply that you have not told GPG to trust signature 'X'.
Not quite, those are separate things. If you didn't trust the key then the output looks like this:
Code: Select all
gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
The "Good signature" part is imperative though, this must never say "Bad signature".