gpg: BAD signature when verifying sha256sum.txt

lntegrity

gpg: BAD signature when verifying sha256sum.txt

Post by lntegrity »

I am currently trying to verify my Linux Mint ISO. I began with downloading the ISO from one of their Mirrors and then continued with downloading the verification files.

The problem I stumbled upon was when I did the Integrity check. I used the terminal with the commands explained in their guide on "How to verify ISO images" and received the sha256 sum. When I compared the sum with the text document the two didn't match. So, I continued with an authenticity check of the text document. First, I imported the signing key. Then I checked the fingerprint of the signing key and it matched with the fingerprint found in the guide. But when I tried to verify the authenticity of the text document I received
gpg: BAD signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]

What am I supposed to do?
Mute Ant

Re: gpg: BAD signature when verifying sha256sum.txt

Post by Mute Ant »

Bad Signature can be simply that you have not told GPG to trust signature 'X'. It won't improve the download though. I would ignore the Signature for now and concentrate on getting your ISO image the same as everyone else's.
  • The bit-torrent system can correct a bad download if you use it like this...
    o Save the torrent magnet link to your Downloads folder.
    o Start the torrent system so a full-sized ISO appears.
    o Close the torrent program.
    o Replace the big-but-virtually-empty file with your Will-Not-Verify ISO using exactly the same name.
    o Start the torrent program again. Force a 'Check Local Data' on the download if it doesn't do it automatically.
    o Wait for the torrent to complete the checksummed download.
A large bit-torrent is split into hundreds of fragments fetched from any peer that offers, so checksums and verification are built-in to any torrent download. If you were to offer a damaged ISO as an upload, other peers would reject fragments that didn't match the original.
gm10

Re: gpg: BAD signature when verifying sha256sum.txt

Post by gm10 »

lntegrity wrote: Fri Aug 17, 2018 2:20 pm The problem I stumbled upon was when I did the Integrity check. I used the terminal with the commands explained in their guide on "How to verify ISO images" and received the sha256 sum. When I compared the sum with the text document the two didn't match. So, I continued with an authenticity check of the text document. First, I imported the signing key. Then I checked the fingerprint of the signing key and it matched with the fingerprint found in the guide. But when I tried to verify the authenticity of the text document I received
gpg: BAD signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]

What am I supposed to do?
Sounds like your sha256sum.txt is bad. Download it again from this link: https://ftp.heanet.ie/mirrors/linuxmint ... 256sum.txt (right click, "Save link as"). Pay attention to how your browser saves it; it's possible that you still had an old version in that folder and when you downloaded again it appended a (1) to the name, so when you then verified the signature you actually checked the wrong file.

Under no circumstances should you install the .iso if it doesn't match the checksum.
Mute Ant wrote: Fri Aug 17, 2018 3:52 pm Bad Signature can be simply that you have not told GPG to trust signature 'X'.
Not quite, those are separate things. If you didn't trust the key then the output looks like this:

gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
The "Good signature" part is imperative though, this must never say "Bad signature".
Last edited by gm10 on Fri Aug 17, 2018 4:20 pm, edited 1 time in total.
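
Added example (not part of the thread or of the Linux Mint guide): the reply above separates "the signature is valid" from "the key is trusted", and this script makes that split explicit by reading GnuPG's machine-readable `--status-fd` lines before checking the ISO against the checksum file. The function names are hypothetical, and it assumes the signing key is already imported with its fingerprint checked and that the detached signature file is passed as the third argument.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the Linux Mint guide.

# Classify machine-readable output of: gpg --status-fd 1 --verify SIG FILE
# Prints bad | good-trusted | good-untrusted | none (anything else, e.g. ERRSIG).
classify_gpg_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG"   { bad = 1 }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
        END {
            if (bad)          print "bad"
            else if (!good)   print "none"
            else if (trusted) print "good-trusted"
            else              print "good-untrusted"
        }'
}

# Compare a file's SHA-256 with its entry in a sha256sum.txt.
# Returns 0 on match, 1 on mismatch, 2 if the file name has no entry.
check_iso_sum() {
    iso=$1; sums=$2
    name=$(basename "$iso")
    # Entries look like "<hex> *<name>"; names are assumed to contain no spaces.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Verify the checksum file first, then the ISO against it.
verify_download() {
    iso=$1; sums=$2; sig=$3
    verdict=$(gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null |
        classify_gpg_status)
    case $verdict in
        good-*) ;;
        *) echo "signature on $sums: $verdict, discard it" >&2; return 1 ;;
    esac
    check_iso_sum "$iso" "$sums" ||
        { echo "$iso does not match $sums, download again" >&2; return 1; }
    echo "OK ($verdict)"
}

# Usage: sh verify.sh ISO SHA256SUM_FILE DETACHED_SIGNATURE
if [ "$#" -eq 3 ]; then verify_download "$@"; fi
```

A `good-untrusted` verdict corresponds to the "Good signature ... [unknown]" output with the certification warning; `bad` means the checksum file itself must not be used.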
lntegrity

Re: gpg: BAD signature when verifying sha256sum.txt

Post by lntegrity »

Mute Ant wrote: Fri Aug 17, 2018 3:52 pm
I'm not sure that's the cause. When I manually compare the ISO generated SHA256 it's not the same as the text document. The difference is the whole sum:

lmde-3-cinnamon-64bit-beta.iso:
06e651f08520f7113c3d2dab07a0f17cd01130a53e01adbd336e74af811a14b6 *lmde-3-cinnamon-64bit-beta.iso
sha256.txt:
a48133b97ae6c0ce906edcd883d2c41e0a5927caae8ce159d51ad68cd7781841 *lmde-3-cinnamon-64bit-beta.iso
gm10 wrote: Fri Aug 17, 2018 4:11 pm
Thanks :) But this one doesn't include lmnd. Should have specified which edition I got.

Where can I find more mirrors?
Mute Ant

Re: gpg: BAD signature when verifying sha256sum.txt

Post by Mute Ant »

Digest functions like MD5SUM and SHA256SUM are designed so that each bit in the file affects around 50% of the bits in the digest. That makes it very difficult to get a correct digest by accident. If the digest of your ISO file is wrong, you can't expect to use it for installation. The digest alone can't estimate the extent of the damage. If your ISO is the same as everyone else's, the digest will match, perfectly.

As a quick test you can Google a48133b97ae6c0ce906edcd883d2c41e0a5927caae8ce159d51ad68cd7781841 which shows several relevant 'Cindy' hits... that's what you are supposed to get.
Last edited by Mute Ant on Fri Aug 17, 2018 5:53 pm, edited 1 time in total.
gm10

Re: gpg: BAD signature when verifying sha256sum.txt

Post by gm10 »

lntegrity wrote: Fri Aug 17, 2018 5:37 pm When I manually compare the ISO generated SHA256 it's not the same as the text document. The difference is the whole sum:

lmde-3-cinnamon-64bit-beta.iso:
06e651f08520f7113c3d2dab07a0f17cd01130a53e01adbd336e74af811a14b6 *lmde-3-cinnamon-64bit-beta.iso
sha256.txt:
a48133b97ae6c0ce906edcd883d2c41e0a5927caae8ce159d51ad68cd7781841 *lmde-3-cinnamon-64bit-beta.iso
I can confirm that the hash from your sha256sum.txt that you posted is correct. That means that your download is corrupt. Download it again, best using another mirror or the torrent: https://www.linuxmint.com/edition.php?id=259
lntegrity wrote: Fri Aug 17, 2018 5:37 pm Thanks :) But this one doesn't include lmnd. Should have specified which edition I got.
Yep, this one's on you because you're actually posting in the wrong forum. We've got a separate forum section for LMDE3, this here is for Ubuntu based Linux Mint so naturally I gave you the link pertaining to that. ;)
lntegrity

Re: gpg: BAD signature when verifying sha256sum.txt

Post by lntegrity »

gm10 wrote: Fri Aug 17, 2018 5:53 pm Yep, this one's on you because you're actually posting in the wrong forum. We've got a separate forum section for LMDE3, this here is for Ubuntu based Linux Mint so naturally I gave you the link pertaining to that. ;)
My bad :mrgreen:

Thanks everyone for the answers.