Difficulties verifying ISO image

[MintyMatt]

Hello all,

Thank you very much for taking the time to read my post.

Here's where I am:

I am trying to sort out an old laptop I purchased on EBay for my mother so she can use this instead of her now-poorly functioning Windows laptop.

I downloaded Windows Mint 18.3 onto a USB drive and I have successfully installed this onto the laptop. There were some difficulties getting it to access our WiFi, but this has now been resolved. This was all done a few months ago - the laptop has not been used much since then.

However, I skipped the verifying ISO image stage partly due to confusion over the process. However, if possible, I'd now like to complete this stage as I'd now like this to be my mother's primary computer as her Windows laptop is really playing up. She needs to be able to do internet banking, shopping and read emails securely, and it is my understanding before doing this the ISO image verification is important.

I originally downloaded onto a USB drive using a Windows Laptop using the University of Kent UK Mirror Service page.

I have now gone to try to verify the ISO image, but have run into difficulties using these instructions: https://linuxmint.com/verify.php. I'm going to just number them below to make it easier to write and read.

1) Using the GUI rather than command line, and right clicking in the directory to make a new folder under home to name 'ISO' was unsuccessful, as it was greyed out. However it did allow me to do this under desktop, I'm not sure if that matters or not?

2) The downloads mentioned sha256sum.txt and sha256sum.txt.gpg did not download. Instead they opened up on the webpage with the text. I then decided to go into my new ISO folder and create new text files and copy and paste the next of these into them, and save them under the filenames mentioned, hoping this might work.

3) I did not know if there's a way to find the original ISO image on the laptop, so I used the USB I originally used. I mounted this, and then found a file called linuxISO. I copied this into the folder. I do wonder whether this was the correct file or not.

4) When using the command sha256sum -b *.iso - I get the response for .iso "no such file or directory". In an attempt to address this, I tried renaming the file with .iso but this did not work.

If somebody is able to offer any support or guidance with this matter I would be most grateful.

Many thanks,

MintyMatt

[phd21]

Hi MintyMatt,

Welcome to the wonderful world of Linux Mint and its excellent forum!

That is a nice thing to do for anyone especially your mother.

However, I skipped the verifying ISO image stage partly due to confusion over the process. However, if possible, I'd now like to complete this stage as I'd now like this to be my mother's primary computer as her Windows laptop is really playing up. She needs to be able to do internet banking, shopping and read emails securely, and it is my understanding before doing this the ISO image verification is important.

I originally downloaded onto a USB drive using a Windows Laptop using the University of Kent UK Mirror Service page.

I have now gone to try to verify the ISO image, but have run into difficulties using these instructions: https://linuxmint.com/verify.php. I'm going to just number them below to make it easier to write and read.

It is important to make sure the downloaded files and their checksum and signature verification files are in the same directory folder. There are various methods for performing these verification checks depending upon whether you are using MS Windows, Mac, or Linux. The Linux Mint files are frequently checked and are safe to use, but there is always a possibility that the download had issues, so verifying the checksum values will test that. FYI: Using a torrent software and the Linux Mint torrent link will automatically verify the checksum value to make sure it was downloaded properly and completely.

1) Using the GUI rather than command line, and right clicking in the directory to make a new folder under home to name 'ISO' was unsuccessful, as it was greyed out. However it did allow me to do this under desktop, I'm not sure if that matters or not?

In Linux to verify the checksum "hash" values, you can install "GTKhash" from the Software Manager or Synaptic Package Manager (SPM) or use your file manager in Linux Mint 18.x or 19.x and just right-click the file, select properties, click the checksum tab, etc... Keep in mind that these are large files, so it can take a little bit of time before the checksum value is calculated and displayed.

2) The downloads mentioned sha256sum.txt and sha256sum.txt.gpg did not download. Instead they opened up on the webpage with the text. I then decided to go into my new ISO folder and create new text files and copy and paste the next of these into them, and save them under the filenames mentioned, hoping this might work.

It is probably best to right-click those links and choose "save as".

3) I did not know if there's a way to find the original ISO image on the laptop, so I used the USB I originally used. I mounted this, and then found a file called linuxISO. I copied this into the folder. I do wonder whether this was the correct file or not.

If there was really a problem with the iso file, you probably could not install it. You need to have the original iso file or you can download it again to practice verification. You might be able to create an iso file from the USB stick if you want and then test that iso file.

4) When using the command sha256sum -b *.iso - I get the response for .iso "no such file or directory". In an attempt to address this, I tried renaming the file with .iso but this did not work.

The correct iso file is not in the same directory folder as the checksum file or you ran the command someplace other than that folder. You have to run the commands in that folder where the iso file(s) and checksum and signature verification files are located.

Another recent post with links
< solved > Verifying ISO? - Linux Mint Forums
viewtopic.php?f=90&t=282803

Hope this helps ...
.

gtkhash

.

file manager checksum

[MintyMatt]

Hi phd21,

Thank you very much for your response & taking the time to help. Apologies for my delayed reply, I've had a few looks at your reply post but have now sat down to try properly. However I think my brain might not be fully functioning tonight!

I wondered if I could ask a couple of things?

1) I'm struggling to find the correct .iso file to check - will it be on the laptop anywhere, or would it just be on the USB drive I used to upload to the laptop?

2) In the thread you linked to, an 'authenticity check' is mentioned - given that the mirror site I used to download Linux is actually shown on the Mint website, is it safe (or as safe as reasonably possible) to assume this is an authentic Mint image, and not requiring an authenticity check? (in case of malicious amendment)

Many thanks,

Matt

[gm10]

1) I'm struggling to find the correct .iso file to check - will it be on the laptop anywhere, or would it just be on the USB drive I used to upload to the laptop?

2) In the thread you linked to, an 'authenticity check' is mentioned - given that the mirror site I used to download Linux is actually shown on the Mint website, is it safe (or as safe as reasonably possible) to assume this is an authentic Mint image, and not requiring an authenticity check? (in case of malicious amendment)

1) It will be wherever you downloaded it to. If you kept it and didn't delete it after writing it to the USB.

2) It's always safe until the day it isn't. Just because nobody broke into your home in the last X years doesn't mean it won't happen tomorrow. That's why such statements or assumptions are dangerous. What I will say is that corrupt downloads are more likely than manipulated downloads.

[phd21]

Hi MintyMatt,

You are welcome...

I wondered if I could ask a couple of things?
1) I'm struggling to find the correct .iso file to check - will it be on the laptop anywhere, or would it just be on the USB drive I used to upload to the laptop?

Did you download the iso file on a MS Windows system or a Linux system? You can use a find file application and search for "*.iso" to see if the file is still on the system you used to create the USB stick from.

2) In the thread you linked to, an 'authenticity check' is mentioned - given that the mirror site I used to download Linux is actually shown on the Mint website, is it safe (or as safe as reasonably possible) to assume this is an authentic Mint image, and not requiring an authenticity check? (in case of malicious amendment)

It is more than reasonable to assume that the files on the Linux Mint website are authentic. But, prudence suggests validating the checksum (hash) value of the iso file to its checksum value in the checksum file to make sure it downloaded correctly.

Hope this helps ...

[slipstick]

The easiest way to do this, IMO, in Linux is to use a script file. You can copy the file below and name it "LM18.3_iso_verify" and store it in your "/home/<your user name>/bin" or "/home/<your user name>/.local/bin" directory - either one should be on the command PATH. Now give the file execute permission for the owner - you should be able to do this from your file manager (right click on the file name and select properties->permissions). This file example is for LM18.3 Cinnamon - change the name if you use MATE or Xfce. The cool thing about using a script file like this is that you can reuse it every time you have to verify and authenticate a Mint iso - just update the sha256sum locations before you run the script.

After you have the script file saved, make a folder in your Downloads directory and name it, for example, LM_isos. Move your .iso file into that folder. Open a terminal window, cd to the folder where the .iso is located, type in the command

Code: Select all

LM18.3_iso_verify.sh linuxmint-18.3-cinnamon-64bit.iso

and wait for the script to both verify and authenticate the .iso. (The script will automatically download the two sha256sum files needed).

Here's the script to copy:

Code: Select all

#!/bin/bash

#--------------------------------------------------------------------------------------------------------------------
# Save this file as "LM18.3_iso_verify.sh" in a directory on the command PATH, such as ~/bin or ~/.local/bin, and
#  make it executable
#
#          ********  To check the integrity of the downloaded LMxx.x .iso file: ********

#  * Download or move your Mint .iso file to your Downloads folder (or a folder under Downloads, such as
#    ~/Downloads/LM_isos).

#  * Open a terminal window and change directory (cd) to the folder containing the .iso file.

#  * Run the script following this example (substitute the correct name of the .iso file):
#      EXAMPLE:   LM18.3_iso_verify.sh  linuxmint-18.3-cinnamon-64bit.iso
#--------------------------------------------------------------------------------------------------------------------



# Checking for one parameter on the command line (the .iso file name)
if [ $# -ne 1 ]; then
	echo "Usage: $(basename "$0") linuxmint-xx.x-correct-filename.iso"
	exit 1
fi

# Checking if that file exists in the working directory and is readable
if [ ! -r "$1" ]; then
	echo "File $1 does not exist or is not readable"
	exit 1
fi

# Importing the signing key (LM18 and higher)
gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"


# *** BE SURE THE CORRECT VERSION IS SPECIFIED IN THE "wget" LINES BELOW ! ***
# This is for LM18.3 versions - modify these wget lines as needed for other versions

# Downloading the sha256 sum.txt and sum.txt.gpg files

# If heanet.ie site isn't working, comment out these two lines and uncomment the wget lines for the alternate site
#    or use another alternate of your choice.
wget https://ftp.heanet.ie/mirrors/linuxmint.com/stable/18.3/sha256sum.txt
wget https://ftp.heanet.ie/mirrors/linuxmint.com/stable/18.3/sha256sum.txt.gpg

# University of Oklahoma mirror - an alternate site if above heanet.ie isn't working
#wget http://reflection.oss.ou.edu/linuxmint/isos/linuxmint.com/stable/18.3/sha256sum.txt
#wget http://reflection.oss.ou.edu/linuxmint/isos/linuxmint.com/stable/18.3/sha256sum.txt.gpg




# Verifying the signature on the sha256 sum text file
gpg --verify sha256sum.txt.gpg sha256sum.txt
echo "It should report that the signature is Good, $USER."
echo "You can ignore any warning about ...not certified..."
echo "..."

# comparing the sha256 sum of your ISO image and the original Mint sha256 sum
echo "Calculating the sha256 sum for $1 and comparing it to the downloaded signed sha256 sum"
echo "Be patient, $USER. I am not that good at math"
echo "..."

# this line works if Gnu CoreUtils version 8.25 or later is installed (LM18 ? or later)
sha256sum --check --ignore-missing sha256sum.txt

# or if an earlier version of CoreUtils is installed, then
#  before running this script, comment the above "sha256sum ....." line and uncomment the following line:
# sha256sum -b *.iso
#  you will then need to manually compare the sha256 sum generated to the appropriate line in the sha256sum.txt file


echo "Done."

and here's what you should see when you run it - note that I first cd'ed into the Downloads/LM_isos folder, then listed the files there before starting the script:

Code: Select all

steve@steve-Z97X ~ $ cd Downloads/LM_isos
steve@steve-Z97X ~/Downloads/LM_isos $ ll
total 1855020
drwxrwxr-x 2 steve steve       4096 Dec 16 20:06 ./
drwxr-xr-x 9 steve steve       4096 Dec 16 17:56 ../
-rw-r--r-- 1 steve steve 1899528192 Jan  5  2018 linuxmint-18.3-cinnamon-64bit.iso
steve@steve-Z97X ~/Downloads/LM_isos $ LM18.3_iso_verify.sh linuxmint-18.3-cinnamon-64bit.iso
gpg: requesting key A25BAE09 from hkp server keyserver.ubuntu.com
gpg: key A25BAE09: "Linux Mint ISO Signing Key <root@linuxmint.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
--2018-12-16 20:14:03--  https://ftp.heanet.ie/mirrors/linuxmint.com/stable/18.3/sha256sum.txt
Resolving ftp.heanet.ie (ftp.heanet.ie)... 193.1.193.64, 2001:770:18:aa40::c101:c140
Connecting to ftp.heanet.ie (ftp.heanet.ie)|193.1.193.64|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 774 [text/plain]
Saving to: ‘sha256sum.txt’

sha256sum.txt                 100%[=================================================>]     774  --.-KB/s    in 0s      

2018-12-16 20:14:03 (39.7 MB/s) - ‘sha256sum.txt’ saved [774/774]

--2018-12-16 20:14:04--  https://ftp.heanet.ie/mirrors/linuxmint.com/stable/18.3/sha256sum.txt.gpg
Resolving ftp.heanet.ie (ftp.heanet.ie)... 193.1.193.64, 2001:770:18:aa40::c101:c140
Connecting to ftp.heanet.ie (ftp.heanet.ie)|193.1.193.64|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 819 [text/plain]
Saving to: ‘sha256sum.txt.gpg’

sha256sum.txt.gpg             100%[=================================================>]     819  --.-KB/s    in 0s      

2018-12-16 20:14:04 (41.5 MB/s) - ‘sha256sum.txt.gpg’ saved [819/819]

gpg: Signature made Wed 13 Dec 2017 10:16:15 AM CST using RSA key ID A25BAE09
gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09
It should report that the signature is Good, steve.
You can ignore any warning about ...not certified...
...
Calculating the sha256 sum for linuxmint-18.3-cinnamon-64bit.iso and comparing it to the downloaded signed sha256 sum
Be patient, steve. I am not that good at math
...
linuxmint-18.3-cinnamon-64bit.iso: OK
Done.
steve@steve-Z97X ~/Downloads/LM_isos $ 

[Spiderspoon]

I copied a line out of your script to import the signing key and it seemed to work.
Next step.

Code: Select all

gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Tue 18 Dec 2018 06:58:03 AEDT using RSA key ID A25BAE09
gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09

Is this good or not?
It says good signature, but the next 2 lines bother me.
Thanks.

[karlchen]

Hello, spiderspoon.

Yes, authentication has been confirmed in your case.

As long as it says Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" that means your download is authentic. In case it was tampered with the message would be BAD signature from ....

The official verification page expresses the same thing, only wording it differenlty:

Note: Unless you trusted this signature in the past, or a signature which trusted it, GPG should warn you that the signature is not trusted. This is expected and perfectly normal.

Best regards,
Karl

[Spiderspoon]

Thanks. My problem yesterday was with the instructions on the page
https://linuxmint-installation-guide.re ... erify.html
On that page it says
Import the Linux Mint signing key:
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"

But doing this, I could not import the signing key.
What worked was this, as posted by Slipstick:

gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"
Now this line is slightly different. Is there something wrong with the official instructions?
Thanks.

[Spiderspoon]

The easiest way to do this, IMO, in Linux is to use a script file.

So if I copy your script, what do I save it into? Just a simple text document? And then look for things to change in to the current situation, such as the folder I am going to use for ISOs and the version that I am upgrading to.

Thanks

[slipstick]

Now this line is slightly different. Is there something wrong with the official instructions?

See this explanation from "gm10":
viewtopic.php?f=46&t=291771#p1619558

The easiest way to do this, IMO, in Linux is to use a script file.

So if I copy your script, what do I save it into? Just a simple text document? And then look for things to change in to the current situation, such as the folder I am going to use for ISOs and the version that I am upgrading to.

Thanks

Yes, it's a text document, but you need to make it executable. Either use your file manager (in Nemo, highlight the file name, right click, select properties, open the permissions tab), or you can do it in the terminal if you know how. If you put the script file in your ~/bin or ~/.local/bin folder, you can execute it just by entering the name of the script file. See the instructions at the top of the script file for usage. The only thing you might need to change are the two "wget" statements - change 18.3 to 19.1 in those statements, if that's what you want to check. Or use this one, that I have already set for 19.1.

Code: Select all

#!/bin/bash

#--------------------------------------------------------------------------------------------------------------------
# Save this file as "LM_iso_verify.sh" in a directory on the command PATH, such as ~/bin or ~/.local/bin, and
#  make it executable
#
#          ********  To check the integrity and authenticity of the downloaded LMxx.x .iso file: ********

#  * Download or move your Mint .iso file to your Downloads folder (or a folder under Downloads, such as
#    ~/Downloads/LM_isos).

#  * Open a terminal window and change directory (cd) to the folder containing the .iso file.

#  * Run the script following this example (substitute the correct name of the .iso file):
#      EXAMPLE:   LM_iso_verify.sh  linuxmint-19.1-cinnamon-64bit.iso
#--------------------------------------------------------------------------------------------------------------------



# Checking for one parameter on the command line (the .iso file name)
if [ $# -ne 1 ]; then
	echo "Usage: $(basename "$0") linuxmint-xx.x-correct-filename.iso"
	exit 1
fi

# Checking if that file exists in the working directory and is readable
if [ ! -r "$1" ]; then
	echo "File $1 does not exist or is not readable"
	exit 1
fi

# Importing the signing key (LM18 and higher)
gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"


# *** BE SURE THE CORRECT VERSION IS SPECIFIED IN THE "wget" LINES BELOW ! ***
# This is for LM19.1 versions - modify these wget lines as needed for other versions

# Downloading the sha256 sum.txt and sum.txt.gpg files

# If heanet.ie site isn't working, comment out these two lines and uncomment the wget lines for the alternate site
#    or use another alternate of your choice.
wget https://ftp.heanet.ie/mirrors/linuxmint.com/stable/19.1/sha256sum.txt
wget https://ftp.heanet.ie/mirrors/linuxmint.com/stable/19.1/sha256sum.txt.gpg

# University of Oklahoma mirror - an alternate site if above heanet.ie isn't working
#wget http://reflection.oss.ou.edu/linuxmint/isos/linuxmint.com/stable/19.1/sha256sum.txt
#wget http://reflection.oss.ou.edu/linuxmint/isos/linuxmint.com/stable/19.1/sha256sum.txt.gpg




# Verifying the signature on the sha256 sum text file
gpg --verify sha256sum.txt.gpg sha256sum.txt
echo "It should report that the signature is Good, $USER."
echo "You can ignore any warning about ...not certified..."
echo "..."

# comparing the sha256 sum of your ISO image and the original Mint sha256 sum
echo "Calculating the sha256 sum for $1 and comparing it to the downloaded signed sha256 sum"
echo "Be patient, $USER. I am not that good at math"
echo "..."

# this line works if Gnu CoreUtils version 8.25 or later is installed (LM18 ? or later)
sha256sum --check --ignore-missing sha256sum.txt

# or if an earlier version of CoreUtils is installed, then
#  before running this script, comment the above "sha256sum ....." line and uncomment the following line:
# sha256sum -b *.iso
#  you will then need to manually compare the sha256 sum generated to the appropriate line in the sha256sum.txt file


echo "Done."

You can put your downloaded iso file anywhere you want, but when you open a terminal to use the script, you must cd to the directory where the iso file is located before running the script.

[Spiderspoon]

# Save this file as "LM_iso_verify.sh" in a directory on the command PATH, such as ~/bin or ~/.local/bin, and
# make it executable

I've made the executable file, edited, gave it the right name and made it executable, but I can't save it in the bin folder.

john@ASUS-Laptop ~/ISO $ LM_iso_verify.sh linuxmint-19.1-cinnamom-64bit.iso
LM_iso_verify.sh: command not found

How do you move a file into the bin folder?
Thanks.

[slipstick]

You don't put it into the /bin system folder owned by root. Put it into your ~/bin folder or your ~/.local/bin folder. Note ~stands for your home folder, so ~/bin is the same as /home/username/bin where username is your user name. For example, on my system, I put the file into /home/steve/bin. Both of those folders should be on the command path. You can check the path by executing echo $PATH.