How to verify the ISO image on Windows

Write tutorials here
There are more tutorials here http://community.linuxmint.com/tutorial/welcome
Forum rules
Please don't add support questions to tutorials,start your own thread in the appropriate sub-forum instead. Before you post please read this
gm10
Level 17
Level 17
Posts: 7439
Joined: Thu Jun 21, 2018 5:11 pm

How to verify the ISO image on Windows

Post by gm10 » Thu Mar 28, 2019 5:02 pm

Since the image file verification remains an issue for many Windows users, here's a detailed guide on how to do it on Windows. This guide assumes you are using Windows 7, 8 or 10. It might work on older versions of Windows but my memory on those is hazy. It also assumes that you do not have the Windows Subsystem for Linux installed on Windows 10, because then you could just use the Linux instructions and probably don't need this guide.

Preparation
  1. First follow the steps in the "Preparation" section of https://linuxmint.com/verify.php for the version you downloaded. Make sure to really right click > Save as... as it tells you to. It makes a difference. Note that it does not matter where exactly you put the files as long as they are all in the same folder and keep their original names.
  2. Then browse to https://www.gnupg.org/download/index.html and download and install the Windows installer for GnuPG. It is this download:

    Image

    For the purposes of this guide it does not matter whether you install the program as administrator or not, so just click yes to install to install without administrator rights if it asks you.
  3. Now find the folder containing the files you downloaded in the first step, hold Shift while right-clicking it (the folder, not the files in it). Select to open a command window:

    Image

    Depending on your version of Windows it is also possible that the option is called like this:
    Image
    Use whichever you've got available but if you used the PowerShell option then type cmd followed by Enter into the window.
Integrity Check
  • Type this command into the command window while replacing the filename.iso part with the actual name of the .iso file you downloaded.

    Code: Select all

    CertUtil -hashfile filename.iso SHA256
    Note that if you start typing a filename you can press Tab to automatically complete it.

    Press Enter to run the command. This will take a little while to complete and eventually present you with an alphanumeric sequence that is called a hash. If this hash is identical to the one listed in your sha256sum.txt then the integrity check passed. You can compare them by hand or better use the find command.
    .
  • Here's a screenshot of the complete sequence of commands (don't mind the folder location on my system):

    Image
    .
    If the same hash is not found in sha256sum.txt then your downloaded .iso did not pass the integrity check. Make sure you downloaded the correct sha256sum.txt and if yes, try to download the .iso again from a different mirror server. Then check the integrity again.
    .
  • Never install from an .iso that failed the integrity check.

Authenticity Check

For the authenticity check we use the same commands as described on https://linuxmint.com/verify.php:
  1. Copy & paste this command into the command window and press Enter to run it:

    Code: Select all

    gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
    For some users this fails with a keyserver or network error, in that case (and only then) please try this variant instead:

    Code: Select all

    gpg --keyserver keyserver.ubuntu.com --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
    or this one:

    Code: Select all

    gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
    If it's failing on all of those maybe try again later - the server might be down - otherwise you're out of luck.
  2. Now copy & paste this command into the command window and press Enter to run it:

    Code: Select all

    gpg --verify sha256sum.txt.gpg sha256sum.txt
  3. The output from those two commands will look something like this (don't worry if it looks slightly different, the only relevant part is listed below the screenshot):

    Image
    .
    As long as it says Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" that means your download is authentic. In case it was tampered with the message would be BAD signature from ....

Finally
Last edited by gm10 on Sun Jun 23, 2019 11:21 pm, edited 12 times in total.

User avatar
JoeFootball
Level 7
Level 7
Posts: 1803
Joined: Tue Nov 24, 2009 1:52 pm
Location: /home/usa/mn/minneapolis/joe

Re: How to verify the ISO image on Windows

Post by JoeFootball » Fri Mar 29, 2019 8:35 am

Well done! :)

Joe

Starkman
Level 3
Level 3
Posts: 104
Joined: Mon Jun 20, 2016 1:19 pm
Location: Oregon, USA

Re: How to verify the ISO image on Windows

Post by Starkman » Fri Mar 29, 2019 10:31 am

This helps, but I think it needs some tweaking.

1.) The reference to https://linuxmint.com/verify.php leads one to click on their version to download. Doing so tells them to download two files: a .txt and a .gpg. Sadly, these files cannot be downloaded by a Windows user.

2. Regardless of whether one holds Shift or not while clicking either of these three files, the option to open a Command line in Windows does not appear; a PowerShell window may open if one right-clicks the open area in the folder, but that's about it.

Otherwise, the instructions we easy to follow.

Thanks.
Starkman

Six to seven-year-old home-built Intel i3, spinner drive, Mint 19.1

User avatar
karlchen
Level 20
Level 20
Posts: 10852
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: How to verify the ISO image on Windows

Post by karlchen » Fri Mar 29, 2019 10:45 am

Hello, Starkman.

Ad 1.)
Of course, the 2 files sha256sum.txt and sha256sum.txt.gpg, can be downloaded even by poor Windows users. Provided they know that right-clicking on a link and selecting "Save As ..." from the context menu will work on Windows as well. :wink:

Ad 2.)
Misunderstanding on your side: gm10 tells to hold the shift key and right-click on the folder where you saved the 2 files mentioned above and the ISO image file.
gm10 wrote:
Thu Mar 28, 2019 5:02 pm
Now find the folder containing the files you downloaded in the first step, hold Shift while right-clicking it. Select to open a command window:
Regards,
Karl
Image
Linux Mint 18.1 64-bit Cinnamon Desktop, Total Commander 9.22a 64-bit
Ubuntu 18.04.2 32-bit Mate Desktop, Total Commander 9.22a 32-bit
Windows? - 1 window in every room

gm10
Level 17
Level 17
Posts: 7439
Joined: Thu Jun 21, 2018 5:11 pm

Re: How to verify the ISO image on Windows

Post by gm10 » Fri Mar 29, 2019 10:50 am

Starkman wrote:
Fri Mar 29, 2019 10:31 am
This helps, but I think it needs some tweaking.

1.) The reference to https://linuxmint.com/verify.php leads one to click on their version to download. Doing so tells them to download two files: a .txt and a .gpg. Sadly, these files cannot be downloaded by a Windows user.

2. Regardless of whether one holds Shift or not while clicking either of these three files, the option to open a Command line in Windows does not appear; a PowerShell window may open if one right-clicks the open area in the folder, but that's about it.
Thanks for the feedback. Good point regarding PowerShell, I amended the guide with that. It already said you were supposed to right click the folder, not the files though (I made it even clearer).

Regarding your 1), I am linking there exactly for the reason that I want the user to download those two files. As karlchen said, there is no problem with downloading them on Windows. If you explain your trouble with that I'm sure we can help you out.

Starkman
Level 3
Level 3
Posts: 104
Joined: Mon Jun 20, 2016 1:19 pm
Location: Oregon, USA

Re: How to verify the ISO image on Windows

Post by Starkman » Fri Mar 29, 2019 11:01 am

Karl,

Okay, you got me on the right-click > Save Link As... I am no "poor" windows user, but I have to say I have never tried (nor needed to try) clicking a "link" to download it as a file, thinking that I could choose Save Link As a file instead of...a LINK, not a file (after all, it is a link, not a file). This is the first time that I can recall ever coming across this So, you got me there. But hey, we all learn something new here and there, do we not?

Thanks.
Starkman

Six to seven-year-old home-built Intel i3, spinner drive, Mint 19.1

gm10
Level 17
Level 17
Posts: 7439
Joined: Thu Jun 21, 2018 5:11 pm

Re: How to verify the ISO image on Windows

Post by gm10 » Fri Mar 29, 2019 11:20 am

Starkman wrote:
Fri Mar 29, 2019 11:01 am
Okay, you got me on the right-click > Save Link As... I am no "poor" windows user, but I have to say I have never tried (nor needed to try) clicking a "link" to download it as a file, thinking that I could choose Save Link As a file instead of...a LINK, not a file (after all, it is a link, not a file). This is the first time that I can recall ever coming across this So, you got me there. But hey, we all learn something new here and there, do we not?
We understand, it's why we explicitly state in the instructions to right-click, I'm not sure we can make that clearer. Maybe we'll end up having to bold and underline it. ;)

Starkman
Level 3
Level 3
Posts: 104
Joined: Mon Jun 20, 2016 1:19 pm
Location: Oregon, USA

Re: How to verify the ISO image on Windows

Post by Starkman » Fri Mar 29, 2019 11:23 am

I was so sure I read it to right-click a file, not a folder. And this after I just got new glasses! And, to boot, there's no more beer in the fridge to numb me after this horrible, embarrassing ordeal: that I can right click a LINK, for pete's sake, and save it as a file. Who knew!

Thanks much.
Starkman

Six to seven-year-old home-built Intel i3, spinner drive, Mint 19.1

Raging Beaver
Level 1
Level 1
Posts: 2
Joined: Wed Apr 03, 2019 8:39 am

Re: How to verify the ISO image on Windows

Post by Raging Beaver » Wed Apr 03, 2019 8:44 am

When I try to execute this command:

Code: Select all

gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key "27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09"
I get this error message:

Code: Select all

gpg : The term 'gpg' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:2
+  gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key "27DE B15 ...
+  ~~~
    + CategoryInfo          : ObjectNotFound: (gpg:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Anyone know a solution or what I might have done wrong? I was able to follow all the steps up to this point with no problem.

gm10
Level 17
Level 17
Posts: 7439
Joined: Thu Jun 21, 2018 5:11 pm

Re: How to verify the ISO image on Windows

Post by gm10 » Wed Apr 03, 2019 9:11 am

Raging Beaver wrote:
Wed Apr 03, 2019 8:44 am
Anyone know a solution or what I might have done wrong? I was able to follow all the steps up to this point with no problem.
Sounds like you didn't install GnuPG (step 2 of the Preparation section).

Raging Beaver
Level 1
Level 1
Posts: 2
Joined: Wed Apr 03, 2019 8:39 am

Re: How to verify the ISO image on Windows

Post by Raging Beaver » Wed Apr 03, 2019 9:17 am

gm10 wrote:
Wed Apr 03, 2019 9:11 am
Raging Beaver wrote:
Wed Apr 03, 2019 8:44 am
Anyone know a solution or what I might have done wrong? I was able to follow all the steps up to this point with no problem.
Sounds like you didn't install GnuPG (step 2 of the Preparation section).
Oh. I had the installer downloaded but I guess I forgot to do anything with it. Thanks.

Maxmagicbanana
Level 1
Level 1
Posts: 2
Joined: Wed Apr 10, 2019 6:22 pm

Re: How to verify the ISO image on Windows

Post by Maxmagicbanana » Wed Apr 10, 2019 6:29 pm

So I got the first few step good but whe nI went to verified the iso with the last command it showed me this line

Code: Select all

PS C:\Users\maxmagicbanana\Desktop\Linux> gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: impossible d'ouvrir « sha256sum.txt.gpg » : No such file or directory
gpg: verify signatures failed: No such file or directory
SO I'm not to sure how to get it to work.

User avatar
karlchen
Level 20
Level 20
Posts: 10852
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: How to verify the ISO image on Windows

Post by karlchen » Wed Apr 10, 2019 6:40 pm

Hi, Maxmagicbanana.

Code: Select all

PS C:\Users\maxmagicbanana\Desktop\Linux> gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: impossible d'ouvrir « sha256sum.txt.gpg » : No such file or directory
gpg: verify signatures failed: No such file or directory
You have verified that both files, sha256sum.txt.gpg and sha256sum.txt, are located in the same folder, in folder C:\Users\maxmagicbanana\Desktop\Linux?

Regards,
Karl
Image
Linux Mint 18.1 64-bit Cinnamon Desktop, Total Commander 9.22a 64-bit
Ubuntu 18.04.2 32-bit Mate Desktop, Total Commander 9.22a 32-bit
Windows? - 1 window in every room

Maxmagicbanana
Level 1
Level 1
Posts: 2
Joined: Wed Apr 10, 2019 6:22 pm

Re: How to verify the ISO image on Windows

Post by Maxmagicbanana » Thu Apr 11, 2019 1:27 pm

Yes all the files are in the same folder.

jhglmforums
Level 1
Level 1
Posts: 2
Joined: Fri Apr 12, 2019 2:43 pm

Re: How to verify the ISO image on Windows

Post by jhglmforums » Fri Apr 12, 2019 2:48 pm

Hello,

I get "gpg: could not parse keyserver URL" at step 1) of the authenticity check.

Joe

User avatar
xenopeek
Level 24
Level 24
Posts: 23957
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: How to verify the ISO image on Windows

Post by xenopeek » Fri Apr 12, 2019 3:03 pm

There was a typo in this command:
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"

Was that the one giving you an error? Try again with above command. I also fixed it in the first post in this topic.
Image

jhglmforums
Level 1
Level 1
Posts: 2
Joined: Fri Apr 12, 2019 2:43 pm

Re: How to verify the ISO image on Windows

Post by jhglmforums » Fri Apr 12, 2019 3:17 pm

xenopeek wrote:
Fri Apr 12, 2019 3:03 pm
There was a typo in this command:
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"

Was that the one giving you an error? Try again with above command. I also fixed it in the first post in this topic.
Yup, that was it! Thanks for updating the tutorial.

Joe

monotoned
Level 1
Level 1
Posts: 2
Joined: Sat Apr 13, 2019 8:23 am

Re: How to verify the ISO image on Windows

Post by monotoned » Sat Apr 13, 2019 8:32 am

This is a really dumb question, but how do you use the find command? I typed: find "copied and pasted hash here" sha256sum.txt and got FIND: Parameter format not correct. However it matches when I do ctrl+f directly in the text file itself. Sorry about something so basic as this, I'm a long-time windows user trying to make a switch. Thank you in advanced!

User avatar
karlchen
Level 20
Level 20
Posts: 10852
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: How to verify the ISO image on Windows

Post by karlchen » Sat Apr 13, 2019 8:41 am

Hello, monotoned.

The Windows find command is used to find strings inside text files.
The Linux find command, however, is used to find files or directories, based on various search criteria. It does not look for strings inside text files.
The Linux command grep is what corresponds to the Windows find command.

More details on Linux find and grep:

Code: Select all

find --help
man find

grep --help
man grep
HTH,
Karl
Image
Linux Mint 18.1 64-bit Cinnamon Desktop, Total Commander 9.22a 64-bit
Ubuntu 18.04.2 32-bit Mate Desktop, Total Commander 9.22a 32-bit
Windows? - 1 window in every room

gm10
Level 17
Level 17
Posts: 7439
Joined: Thu Jun 21, 2018 5:11 pm

Re: How to verify the ISO image on Windows

Post by gm10 » Sat Apr 13, 2019 8:57 am

karlchen thx but this is a guide for Windows so the Linux command really doesn't matter in this context. ;)
monotoned wrote:
Sat Apr 13, 2019 8:32 am
This is a really dumb question, but how do you use the find command? I typed: find "copied and pasted hash here" sha256sum.txt and got FIND: Parameter format not correct.
Not a dumb question at all but a shortcoming of my guide actually. Thanks for bringing this to my attention.

I had originally not written it with PowerShell in mind, was reminded of it later in this thread but didn't consider the implications for the find command. In PowerShell you'd need to use triple quotes """hash""". I'll adjust the guide to make everybody use cmd.exe, it's simpler.

Your Ctrl+F manual check is completely sufficient though so you do not need to do it again, using find was meant to simplify things, not complicate them as happened here. ;)

Post Reply

Return to “Tutorials”