How to verify the ISO image on Windows

Write tutorials for Linux Mint here
More tutorials on https://github.com/orgs/linuxmint/discu ... /tutorials and (archive) on https://community.linuxmint.com/tutorial
Forum rules
Don't add support questions to tutorials; start your own topic in the appropriate sub-forum instead. Before you post read forum rules
Locked
gm10

Re: How to verify the ISO image on Windows

Post by gm10 »

astroannie wrote: Fri Jun 28, 2019 3:53 pm I'm getting this message:

Code: Select all

gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
I'm expecting this is not a pass. After several BAD ISO's I'm trying for a good.
Assuming you typed the command line exactly as I wrote (and didn't switch the argument order or something like that), this means that the file sha256sum.txt.gpg is bad, try to download it again.
Sutla

Re: How to verify the ISO image on Windows

Post by Sutla »

In the original instruction this comment was left; "In most Linux distributions the SHA256 sum can be generated by opening a terminal and running the following commands:"
The problem with these instructions is that while many might understand Linux and the terminology, most that want to try this for the first time will have no clue.
This simple process of verification is very off putting and makes many, I assume, turn around at the door.
I have used Linux Mint 18 Cinnamon before and found the software a pure delight in many regards.
Currently I want it dual booted with Windows as I am using a few apps for which there is no Linux options.
On the previous install I skipped the verification and was lucky enough to get a good install. This time round I have found an issue and can't be sure my download is good. The most logical thing to do is to verify my download first before downloading it a second time or before looking for problems elsewhere.
The instructions here and on the verification page have me ready to quit on installing the software.

What is a terminal???? I believe it is the same as a DOS command window but can't be sure and because I am still working on a Windows system and not yet on Linux this makes it even more confusing. I do not see the term "terminal" commonly used by Windows users.

Another problem I have run into is that on both Firefox and Chrome when right clicking on the "sha256sum.txt" file the option to save is not available but only an option to "save link as...". I am sure "save as" and "save link as" is not the same thing.
User avatar
karlchen
Level 23
Level 23
Posts: 18177
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: How to verify the ISO image on Windows

Post by karlchen »

Hello, Sutla.

I am not sure why you complain about gm10's instruction on "How to verify the ISO image on Windows", post #1 in this thread here.
I checked the instruction for the Linux term terminal; and I did not find it. gm10 explains the procedure in Windows terms for Windows users.
So why do you complain to him about terms only used in the genuine Linux instruction?

The reason why gm10 created his tutorial "How to verify the ISO image on Windows" was precisely that the Linux instruction is only usable (unmodified) on Linux and that Windows users, who have not got any Linux system, yet, need an instruction, which they can follow on the Windows system, which they have got and which they are used to.

gm10 is really the wrong person to complain to about how complicated the procedure is.

Actually it is not. Once you have understood how it works:
+ You download the needed ISO image file
+ You find out what the sha256 checksum of the downloaded file is.
+ You compare your sha256 checksum to the official sha256 checksums list, published by the Mint makers.
+ If they match, your ISO image has been downloaded correctly and not been tampered with.
+ But wait: the published sha256 checksums list might have been manipulated by bad guys.
+ So now you check that the sha256 checksums list is genuine.
+ In case it is, all is good. No manipulation occurred.

Regards,
Karl
Image
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 762 days now.
Lifeline
gm10

Re: How to verify the ISO image on Windows

Post by gm10 »

Sutla wrote: Sat Jul 27, 2019 9:20 am In the original instruction this comment was left; "In most Linux distributions the SHA256 sum can be generated by opening a terminal and running the following commands:"
The problem with these instructions is that while many might understand Linux and the terminology, most that want to try this for the first time will have no clue.
This simple process of verification is very off putting and makes many, I assume, turn around at the door.
I have used Linux Mint 18 Cinnamon before and found the software a pure delight in many regards.
Currently I want it dual booted with Windows as I am using a few apps for which there is no Linux options.
On the previous install I skipped the verification and was lucky enough to get a good install. This time round I have found an issue and can't be sure my download is good. The most logical thing to do is to verify my download first before downloading it a second time or before looking for problems elsewhere.
The instructions here and on the verification page have me ready to quit on installing the software.

What is a terminal???? I believe it is the same as a DOS command window but can't be sure and because I am still working on a Windows system and not yet on Linux this makes it even more confusing. I do not see the term "terminal" commonly used by Windows users.
This thread is about my tutorial for doing it on Windows. Your comments are about the Linux instructions and thus not helpful in this thread. If you want to suggest improvements to the Linux instructions best create a thread in the suggestions forum.
Sutla wrote: Sat Jul 27, 2019 9:20 am Another problem I have run into is that on both Firefox and Chrome when right clicking on the "sha256sum.txt" file the option to save is not available but only an option to "save link as...". I am sure "save as" and "save link as" is not the same thing.
I had hoped that any mildly intelligent person would be able to extrapolate from "Save as" to their actual "Save XXX as" option, however I take your point and added "(exact wording varies depending on your browser)" to the guide to remove any doubt. I cannot edit the Linux instructions on the web site so see above regarding a suggestions thread.
MxRockatansky
Level 1
Level 1
Posts: 16
Joined: Mon Jul 29, 2019 7:36 am

Re: How to verify the ISO image on Windows

Post by MxRockatansky »

I'm repeatedly getting a hash (that seems consistent across multiple download mirrors) different to the sha256sum.txt file, starting 7b53. I'm trying to download 19.1 Xfce 64 bit on a Windows 7 comp. Can anyone help?
User avatar
karlchen
Level 23
Level 23
Posts: 18177
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: How to verify the ISO image on Windows

Post by karlchen »

Hello, McRockatansky.

This is the official sha256 checksum for Mint 19.1 64-bit xfce (linuxmint-19.1-xfce-64bit.iso):
7b53b29a34cfef4ddfe24dac27ee321c289dc2ed8b0c1361666bbee0f6ffa9f4 *linuxmint-19.1-xfce-64bit.iso
Cf. this file (Mint 19.1) sha256sum.txt

In case you keep on getting a different sha256 checksum, the question raises, whether you really downloaded this ISO: linuxmint-19.1-xfce-64bit.iso
In case you get precisely this sha256 checksum, but your sha256sum.txt file does not list it, the question raises, whether you downloaded the sha256sum.txt for a different Mint release perhaps.

Regards,
Karl
Image
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 762 days now.
Lifeline
MxRockatansky
Level 1
Level 1
Posts: 16
Joined: Mon Jul 29, 2019 7:36 am

Re: How to verify the ISO image on Windows

Post by MxRockatansky »

Ok, thanks. I didn't realise the sha256sum contained all the versions, I just compared the start of mine with the start of the file. Opening it in browser makes it obvious because there's line breaks, but in notepad I missed that the text kept going. And I think the find command failed because I put in spaces. My bad, thanks for the assist!
momist
Level 4
Level 4
Posts: 248
Joined: Mon May 21, 2012 3:30 pm
Location: Lancashire, Northwest England

Re: How to verify the ISO image on Windows

Post by momist »

Hi. I'm trying to download and verify the latest 19.2 Cinnamon image. I've got as far as a satisfactory integrity check, but have trouble with the authenticity check. When I follow the instructions (I think correctly) I get this report:

gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: key 300F846BA25BAE09: "Linux Mint ISO Signing Key <root@linuxmint.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
PS C:\Users\stewa\Downloads> gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: can't open 'sha256sum.txt.gpg': No such file or directory
gpg: verify signatures failed: No such file or directory

The file in my Downloads directory is called sha256sum.txt.gpg.txt changing it doesn't work.
Please what have I done wrong?
momist : a follower of the Greek god Momer.
gm10

Re: How to verify the ISO image on Windows

Post by gm10 »

momist wrote: Sat Aug 03, 2019 5:28 am The file in my Downloads directory is called sha256sum.txt.gpg.txt changing it doesn't work.
Please what have I done wrong?
Quite possibly you didn't download using Right click > Save as as per the instructions and should just delete both sha256sum files and redownload them correctly. Otherwise you can try the command like this:

Code: Select all

gpg --verify sha256sum.txt.gpg.txt sha256sum.txt
momist
Level 4
Level 4
Posts: 248
Joined: Mon May 21, 2012 3:30 pm
Location: Lancashire, Northwest England

Re: How to verify the ISO image on Windows

Post by momist »

Yes, I tried this.

Code: Select all

 gpg --verify sha256sum.txt.gpg.txt sha256sum.txt
gpg: Signature made 07/29/19 17:43:47 GMT Summer Time
gpg:                using RSA key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09
I'm using a shiny new version of Windows 10, and struggling as I've not touched Windows for nearly 10 years, and that was Win XP!
I did do the right click, as instructed, but it seems windows adds the .txt to the end because it 'recognises' a text file? Deleting the .txt is altering what you've downloaded, so I expect that causes the fail.
I'll try going through it all again.
momist : a follower of the Greek god Momer.
momist
Level 4
Level 4
Posts: 248
Joined: Mon May 21, 2012 3:30 pm
Location: Lancashire, Northwest England

Re: How to verify the ISO image on Windows

Post by momist »

Same result after repeating 'save as'.
momist : a follower of the Greek god Momer.
gm10

Re: How to verify the ISO image on Windows

Post by gm10 »

momist wrote: Sat Aug 03, 2019 7:29 am

Code: Select all

gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]
so I expect that causes the fail.
Why fail? To quote my guide:
gm10 wrote: Thu Mar 28, 2019 5:02 pm As long as it says Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" that means your download is authentic.
You're good. ;)

Next steps are creating the installation medium and installing.
momist
Level 4
Level 4
Posts: 248
Joined: Mon May 21, 2012 3:30 pm
Location: Lancashire, Northwest England

Re: How to verify the ISO image on Windows

Post by momist »

Ah!! "Note: Unless you trusted this signature in the past, or a signature which trusted it, GPG should warn you that the signature is not trusted. This is expected and perfectly normal." Sorry everyone, I missed that. :oops:
momist : a follower of the Greek god Momer.
momist
Level 4
Level 4
Posts: 248
Joined: Mon May 21, 2012 3:30 pm
Location: Lancashire, Northwest England

Re: How to verify the ISO image on Windows

Post by momist »

Thanks GM10 for your help here. I'm brain-fogged this morning from an illness I have, but no excuse. I should have read it more carefully. I'm now good to go once the new SSD arrives today. It'll be a relief to be back on Linux Mint, I'm missing it after a stupid error which left me in disaster recovery.
momist : a follower of the Greek god Momer.
User avatar
busdriver12
Level 3
Level 3
Posts: 182
Joined: Mon Aug 12, 2019 9:34 am
Location: Perth WA
Contact:

Re: How to verify the ISO image on Windows

Post by busdriver12 »

Sorry to pile on, but I too am having problems with the process. I am running Win7 and have saved the distro and the 2 other files (sha256sum.txt and sha256sum.txt.gpg). I am successful with the autheticity check but the Integrity check fails (see below):

Code: Select all

c:\Users\Phil\Downloads\ISO>CertUtil -hashfile linuxmint-19.2-cinnamon-64bit.iso SHA256
CertUtil: -hashfile command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.
Here are the contents of the directory containing

Code: Select all

c:\Users\Phil\Downloads\ISO>dir /o/aa
 Volume in drive C has no label.
 Volume Serial Number is 0EC5-7FF1

 Directory of c:\Users\Phil\Downloads\ISO

12/08/2019  14:16     2,009,333,760 linuxmint-19.2-cinnamon-64bit.iso
12/08/2019  20:54               584 sha256sum.txt
12/08/2019  20:55               833 sha256sum.txt.gpg
               3 File(s)  2,009,335,177 bytes
               0 Dir(s)  545,105,268,736 bytes free
The error code suggests to me that one of the files is not where it expected to be but I am no expert.

I knew I was going to find this moving to linux a challenging process but am having a chuckle that my first roadblock is at the very beginning!

TIA for any help.
Phil

[Edit] I've managed to solve the problem by putting the full pathname of the iso file. The modified command is:

Code: Select all

CertUtil -hashfile c:\Users\Phil\Downloads\linuxmint-19.2-cinnamon-64bit.iso SHA256
I don't know how any times in the past I've had to do this and kicking myself I didn't spot it straight away!

Although it doesn't affect my situation, if there are any spaces in your file/pathname I suggest you enclose it in quotes seeing you are working in the windows universe. Hope this helps :)
Phil

Linux Mint 21.3
Cinnamon 6.0.4
User avatar
Daisuke
Level 3
Level 3
Posts: 179
Joined: Fri Jun 21, 2019 6:29 pm
Location: San Diego CA

Re: How to verify the ISO image on Windows

Post by Daisuke »

The directions tell us to right click on the link and choose "Save As...". This was not an option on the right click menu in my Firefox browser running on Windows 8.1.

Since "open link in a new tab" was a right-click option, I tried this. For the file sha256sum.txt.gpg a dialog box popped up allowing me to save the file directly.

BUT, for the file sha256sum.txt, this dialog did not pop up. Instead the text of the file was displayed in the new tab. Probably because the browser was able to display a .txt file! (This is what browsers normally do when they can!) So I saved this text into a binary editor and created my own file. BIG MISTAKE! Probably because using ctrl-C to copy the text must have captured different white space. Therefore, gpg failed to authenticate.

I posted a question about this in the newbie forum and rene pinpointed the issue. She noted that a common error was not actually downloading the file itself. So the problem then became one of figuring out how to download the file. I found this helpful idea here https://superuser.com/questions/25538/h ... et-or-curl among several others which did not work.

The certutil command has a download capability which solved the problem. Here is how I used it.

certutil.exe -urlcache -split -f "https://mirrors.evowise.com/linuxmint/s ... 256sum.txt" sha256sum.txt

This command works equally well in a cmd shell and in the PowerShell. Once the file was properly downloaded, I was able to successfully complete the Authenticity Check.

Thanks for a really great tutorial gm10!
gm10

Re: How to verify the ISO image on Windows

Post by gm10 »

Daisuke wrote: Tue Aug 20, 2019 2:47 pm The directions tell us to right click on the link and choose "Save As...". This was not an option on the right click menu in my Firefox browser running on Windows 8.1.
It also says that the exact wording depends on your browser. Here is a screenshot of the current version of Firefox on Windows, I marked the applicable option for you:

Image
Daisuke wrote: Tue Aug 20, 2019 2:47 pm Thanks for a really great tutorial gm10!
That's kind of you to say so, you are very welcome.
User avatar
Daisuke
Level 3
Level 3
Posts: 179
Joined: Fri Jun 21, 2019 6:29 pm
Location: San Diego CA

Re: How to verify the ISO image on Windows

Post by Daisuke »

I guess my confusion was around the idea of saving a link. I have been thinking too literally I guess (for many years!), i.e. saving a link meant the link string and not the contents of the link in a file. I just tried "Saving Link As" and voilà! the contents of the file pointed to by the link was saved in a file of the same name. Like magic - a nice thing to know going forward and in other situations!

Thank you for posting a helpful and informative reply!
User avatar
JoeFootball
Level 13
Level 13
Posts: 4674
Joined: Tue Nov 24, 2009 1:52 pm
Location: /home/usa/mn/minneapolis/joe

Re: How to verify the ISO image on Windows

Post by JoeFootball »

alza68 wrote: Fri Aug 23, 2019 10:29 am Would be immensely obliged and appreciated if you could point the tool for evaluating the authenticity of the .iso image for win XP as the command line provided by the help section of linux community does lack several vital and pertinent information for new users.
As requested, posting this article for Windows XP users, as CertUtil does not appear to be native to that OS.

Joe
oldProgrammer

Re: How to verify the ISO image on Windows

Post by oldProgrammer »

I sought out Linux Mint with replacing Vista on our machine in mind. Well, the flag SHA256 in this command
CertUtil -hashfile filename.iso SHA256
is not found in the Vista CertUtil. I used that on Windows 8.1 to get the right answer. Doubtless the program in the XP instructions, too, would have worked.
Locked

Return to “Tutorials”