[SOLVED] ISO downloads from 2 mirrors fail verification [SOLVED]

[Daisuke]

I am using a Windows 8.1 system to create a bootable USB drive of Linux Mint (Cinnamon) 19.2 64 bit.
I tried to verify and authenticate the download but the process failed on both mirrors I tried.
The process I used is below. If anyone with knowledge about this process can point out my mistake or possibly determine if there is something wrong with the data on these mirrors, that would be great. Thank you.

I downloaded linuxmint-19.2-cinnamon-64bit.iso from here:
https://linuxmint.com/edition.php?id=267. The two mirrors I used were
Canada Manitoba Unix Users Group
Austria UPC Austria

I followed the verification instructions provided here:
viewtopic.php?f=42&t=291093

The integrity check worked fine on both. Here is the output:
C:\Linux\ISO>CertUtil -hashfile linuxmint-19.2-cinnamon-64bit.iso SHA256
SHA256 hash of file linuxmint-19.2-cinnamon-64bit.iso:
a0 5a 06 b7 9f f1 2a 74 7a 18 7a a9 a8 7c 5b a1 f7 e0 c1 81 4c da 71 45 56 60 39
01 e2 00 15 12
CertUtil: -hashfile command completed successfully.

C:\Linux\ISO>find "a05a06b79ff12a747a187aa9a87c5ba1f7e0c1814cda714556603901e2001512" sha256sum.txt
---------- SHA256SUM.TXT
a05a06b79ff12a747a187aa9a87c5ba1f7e0c1814cda714556603901e2001512 *linuxmint-19.2-cinnamon-64bit.iso

However, the integrity check failed on both. They failed in the same way.
Here is the output of the commands:
C:\Linux\ISO>"C:\Program Files (x86)\gnupg\bin\gpg" --keyserver hkps://keyserver.ubuntu.com:443 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: C:/Users/daisuke/AppData/Roaming/gnupg/trustdb.gpg: trustdb created
gpg: key 300F846BA25BAE09: public key "Linux Mint ISO Signing Key <root@linuxmint.com>" imported
gpg: Total number processed: 1
gpg: imported: 1

C:\Linux\ISO>"C:\Program Files (x86)\gnupg\bin\gpg" --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made 07/29/19 09:43:47 Pacific Daylight Time
gpg: using RSA key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: BAD signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]

[Daisuke]

Sorry, that should say the AUTHENTICITY check failed on both.

[pbear]

Perhaps it will help to see an example of how it's supposed to look.

Code: Select all

PS C:\Users\pbear\Downloads\Linux> CertUtil -hashfile linuxmint-19.2-cinnamon-64bit.iso SHA256
SHA256 hash of linuxmint-19.2-cinnamon-64bit.iso:
a05a06b79ff12a747a187aa9a87c5ba1f7e0c1814cda714556603901e2001512
CertUtil: -hashfile command completed successfully.
PS C:\Users\pbear\Downloads\Linux> gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: keybox 'C:/Users/pbear/AppData/Roaming/gnupg/pubring.kbx' created
gpg: C:/Users/pbear/AppData/Roaming/gnupg/trustdb.gpg: trustdb created
gpg: key 300F846BA25BAE09: public key "Linux Mint ISO Signing Key <root@linuxmint.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
PS C:\Users\pbear\Downloads\Linux> gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made 07/29/19 09:43:47 Pacific Daylight Time
gpg:                using RSA key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09
PS C:\Users\pbear\Downloads\Linux>

One thing I notice is that you have a couple of spurious quote marks in the gpg command.

[Daisuke]

I think you are referring to this part of the command:
"C:\Program Files (x86)\gnupg\bin\gpg"

I am executing the command in a Windows "cmd" shell and the path to an executable cannot have any spaces.
This is where the installer put the gpg installation directory. The command seems to be running properly, but the file does not authenticate.

Could you please tell me which mirror you downloaded from?

Thank you!

[Daisuke]

I should add it can have spaces if the entire command string is enclosed in quotes. Not sure about single quotes.

[polarvortex]

The instructions don't say to write the full path. When gpg is installed it gets added to the Windows PATH.

To help with troubleshooting, first try following the instructions exactly

[pbear]

What polarvortex said. Ironically, I've never used gm10's tutorial before, as I now authenticate in Mint. I got it right (as have many others) because I followed the instructions exactly and didn't try to be smarter than he is.

Could you please tell me which mirror you downloaded from?

Irrelevant for part two of the process, which authenticates the checksum file, not the ISO. Both the checksum and GPG files come directly from Mint. Notably, both your ISOs passed the checksum (download integrity) test. Where you went sideways was confirming the checksum file.

[rene]

The problem we usually see is concerning how the sha256.sum.txt and/or sha256sum.txt.gpg files were downloaded. I.e., make sure to actually download them (right-click the URL, save as...) and not open them in a browser and then save that page or something alike; this causes whitespace differences and has GPG therefore correctly tell you that the sha256sum files are not original.

[Daisuke]

Rene - Thank you!
When I right-clicked on the links to sha256sum.txt and sha256sum.txt.gpg, I was not given an option to save the file. Instead I tried to open a link to each. In the case of the file sha256sum.txt.gpg, a dialog box popped up giving me the option to either open or save the file. So I saved it. But in the case of the file sha256sum.txt, it simply listed the content in the browser. I copied this text into a binary editor and saved it. But clearly this did not work.

With some digging, I discovered a handy feature of certutil. It will download files from the web like this:
C:\Linux> certutil.exe -urlcache -split -f "https://mirrors.evowise.com/linuxmint/s ... 256sum.txt" sha256sum.txt
**** Online ****
0000 ...
0248
CertUtil: -URLCache command completed successfully.

Once I correctly downloaded this file, the authentication worked.

C:\Linux\ISO>"C:\Program Files (x86)\gnupg\bin\gpg" --keyserver hkps://keyserver.ubuntu.com:443 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: key 300F846BA25BAE09: "Linux Mint ISO Signing Key <root@linuxmint.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

C:\Linux\ISO>"C:\Program Files (x86)\gnupg\bin\gpg" --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made 07/29/19 09:43:47 Pacific Daylight Time
gpg: using RSA key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09

I inspected the source for the links to the files and found no differences. I suspect the browser used the file extension ".txt" to display the contents rather than provide a download option.

I will add a comment on the tutorial page in case anyone else had this problem.
Once again, sincere thanks Rene!

[Daisuke]

To polarvortex. I do not think it is very nice to imply that I was deliberately not following directions exactly.
As anyone following a tutorial knows, systems vary, and sometimes the instructions provided do not lead to identical results as was the case here.
A right click in the browser did not provide the ability to download both files. Please read my solution above.

To pbear. I agree that gm10's tutorial is very well written, clear and helpful. However, the 5 pages of comments following the tutorial indicated that there were many people who had some small problem along the way, many for the reason I suggested above: systems differ.
I think your snide comment that I was trying " to be smarter than he is" is unhelpful. First of all, do you know that gm10 is a "he"! Second of all, intelligence is not an issue here. gm10 knows much more than I do about how to verify and validate a downloaded ISO. That is why I was following the excellent tutorial s/he provided. This is just the kind of snide remark one should not make in a newbie forum. It discourages people who are trying to learn by posting a question. However, thank you for pointing out that GPG authenticates the checksum file itself and is unrelated to the ISO file itself.

Finally, using a fully qualified path to a command in no way invalidates the command or affects its execution. I did this because after installation, my cmd shell could not find GPG. In hindsight, I see this was due to the fact that it was opened before the install finished, and therefore did not have the updated PATH env var which the install modified. CMD loads its env vars at start up and does not check again. You can see that the command ran successfully and found errors. But the fully qualified path was not the cause of the errors. Perhaps it is you who thinks you are smarter than I am and that is why you felt free to make your derogatory remark.

[pbear]

Am I allowed to respond in kind? Or will you take exception to that also?

Actually, I won't out of deference to the the mods. But point out you're using a double standard.

Have a nice day.

[polarvortex]

To polarvortex. I do not think it is very nice to imply that I was deliberately not following directions exactly.
As anyone following a tutorial knows, systems vary, and sometimes the instructions provided do not lead to identical results as was the case here.
A right click in the browser did not provide the ability to download both files. Please read my solution above.

Meanwhile, I think it is very nice for me to take time to reply to your thread and try to help you.

I had no opinion on whether you were deliberately not following the directions exactly, I only observed that you were not. That always makes me suspect that the person might have done other steps slightly differently too. Hence my sincere advice to first follow the tutorial exactly.

And my suspicion turned out to be correct, as doing the save file step incorrectly was the cause of your problem. It's impossible to troubleshoot when one deviates from the tutorial, because the deviations can potentially introduce random unknown problems.

Finally, using a fully qualified path to a command ... was not the cause of the errors.

Yeah. Generally speaking using a full path should not negatively affect the command. But then again, who knows? Maybe gpg is weird and there's some minor odd issue in windows 8. The point is, you need a 1:1 comparison with the tutorial to determine if there is a problem with the tutorial or a problem with the way it's being followed.

This is all ironic, because I have actually been working on a tutorial based on gm10's, called "How to verify the ISO image on Windows for dummies" in which I specifically show the different right-click menu items to save as or save link as, in edge, firefox, chrome, ...

Now please don't take that the wrong way and feel that I am implying you are a dummy

[Daisuke]

Rene - Thank you!
When I right-clicked on the links to sha256sum.txt and sha256sum.txt.gpg, I was not given an option to save the file. Instead I tried to open a link to each. In the case of the file sha256sum.txt.gpg, a dialog box popped up giving me the option to either open or save the file. So I saved it. But in the case of the file sha256sum.txt, it simply listed the content in the browser. I copied this text into a binary editor and saved it.

When I posted my certutil solution directly to the tutorial by gw10, gw10 replied by pointing out that "Save Link As..." works in a way similar to "Save As..." for a file by simply downloading the contents of the file (whether .txt, .pdf or .htm, etc.) to a file instead of displaying it in a browser. I have to confess that I thought "Save Link As" meant simply to save the link (i.e. the URL) in a file and had never bothered to test it out!

So this is a much easier solution to download sha256sum.txt directly to a file.

[Daisuke]

Meanwhile, I think it is very nice for me to take time to reply to your thread and try to help you.
...
Yeah. Generally speaking using a full path should not negatively affect the command. But then again, who knows?

I am ever so grateful that you tried to help. I am just so sorry that you were upset when I politely and tactfully pointed out that your shot-in-the-dark solution was actually orthogonal to the problem. I did this in case anyone else read this thread and thought there was something wrong with using a quoted path in a cmd shell, not to strike a nerve with you and pbear who seemed to have a similar idea about the cause of the failure to authenticate the checksum file. I had no idea that this would set off such a controversy.

This is all ironic, because I have actually been working on a tutorial based on gm10's, called "How to verify the ISO image on Windows for dummies" in which I specifically show the different right-click menu items to save as or save link as, in edge, firefox, chrome, ...

Now please don't take that the wrong way and feel that I am implying you are a dummy

If only you had used your recent experience with gm10's tutorial related to how to download the key files, you would have been the hero of this thread!

I wish you well in completing your derivative tutorial since it will certainly save dummies like me a lot of time once you get it posted. Please be sure to add a comment back to this thread with a link once it is completed as I am sure it will be an invaluable aid to anyone else who is as dumb as me when it comes to downloading files from a browser. I bet that never happened to you!

You are fortunate to have such a wonderful sense of humor and a very clever way with words. Subtle sarcasm and witty repartee is so inspiring in a newbie forum.

[polarvortex]

I am just so sorry that you were upset when I politely and tactfully pointed out that your shot-in-the-dark solution was actually orthogonal to the problem.

I realize I am being trolled, but unlike pbear I can't help myself.

I'm not sure where you are getting that I was "upset"? Everything I wrote is to be taken at face value. My posts were written from a purely logical standpoint without any snark. The fact that you seem to have perceived otherwise is unfortunate. Go back and read them now in their intended positive tone, and maybe you will see.

If only you had used your recent experience with gm10's tutorial related to how to download the key files, you would have been the hero of this thread!

Step one in troubleshooting problems with following a tutorial is ensuring that the person is following the steps in the tutorial as intended. You pasted output that shows you were not following the tutorial exactly, which begs the question What other steps might you not be following exactly. Therefore, the first logical step in supporting you is to get you to follow the tutorial exactly.

It is not a shot in the dark solution. It's not even really a solution. It's advice on how you and the forum posters can get you to a solution. Were no one else to post, then you could follow my advice and either follow the tutorial exactly, or perhaps you would go back and think twice about how you might have done some steps a bit differently, and then post telling us which steps you did a bit differently and why. Then we would immediately have our answer that your deviation from the tutorial with opening the txt file in the browser instead of saving it was the cause of the problem.

That was a detail your original post didn't include, and that following the advice in my post would likely reveal. So rather than being "orthogonal", my post was actually dead on.

I wish you well in completing your derivative tutorial since it will certainly save dummies like me a lot of time once you get it posted. Please be sure to add a comment back to this thread with a link once it is completed as I am sure it will be an invaluable aid to anyone else who is as dumb as me when it comes to downloading files from a browser. I bet that never happened to you!

You are fortunate to have such a wonderful sense of humor and a very clever way with words. Subtle sarcasm and witty repartee is so inspiring in a newbie forum.

Some might say that gm10's tutorial is derivative of my earlier tutorial "How to verify a Linux Mint 18 ISO image on Windows", the first ever written to cover the specific subject completely.
(Of course, those people just don't realize that he probably never read it ) It's all good, that's what FOSS is about.

I wasn't employing my sense of humor or using sarcasm in those 2 posts, although I am a bit in this one. Every word I wrote was entirely literal. I don't think you are dumb. The fact that you went and found that certutil method was cool. My wip tutorial title is a reference to the popular "for dummies" computer self help books. And I picked that title because my tutorial will go into certain excessive details, like those books do, whereas gm10's aims to be more concise.

What doesn't inspire me to take the time to finish that tutorial, or help people on here, is when people reply the way you have in a couple of your posts.

Anyhow, clearly I am not as wise as pbear.

[Daisuke]

my earlier tutorial "How to verify a Linux Mint 18 ISO image on Windows", the first ever written to cover the specific subject completely.

I found your tutorial here viewtopic.php?t=229292 and read it through a couple of times.
It is very detailed and takes the rational approach of first authenticating the sha256sum.txt file before verifying the integrity of the ISO download.
Clearly many appreciative people followed your tutorial and met with success as the many comments thanking you attest. Writing a good tutorial is time consuming and clearly you are good at it. I thought I would include the link here as it is a different approach, especially since downloading the critical files by ftp would avoid all the issues I encountered. In fact, this approach could be used in conjunction with either your new tutorial or gm10's.

So rather than being "orthogonal", my post was actually dead on.

Here is the nub of our differing points of view. While your concern was that I follow the tutorial exactly, which is certainly a valid issue, my concern was that your advice actually contained an incorrect statement regarding the use of a fully qualified path in a cmd shell on Windows. Using the fully qualified path of the gpg command was more generic than the one in the tutorial even if the PATH variable had changed since the install, which it sometimes does over time. It also worked in my case where I was using a shell opened before the install modified the PATH variable.

Anyhow, clearly I am not as wise as pbear.

Wisdom is in the eye of the beholder and well meaning people can have a range of opinions on any subject.

What doesn't inspire me to take the time to finish that tutorial, or help people on here, is when people reply the way you have in a couple of your posts.

I truly apologize if anything I wrote distracts you from completing your tutorial "How to verify the ISO image on Windows for dummies" because it would contain the key step which causes problems for most people, myself included - how to download an exact binary copy of a file in a browser instead of displaying the file. I would have benefited from the added information you plan to include and then this entire thread would be moot! Every undertaking is a series of derivative steps, each one building on the work of someone else. But not everyone has the knowledge to write a good tutorial or the equally important motivation to help other people. So I do hope you will not let my comments interfere with your work.

I wish you well.

[gm10]

especially since downloading the critical files by ftp would avoid all the issues I encountered.

Just because there's the letters ftp in the mirror link in his tutorial does not mean that it uses the ftp protocol. And even should you find an ftp mirror, then know that all major browsers are removing ftp support.

Anyway, while I still think it is much ado about nothing, I amended that paragraph in my tutorial as follows now (addition bolded) so hopefully the matter can be laid to rest:

1. First follow the steps in the "Preparation" section of https://linuxmint.com/verify.php for the version you downloaded. It is essential that at step 3 you follow the instruction to right click the links and select to Save as...(exact wording varies depending on your browser, e.g. Save Link As... in Chrome and Firefox). Left clicking the files and saving the contents in other ways will lead to authentication failure.

I still don't really understand why the previous "Save as.. (exact wording varies depending on your browser)" was ever a problem when there is only one "Save"-type option in your right-click menu but be that as it may. Not going to add the exact wording of every browser out there though.

[polarvortex]

I found your tutorial ...

For anyone else reading this, keep in mind that my old tutorial is just that - old. Old and busted. I found out later that it contains one small potential error with not handling a certain rare failure in the software. I am guessing that caused a tiny percentage of people to think they had authenticated the ISO when they hadn't. I didn't feel the need to fix it or remove it at that point, because it says version 18 in the title, and because it got unstickied and locked, and xenopeek replied to it directing people towards current documentation.

Here is the nub of our differing points of view. While your concern was that I follow the tutorial exactly, which is certainly a valid issue, my concern was that your advice actually contained an incorrect statement regarding the use of a fully qualified path in a cmd shell on Windows.

I appreciate that we are getting along now, but I feel I must say that no it didn't. All I said was that the instructions don't say to write the full path - and indeed they don't.

However, what I am gathering is that our different point of view is that you feel that typing in a slightly different string for a command, that you know or believe does the exact same thing as the string in a tutorial, is following a tutorial exactly. While I feel that following a tutorial literally exactly is following a tutorial exactly. So that when I claimed you were not following the tutorial exactly, you felt that was an incorrect statement. Fair enough. And I think we are on the same page now.

"Left clicking the files and saving the contents in other ways will lead to authentication failure."

If it really already said that then yes this is much ado about nothing. But I do think your new edit is helpful.

[pbear]

I still don't really understand why the previous "Save as.. (exact wording varies depending on your browser)" was ever a problem when there is only one "Save"-type option in your right-click menu but be that as it may. Not going to add the exact wording of every browser out there though.

I've never understood it either, but this has come up many times in the 2+ years I've been on the Forum. OTOH, obviously, all you can do is explain. At some point the user has to take responsibility for "This isn't working, I wonder what I'm getting wrong?"

[gm10]

I've never understood it either, but this has come up many times in the 2+ years I've been on the Forum. OTOH, obviously, all you can do is explain. At some point the user has to take responsibility for "This isn't working, I wonder what I'm getting wrong?"

To be fair, originally the verify.php page made no mention at all of having to right-click > Save as, and the Windows instructions consisted of downloading and installing cygwin, so I can understand why Windows users felt a bit helpless back then. It's for that reason that I created my guide and had Clem reword the page and link to that (plus add the Save As and a few other clarifications).

I'm perfectly with smoothing over parts of the tutorial that continue to be unclear to users but in my opinion you have to be careful not to add too much content or people will just skip over it. You can say it's their responsibility and you would be correct but it's still us that end up answering the support threads so best try to prevent that as best we can. You and I both know we'll never prevent all of it.