[SOLVED] Cannot verify authenticity of 21.1

[Kunkle]

Hello.

Currently using 20.2 Cinammon, and deciding to change to 21.1 Mate.

I downloaded 21.1 Mate iso, the sha256sum.txt, and the sha256sum.txt.gpg file, all to my downloads folder, and all from linuxmint.com. I then followed the steps here https://linuxmint-installation-guide.re ... erify.html

The integrity check was fine and straightforward.

When I tried to verify the authenticity I followed the steps exactly on that page, but when I tried gpg --verify sha256sum.txt.gpg sha256sum.txt it came back with this:

So I investigated, and a thread on here advises to right click on the iso file, and there should be a "verify" option with GUI. There isn't on my iso file. All I have is an option to "check SHa256" which, as far as I can tell, is for the integrity check.

I'm a relative beginner with Linux, and I've had this problem with installs before, and ended up just ignoring it. But I don't want to do that this time, I want to be more sure it's authentic. Can anybody please help me with verifying the authenticity?

Thanks in advance.

[rene]

You are in your home-directory ~ and not in your downloads directory ~/Downloads. I.e., cd ~/Downloads if indeed that is where you downloaded it all to.

[Kunkle]

You are in your home-directory ~ and not in your downloads directory ~/Downloads. I.e., cd ~/Downloads if indeed that is where you downloaded it all to.

I don't quite understand what you mean. Do you mean I should download them to my home directory?

EDIT: stupid me..... I got it now.

[Kunkle]

Just to double check, should I be concerend about the warning here?

[rene]

No, that is fine and is what the https://linuxmint-installation-guide.re ... erify.html page talks about where it says

Note

GPG might warn you that the Linux Mint signature is not trusted by your computer. This is expected and perfectly normal.

The thing it's saying with that "Good signature from" part is that indeed the checksums.txt file was signed (in the checksums.txt.gpg file) by the "Linux Mint ISO Signing Key" as you obtained from the keyserver. What it's saying with that warning is just that you haven't told it that said key could in fact be trusted -- but given that displayed fingerprint which you can also verify on that linked page, it can, and while you could forego the warning by signing the key itself with e.g. your own private key, you shouldn't. It's after all right, and has you think about how/where you obtained the key (which as said in this case is all fine).

[Kunkle]

Brilliant, thanks for your replies. Much appreciated.

I note the wording of the warning in terminal, and the wording on the link were a little different, so just wanted to double check.

[rene]

Yah. I'd agree that it were better if the Linux Mint page pasted that literal GPG wording.