How to check sha256sum of an ISO image (NOVICE WAY)

[slipstick]

Hi "wanderous",

Here is another console terminal command you can run that will "ignore any missing files", so that you do not get any "failed error" messages.

sha256sum --check --ignore-missing sha256sum.txt

Code: Select all

sha256sum --check --ignore-missing sha256sum.txt

Hope this helps ...

That option is not recognized by my system - I get this error message:

Code: Select all

sha256sum: unrecognized option '--ignore-missing'

I see from your signature that you are using LM17.3 KDE - I'm using 17.3 Cinnamon with bash version 4.3.11(1)-release (x86_64-pc-linux-gnu) - maybe you have a different bash version?

EDIT: I see that this is part of Gnu Coreutils and it seems I have version 8.21 released in Feb. 2013 and support for the "--ignore-missing" option wasn't added until ver. 8.25 released in Jan., 2016.

[akstrachan]

I've had 7-zip installed for many years on Windows 7 x64 and is on the current version.
The right-click option wasn't there.
The solution was to start 7-zip, check the menu > Options and see that the option needed to be enabled.
Once I did that, the right-click option became available.

[prestonR]

In Windows, use the built-in CertUtil tool from command line, 'start' => 'run':

Code: Select all

CertUtil -hashfile C:\Desktop\linux_mint.iso SHA256

or

Code: Select all

CertUtil -hashfile C:\Desktop\linux_mint.iso MD5

[Spiderspoon]

WINDOWS OS
In windows OS following this instructions:

1-Download and install the application HashTab
2-Open the directory where you downloaded the ISO image (usually the Download folder),
3-Right click on the downloaded ISO image and select Properties from the menu and check the file hashes tab
4- Cancel the hashing in progress and open setting option and check SHA-256, uncheck other options, let the system calculate again the hash
5-Open the sha256sums.txt file address to check the sum of the sha256sum of downloaded image
https://ftp.heanet.ie/mirrors/linuxmint ... 256sum.txt
6- Highlight and copy the corresponding ISO image sha256sum, past in the Hash comparison space
7-The system compares immediately and warns if they match or not.

Done

Some comments. I am using Windows 10. I expected to find a program called HashTab. After a couple of goes I noticed the instructions which popped up in the default browser. So I found the File Hashes tab in properties, which now appears to become a part of properties for all files.
4. Cancel the hashing in progress to the right of the advancing green bar. It took me ages to find Settings, as I was looking in the wrong places. Settings is in blue, just above Hash Comparison. Ensure only SHA-256 is checked, unchecking all other options. It is probably quicker to click on Select None, and then check SHA-256. Click OK and Hashing Progress will proceed. It will then read Hash Comparison and the Hash Value will appear in the box. It will give a green tick next to SHA-256. It is not finished yet. The green tick at this point does not mean success. You now have to compare this Hash Value with the relevant value in the sha256sum.txt file. Highlight and delete the value in the Hash Comparison box, as this is a copy of the Hash Value above. This box needs to be empty before proceeding.
6. Open the sha256sum.txt file and highlight the relevant Hash Value. This file contains a few hash values. Look for the one which matches the iso you have downloaded. Copy this highlighted section and paste it into the Hash Comparison box. If identical, you will get the green tick.

What I did was to make a copy of the sha256sum.txt with only the relevant hash value remaining. I deleted the rest. That way, when I repeated the test, it was easier. Also, having selected SHA-256 in Settings once, it remains the only one there. But you still have to Cancel the initial hashing. Clicking on Compare a file gave a red cross, even with the amended file. So I don't know what that is doing. I guess HashTab is written by someone else who uses that for some other purpose.

I've written all these words as I got it wrong the first time I did it and it took a few goes to figure it out. Once I did it correctly, it's simple. It doesn't need to be done often, only when you download a new iso.

Thanks.

[slipstick]

It doesn't need to be done often, only when you download a new iso.

Once you can verify your new downloaded .iso file in Linux, it's even easier. Here is a script file which I have modified a little from one posted a couple of years ago on this forum by forum member "austin.texas". You can keep this script in a convenient location, for example in /home/username/bin. Then download your new iso file to the ~/Downloads folder and copy this script to that folder and execute the script with the .iso name as the parameter:

Code: Select all

#!/bin/bash

# Save this file in the ~/bin folder (or other convenient locations) as LM_iso_verify.sh
# When you want to check the integrity of the downloaded LMxx.x .iso file:
#
# Download or move your Mint xx.x.iso file to your Downloads folder.
# Move this sumLM18.sh file to the Downloads folder
#  and make sure it is marked as executable.  (Or if you keep it in /home/<your user name>/bin,
#  then it is should already be on the PATH, and you don't need to move it.)
#
# Open a terminal window and cd to ~/Downloads, then
# run the script with "./LM_iso_verify.sh  Mint-xx.x-correct-filename.iso"
# EXAMPLE:   ./LM_iso_verify.sh  linuxmint-18.3-cinnamon-64bit.iso
# or if the script is in /home/bin or otherwise on the PATH, then
# EXAMPLE:     LM_iso_verify.sh  linuxmint-18.3-cinnamon-64bit.iso



# Check for one parameter on the command line (the .iso file name)
if [ $# -ne 1 ]; then
	echo "Usage: $(basename "$0") linuxmint-xx.x-correct-filename.iso"
	exit 1
fi

# Check if that file exists in the working directory and is readable
if [ ! -r "$1" ]; then
	echo "File $1 does not exist or is not readable"
	exit 1
fi

# Importing the signing key (LM18 and higher)
gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"



# This is for LM18.3 versions - modify these wget lines as needed for other versions
# Download the Mint 18.3 sha256 sum txt files

# If heanet.ie site isn't working, comment out these two lines and uncomment the wget lines for the alternate site
#    or use another alternate of your choice.
wget https://ftp.heanet.ie/mirrors/linuxmint.com/stable/18.3/sha256sum.txt
wget https://ftp.heanet.ie/mirrors/linuxmint.com/stable/18.3/sha256sum.txt.gpg

# University of Oklahoma mirror - an alternate site if above heanet.ie isn't working
#wget http://reflection.oss.ou.edu/linuxmint/isos/linuxmint.com/stable/18.3/sha256sum.txt
#wget http://reflection.oss.ou.edu/linuxmint/isos/linuxmint.com/stable/18.3/sha256sum.txt.gpg




# Verify the signature on the sha256 sum text file
gpg --verify sha256sum.txt.gpg sha256sum.txt
echo "It should report that the signature is Good, $USER."
echo "You can ignore any warning about ...not certified..."
echo "..."

# compare the sha256 sum of your ISO image and the original Mint sha256 sum
echo "Calculating the sha256 sum for $1 and comparing it to the downloaded signed sha256 sum"
echo "Be patient, $USER. I am not that good at math"
echo "..."

sha256sum --check --ignore-missing sha256sum.txt


echo "Done."

The output looks like this:

Code: Select all

steve@steve-Z97X ~ $ cd ~/Downloads
steve@steve-Z97X ~/Downloads $ ./LM_iso_verify.sh linuxmint-18.3-cinnamon-64bit.iso
gpg: requesting key A25BAE09 from hkp server keyserver.ubuntu.com
gpg: key A25BAE09: "Linux Mint ISO Signing Key <root@linuxmint.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
--2018-04-14 23:48:35--  http://reflection.oss.ou.edu/linuxmint/isos/linuxmint.com/stable/18.3/sha256sum.txt
Resolving reflection.oss.ou.edu (reflection.oss.ou.edu)... 129.15.2.43
Connecting to reflection.oss.ou.edu (reflection.oss.ou.edu)|129.15.2.43|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 774 [text/plain]
Saving to: ‘sha256sum.txt’

sha256sum.txt                 100%[=================================================>]     774  --.-KB/s    in 0s      

2018-04-14 23:48:35 (257 MB/s) - ‘sha256sum.txt’ saved [774/774]

--2018-04-14 23:48:35--  http://reflection.oss.ou.edu/linuxmint/isos/linuxmint.com/stable/18.3/sha256sum.txt.gpg
Resolving reflection.oss.ou.edu (reflection.oss.ou.edu)... 129.15.2.43
Connecting to reflection.oss.ou.edu (reflection.oss.ou.edu)|129.15.2.43|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 819 [text/plain]
Saving to: ‘sha256sum.txt.gpg’

sha256sum.txt.gpg             100%[=================================================>]     819  --.-KB/s    in 0s      

2018-04-14 23:48:35 (257 MB/s) - ‘sha256sum.txt.gpg’ saved [819/819]

gpg: Signature made Wed 13 Dec 2017 10:16:15 AM CST using RSA key ID A25BAE09
gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09
It should report that the signature is Good, steve.
You can ignore any warning about ...not certified...
...
Calculating the sha256 sum for linuxmint-18.3-cinnamon-64bit.iso and comparing it to the downloaded signed sha256 sum
Be patient, steve. I am not that good at math
...
linuxmint-18.3-cinnamon-64bit.iso: OK
Done.
steve@steve-Z97X ~/Downloads $ 

And that's all you have to do to verify.

Notes: Read the instructions in the script - you will need to modify the wget commands for the particular .iso file version. Also, in this file which originally used the heanet mirror, I changed that to another mirror conveniently located near me - if the heanet site ever gets fixed (permission problem of some kind), you may want to change it back, or use another mirror located near you.

EDIT: edited script file comments to say that you don't have to move the script file to the Downloads folder if it is on the PATH. If you keep it in ~/bin, that directory is on the PATH.
EDIT#2: changed script back to use heanet site which is now working again. I left the OU site in as an alternate.

[Tarq]

The Linux Mint files are now safe to download and use, or to install from. So, you do not need to go through the verification steps, unless you want to.

This member mentioned that checking the system image is sometimes unnecessary. It is mostly safe while I think this is completely wrong. I downloaded a fake system image and patched it. Please be careful while providing information, with evidence and not just an allegation

[karlchen]

Hello, Tarek Sultan.

You are perfectly right in stating that it is unsafe not to verify an ISO image file after downloading it. .
If you read this tutorial thread from top to bottom again, you will notice that right below jungle boy's initial post (his tutorial), forums admin xenopeek had clearly stated:

Note: this tutorial foregoes verifying that the checksum file itself originates from Linux Mint. The official instructions at https://linuxmint.com/verify.php include that step.

I.e. the offical Linux Mint installation instructions clearly tell to do both checks:
+ to verify the downloaded ISO image (integritiy check)
+ to verify that the given sha256 checksum is genuine (authenticity check)

Karl

[Tarq]

I believe that an image file can be verified and authenticated, while a text file cannot be verified, which I consider to be an exploitable security vulnerability that could pose a real cyber risk to users. I do not see the special verification steps in the Windows system in the guidance?