Authenticating ISO most difficult computer issue ever.

DECH
Level 1
Posts: 2
Joined: Thu Nov 30, 2023 8:08 am

Authenticating ISO most difficult computer issue ever.

Post by DECH »

Using a Lenovo 100S 11BY with 2gb RAM; Intel Atom processor and 32bit. Thought I'd spend 20mins getting a Linux OS on a USB drive to see if the device went faster etc. Used the https://linuxmint-installation-guide.re ... en/latest/ for LMDE 6 Faye. One glance at the instructions for verifying/authenticating and I thought it better to make a bootable drive first rather than probably become dispirited - not because the task was likely very complex but the likelihood that the instructions would be very inadequate and presume all sorts of prerequisite knowledge or linking it without mentioning it to some previous step done a day earlier. Hours later and using Rufus (Balensa produced blank page only) it appears that I have an ISO (or whatever on the USB drive) there seems to be no indication of any hope that it can be used to boot but that's another issue. I saw a comment by a veteran who opined that probably 50% of those who attempt to load Linux give up at the authentication hurdle; others say that most just don't bother (or presumably give up on that element).

I thought just to be prudent I'd try; after numerous attempts I managed the Verify part but my heart sank when I read this as the guidance for authentication: "Import the Linux Mint signing key:
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"
i.e. what does "import" mean; do I need to spend another hour researching its IT meaning(s)? There was a link to how to do it on Windows but it didn't advise what failure to authenticate looked like and there was ambiguity, e.g. did all or most or some of the numerous downloads need to be in the same folder for any of this to work? (prompted by this: "If it's failing on all of those, then as a workaround you can manually download the key from this link with your web browser, save the page to a file in the same folder as everything else....")
Another question was: If the command line failed was it necessary to type in "cmd" prior to each new attempt? Some command lines (or all for all I know) seem to have a space after the line already present. So we have numerous possible combinations.

I've been going through some of it again while composing this and it gets worse; here is the guidance for success: "As long as it says Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" and with a fingerprint matching the one shown above and that you used to download the key, then that means your download is authentic. In case it was tampered with the message would be BAD signature from ...." This is as close as I managed:
C:\Users\decha\OneDrive\Desktop\GnuPG> gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: requesting key A25BAE09 from hkp server keyserver.ubuntu.com
gpg: key A25BAE09: "Linux Mint ISO Signing Key <root@linuxmint.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

Maybe this is a success; apparently not but with nothing including a "fingerprint" there was only one more option given (having tried the three command line possibilities provided). "If it's failing on all of those, then as a workaround you can manually download the key from this link"
There is no link. I trust that any questions are implicit in the above.
Last edited by SMG on Fri Dec 01, 2023 9:26 am, edited 1 time in total.
Reason: Moved to LMDE forum
george7-cal
Level 1
Posts: 16
Joined: Sat Nov 04, 2023 3:33 pm

Re: Authenticating ISO most difficult computer issue ever.

Post by george7-cal »

I think you have to compare codes or signatures with these provided for two small files on download page.

Here are my codes for testing an ISO image and I accepted that as OK:

george@george-desktop:~/Downloads$ sha256sum -b linuxmint-21.1-xfce-64bit.iso
6fea221b5b0272d55de57f3d31498cdf76682f414e60d28131dc428e719efa8b *linuxmint-21.1-xfce-64bit.iso
george@george-desktop:~/Downloads$ gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key "27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09"
gpg: key 300F846BA25BAE09: "Linux Mint ISO Signing Key <root@linuxmint.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
george@george-desktop:~/Downloads$ gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key A25BAE09
gpg: key 6ABA455AA25BAE09: public key "Totally Legit Signing Key <mallory@example.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
george@george-desktop:~/Downloads$ gpg --list-key --with-fingerprint A25BAE09
pub   rsa4096 2016-06-07 [SC]
      27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09
uid           [ unknown] Linux Mint ISO Signing Key <root@linuxmint.com>

pub   rsa1024 2014-01-26 [C]
      1828 C98D 1C52 E20C 95DF  B632 6ABA 455A A25B AE09
uid           [ unknown] Totally Legit Signing Key <mallory@example.org>

george@george-desktop:~/Downloads$ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Sun 18 Dec 2022 05:54:36 AM MST
gpg:                using RSA key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09
george@george-desktop:~/Downloads$ 
Good luck!
MiZoG
Level 8
Posts: 2395
Joined: Fri Jan 26, 2018 8:30 pm
Location: Athens, Greece

Re: Authenticating ISO most difficult computer issue ever.

Post by MiZoG »

Checking the authenticity and integrity of an installation iso is nice. It is "best practice". Commendable.
You want to do that. You don't want to lose your sleep over that.
So skip it for now or just only do the integrity check that is easier on Windows.
Or forget about doing this on Windows altogether.
You can check the very same iso you wrote into your installation media while on the very same live Mint session you want to initiate
provided that you have stored the original iso and checksums in an external drive.
It is much easier on Linux Mint, double-click on the iso and select "Verify".
In the end, don't do any check at all. You'll survive this, believe me.
linux-rox
Level 10
Posts: 3334
Joined: Sun Jul 19, 2020 9:17 pm

Re: Authenticating ISO most difficult computer issue ever.

Post by linux-rox »

Did you get this checksum?

40a9988cc6edd253bff9fcab422aec1b2c81ab3aa4d34b91b08277592c5fab28
If so, you can skip the authentication step. I've run the GPG check on the sha256sum.txt file (I'm using 64 bit, but it's the same file). It's good.

And, while I agree this is a perverse hurdle, it's not the most difficult computer issue ever. Just something you've not done before.
DECH
Level 1
Posts: 2
Joined: Thu Nov 30, 2023 8:08 am

Re: Authenticating ISO most difficult computer issue ever.

Post by DECH »

Thanks for the response(s); lesson learned for the time being i.e. don't attempt an undertaking such as running Linux unless there is a very comprehensive guide; tested and edited probably multiple times to reduce ambiguities and specifically including and mentioning a particular computer or it being included in a particular class. By all reports no one has successfully installed one on this type of machine for many years and those distros are now obsolete - so I would have saved wasting a lot of time and energy and given up before starting had I taken that route. So it's farewell to Linux; I don't intend revisiting this area so pls. don't bother responding.
linux-rox
Level 10
Posts: 3334
Joined: Sun Jul 19, 2020 9:17 pm

Re: Authenticating ISO most difficult computer issue ever.

Post by linux-rox »

Wait, please don't go. We want you ... we need you. Life won't be worth living if you give up on us now. :roll:
LinnyMinny
Level 1
Posts: 24
Joined: Mon Nov 13, 2017 10:50 am

Re: Authenticating ISO most difficult computer issue ever.

Post by LinnyMinny »

I totally agree with the original post. Those directions on verify are clear as mud.

I've taken to downloading from 2 or 3 servers, and if the files are the same size exactly, I figure I'm good. I run what checksums I can, the integrity check, but can't figure out how to verify the checksums txt.gpg (the last step). Maybe AI will clarify at some point.
dave0808
Level 5
Posts: 987
Joined: Sat May 16, 2015 1:02 pm

Re: Authenticating ISO most difficult computer issue ever.

Post by dave0808 »

LinnyMinny wrote: Thu Feb 01, 2024 5:59 pm
but can't figure out how to verify the checksums txt.gpg (the last step). Maybe AI will clarify at some point.
You don't need a so-called AI, as @george7-cal verified the checksum file in the last step posted...

gpg --verify sha256sum.txt.gpg sha256sum.txt
Watch for the line that states "Good signature"
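Added example, not part of any post in this thread: a Python sketch that decides the result from gpg's machine-readable status lines and the full fingerprint, rather than from the words "Good signature" or the short ID A25BAE09, which george7-cal's session shows is shared by two different keys. The status samples are constructed and the function names are hypothetical.

```python
import hashlib

# Fingerprints as printed by gpg --list-key in george7-cal's session above.
MINT_FPR = "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"
OTHER_FPR = "1828 C98D 1C52 E20C 95DF B632 6ABA 455A A25B AE09"
# Constructed `gpg --status-fd 1 --verify ...` output; trailing fields illustrative.
STATUS_MINT = """[GNUPG:] GOODSIG 300F846BA25BAE09 Linux Mint ISO Signing Key <root@linuxmint.com>
[GNUPG:] VALIDSIG 27DEB15644C6B3CF3BD7D291300F846BA25BAE09 2022-12-18 1671368076 0 4 0 1 8 00 27DEB15644C6B3CF3BD7D291300F846BA25BAE09"""
STATUS_OTHER = """[GNUPG:] GOODSIG 6ABA455AA25BAE09 Totally Legit Signing Key <mallory@example.org>
[GNUPG:] VALIDSIG 1828C98D1C52E20C95DFB6326ABA455AA25BAE09 2022-12-18 1671368076 0 4 0 1 8 00 1828C98D1C52E20C95DFB6326ABA455AA25BAE09"""
SUMS = "6fea221b5b0272d55de57f3d31498cdf76682f414e60d28131dc428e719efa8b *linuxmint-21.1-xfce-64bit.iso\n"

def normalize(fpr):
    """Drop spaces and upper-case so spaced and unspaced fingerprints compare equal."""
    return "".join(fpr.split()).upper()

def short_id(fpr):
    """Last 8 hex digits, i.e. the short key ID; different keys can share it."""
    return normalize(fpr)[-8:]

def signed_by(status_text, expected_fpr):
    """True only for a valid signature made by the key with this full fingerprint."""
    want, ok = normalize(expected_fpr), False
    for line in status_text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] != "[GNUPG:]":
            continue
        if f[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False  # bad or uncheckable signature, expired or revoked key
        if f[1] == "VALIDSIG" and want in (f[2].upper(), f[-1].upper()):
            ok = True  # f[2] is the signing key, f[-1] its primary key
    return ok

def listed_hash(sums_text, iso_name):
    """SHA-256 recorded for iso_name in sha256sum.txt, or None if not listed."""
    for line in sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip().lstrip("*") == iso_name:
            return parts[0].lower()
    return None

def iso_matches(path, sums_text, iso_name):
    """Hash the file in 1 MiB chunks and compare with the signed checksum list."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == listed_hash(sums_text, iso_name)
```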