[SOLVED] Two questions about the checking of ISOs

[Bertium]

It is very easy to check the download by right click the ISO file. A check program starts to assist the Integrity check and the Authenticity check.

But personally I am confused by two facts.

1. The checksum must be copied manually in to the field though the files are entered. Why this?
2. After successful Integrity check and the Authenticity check an error is always and always reported. Is this harmful?

73 Norbert

[erv]

Interested in Mint LMDE.

Observation: Mint LMDE ISO has no md5 checksum. Once you download it, you use what you got to verify what you got. Man in the middle could easily step in and provide his own ISO which would have his checksums. Correct?

Process is: you download the iso, burn it onto a thumbdrive and then check it with 'md5sum.txt' residing on that thumbdrive. It checks each file one by one. Thorough.

If you received a man-in-the-middle iso, you can't tell.

Correct me please, if I'm making wrong assumptions.

[AZgl1800]

May I suggest that you install GTKhash and use that instead, available in Software Manager

no inputting crc codes, it displays all of them at once,

all you need do, is compare the Results against what that ISO is supposed to be.

[karlchen]

Process is: you download the iso, burn it onto a thumbdrive and then check it with 'md5sum.txt' residing on that thumbdrive. It checks each file one by one. Thorough.
If you received a man-in-the-middle iso, you can't tell.

This is the reason, why you check that the downloaded ISO file is genuine and has not been tampered with, first.
This is done by verifying its sha256 checksum.
This is also what Bertium had done and reported about in the initial post.

The Linux Mint ISO checksums are publically available.
Checking it is a 2 step process:
+ Locally you caclulate the sha256 checksum of the ISO file that you have downloaded
+ Next you compare the calculated sha256 checksum to the one officially published by Linux Mint. If the 2 match, the ISO is OK.

To verify that the officially published checksums are genuine you verify the signing key for the published checksum file.

Instruction on how to do all this manually: https://linuxmint-installation-guide.re ... erify.html

Because new users may not be able to follow the steps properly, most recent LM releases come with a small application which can execute the verification steps for you.

It is very easy to check the download by right click the ISO file. A check program starts to assist the Integrity check and the Authenticity check.

This brings us to the question asked by Bertium:

2. After successful Integrity check and the Authenticity check an error is always and always reported. Is this harmful?

The answer to this question is given on the mentioned page https://linuxmint-installation-guide.re ... erify.html

Note
GPG might warn you that the Linux Mint signature is not trusted by your computer. This is expected and perfectly normal.

So. No, this warning is not harmful.

I would have to look up how to download and import the Linux Mint signature locally. This would make the warning go away as well.

[Bertium]

So. No, this warning is not harmful.

I would have to look up how to download and import the Linux Mint signature locally. This would make the warning go away as well.

Thanks!
So I will ignore this in the future.

Because this post was moved by Moem, I can not mark it as solved. Sorry.

[Moem]

No worries, I've done it for you.