Linux: Verify ISO

[last updated: 2023-07-30]
-----

  • Whenever you download something online, there is a possibility that it is corrupt or has been tampered with.
    This procedure verifies the integrity and authenticity of the Linux ISO file you download.

  • References:

  • There are different instructions for doing this on different online sites. This procedure is what (finally) worked for me.
    -----------------------------------

  • Download the .iso file desired.
  • Preparation:
    • 1. Create a directory called "ISO" in your Downloads directory.
    • 2. Move the ISO image you downloaded into this directory.
    • 3. Download the following files:
      From the "Verify the Integrity..." link above, hover over each filename, right-click > Save Link As,
      and move the files into the "ISO" directory.
      sha256sum.txt: Contains the SHA256 sums to check the integrity of the ISO images.
      sha256sum.txt.gpg: Signed and encrypted version of the sha256sum.txt file.
    • Your ~/ISO directory should now contain 3 files:
      Your ISO image, the sha256sum.txt file and the sha256sum.txt.gpg file.
      Don't modify these files in any way.
    • Verify Checksum
      ------------------------------------------------------

    • Integrity is Verified. Now Proceed with Authenticity Check:
      • This procedure will download the Mint signing key, then decrypt the sum text file, and confirm that the text file is authentic.
      • Step 1: Download the signing key
        • Copy & paste this command into the command window and press Enter to run it:
          gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
        • For some users this fails with a keyserver or network error.
          In that case (and only then) try this variant instead:
          gpg --keyserver keyserver.ubuntu.com --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
        • If that too fails, try this one:
          gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
        • If that fails too, try again later - the server might be down - otherwise you're out of luck.
        • In my case, it appears to have worked (i.e., no errors were reported). The following lines were returned:
          gpg: keybox 'C:/Users/Jay/AppData/Roaming/gnupg/pubring.kbx' created
          gpg: C:/Users/Jay/AppData/Roaming/gnupg/trustdb.gpg: trustdb created
          gpg: key 300F846BA25BAE09: public key "Linux Mint ISO Signing Key " imported
          gpg: Total number processed: 1
          gpg: imported: 1
      • Step 2:
        • Copy & paste this command into the command window and press Enter to run it:
          gpg --verify sha256sum.txt.gpg sha256sum.txt
        • The following was returned:
          gpg: Signature made 07/29/19 09:43:47 Pacific Daylight Time
          gpg: using RSA key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
          gpg: Good signature from "Linux Mint ISO Signing Key " [unknown]
          gpg: WARNING: This key is not certified with a trusted signature!
          gpg: There is no indication that the signature belongs to the owner.
          Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09
      • Step 3:
        Since the output says:
        Good signature from "Linux Mint ISO Signing Key "
        the instructions say the ISO's authenticity is now verified as valid, and to ignore the "warning".

      ------------------------------------------------------
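
Added example (not part of the original page or of Linux Mint's instructions): a POSIX shell script that runs both checks and, rather than relying on the "Good signature" text, requires gpg's machine-readable VALIDSIG record to carry the fingerprint used in Step 1. That pinned fingerprint is what makes the "not certified with a trusted signature" warning safe to ignore. It assumes gpg and sha256sum are installed and the key is already imported; the function names and the sample_status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. The fingerprint is the one the page uses.
MINT_FPR=27DEB15644C6B3CF3BD7D291300F846BA25BAE09

# Reads `gpg --status-fd 1 --verify ...` output on stdin. Succeeds only if a
# VALIDSIG record ends in the pinned primary-key fingerprint ($1) and no
# failure record is present. TRUST_UNDEFINED (the "not certified" warning) is
# deliberately not a failure: the pin is what ties the key to its owner.
# The appended "" forces string (not numeric) comparison in awk.
sig_status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { if (($NF "") == (want "")) good = 1; else bad = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        END { exit !(good && !bad) }'
}

# Succeeds if the SHA-256 of file $1 is listed under its own name in sum file $2
# (accepts both "hash  name" and "hash *name" lines).
iso_in_sumfile() {
    sum=$(sha256sum "$1" | cut -d' ' -f1) || return 1
    awk -v h="$sum" -v f="$(basename "$1")" \
        '(($1 "") == (h "")) && ($2 == f || $2 == "*" f) { ok = 1 } END { exit !ok }' "$2"
}

# Full check for an ISO whose sha256sum.txt and sha256sum.txt.gpg sit beside it.
# The signature is checked first so the sums are trusted before they are used.
verify_download() {
    dir=$(dirname "$1")
    gpg --status-fd 1 --verify "$dir/sha256sum.txt.gpg" "$dir/sha256sum.txt" \
        2>/dev/null | sig_status_ok "$MINT_FPR" ||
        { echo "FAIL: sha256sum.txt is not signed by $MINT_FPR" >&2; return 1; }
    iso_in_sumfile "$1" "$dir/sha256sum.txt" ||
        { echo "FAIL: $1 does not match sha256sum.txt" >&2; return 1; }
    echo "OK: $1 matches a checksum list signed by $MINT_FPR"
}

# Constructed sample of gpg status output for a good signature made by key $1.
sample_status() {
    printf '[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG %s Example Signer\n' "$1"
    printf '[GNUPG:] VALIDSIG %s 2019-07-29 1564418627 0 4 0 1 8 00 %s\n' "$1" "$1"
    printf '[GNUPG:] TRUST_UNDEFINED 0 pgp\n'
}

# Run as: sh verify.sh path/to/image.iso
if [ "$#" -eq 1 ]; then verify_download "$1"; fi
```

A "Good signature" from any other imported key fails this check, because only the pinned fingerprint is accepted.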