Verifying the Linux Mint 18 ISO file

Linux Mint 18 (Sarah) was released a few days ago and I wanted to try the new version. However, I recalled that Mint’s web site had been hacked in February and a compromised version of the ISO file for Linux Mint 17.3 Cinnamon made available for downloading. Now, while this issue was quickly fixed, and greater security measures put in place, I thought it only reasonable to check the validity of the Mint 18 ISO file. However, the instructions provided on Mint’s web site weren’t entirely clear – nor accurate.

In particular, the very first command that was provided (gpg --recv-key A25BAE09) produced an error message that “no keyserver known (use option --keyserver)”. Some searching on Google identified a command – with a valid keyserver – that did work. A note on this, and some further clarification of the various steps involved to validate the downloaded ISO file, might be of value for some end users.

(1) The first thing to do is to download the ISO file. For this, I like to use the wget command (See: W-getting Ubuntu distros). Also, being located in the Great White North, my chosen source is the mirror supported by the University of Waterloo’s Computer Science Club. My distro of choice is the Mate edition of Linux Mint 18 (linuxmint-18-mate-64bit.iso). The download command is thus:

wget -c http://mirror.csclub.uwaterloo.ca/linuxmint/stable/18/linuxmint-18-mate-64bit.iso

(2) Two additional files are needed, sha256sum.txt and sha256sum.txt.gpg, both of which are in the same folder as the above-noted ISO file. These files can be obtained using wget commands similar to the above.

(3) Now, it’s time to get the security key using the (valid!) command:

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys A25BAE09

This creates the hidden folder .gnupg inside the Home folder, downloads and stores the PGP security key for the Mint 18 distro from the keyserver at ubuntu.com. Several lines of text will be displayed as a result of the above command; the most noteworthy being:

gpg: key A25BAE09: public key "Linux Mint ISO Signing Key <root@linuxmint.com>" imported

(4) Now we need to verify that this downloaded security key can be trusted. We use the command:

gpg --list-keys --with-fingerprint

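The “Key fingerprint” will be listed as 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09, which must match exactly the value shown on Mint’s web site (https://linuxmint.com/verify.php). It is this full fingerprint, not the eight-character key ID used in step (3), that identifies the key; a short ID is not unique, so a different key could carry the same one.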

(5) The file sha256sum.txt contains the hash signatures for all of the Mint 18 distros – the Cinnamon and Mate editions, for both 32-bit and 64-bit computers. The next step is to ensure that this file is trustworthy and hence the signatures themselves are valid. Issue the command:

gpg --verify sha256sum.txt.gpg sha256sum.txt

Once again, several lines of output are generated. In this case, the important line to note is:

gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"

(6) Finally, we are ready to verify our downloaded distro. To do so, we use the command:

sha256sum -c sha256sum.txt 2>&1 | grep OK

After a few seconds, the command responds with the validation string:

linuxmint-18-mate-64bit.iso: OK

This final command is somewhat cryptic so a few words of explanation are in order. To check just the single ISO file, we could use the command:

sha256sum linuxmint-18-mate-64bit.iso

This would generate the SHA256 hash value which we could then manually compare with the value posted on Mint’s web site (https://linuxmint.com/verify.php). However, there are 64 individual characters to compare. This is a chore and potentially subject to human error. Instead, we use the sha256sum.txt file which contains a list of the ISO files and their checksums. The sha256sum program works through each of the file names in the list. It cannot build a checksum for any file that isn’t present on our computer (i.e. distros that we haven’t downloaded) and reports an error for each of these, while it creates a checksum for the 64-bit Mate edition of Mint 18 (which we have downloaded) and compares it with the listed value. The results, with the error messages included by 2>&1, are piped to grep and filtered for OK, which indicates successful validation of the 64-bit Mate version of Mint 18. Note that if the ISO file did not match its checksum, the filter would leave no output at all.

So, after all that effort, we are now assured that we have a valid PGP security key for Mint 18, the hashes for the Mint 18 distros are similarly valid and, in particular, that the downloaded file linuxmint-18-mate-64bit.iso is acceptable for our use.
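Steps (4) to (6) can also be chained so that any failure stops the check with a non-zero exit status, rather than depending on reading gpg’s messages and on a filter that prints nothing when the ISO is bad. The script below is an added example, not part of the original article or of Mint’s instructions; the function names are made up for illustration, and it goes one step beyond the text by tying the signature to the published fingerprint through gpg’s machine-readable status output.

```bash
#!/bin/bash
# Added example: steps (4) to (6) as one check that fails closed.
# Fingerprint as quoted in step (4) of the article.
MINT_FPR="27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"

# Strip spaces and upper-case, giving the 40-hex-digit form gpg reports.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Reads "gpg --status-fd" lines on stdin. Succeeds only if a VALIDSIG line
# names the expected fingerprint (signing key field or primary key field).
signed_by() {   # usage: gpg --status-fd 1 --verify SIG FILE | signed_by FPR
    want=$(norm_fpr "$1")
    awk -v w="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == w || $NF == w) { ok = 1 }
        END { exit !ok }'
}

# Checks one named ISO against the checksum list. Unlike "grep OK", it
# fails if the ISO is not listed, is absent, or does not match.
check_iso() {   # usage: check_iso ISO SUMFILE
    iso=$1; sums=$2
    line=$(awk -v f="$iso" '{ n = $2; sub(/^\*/, "", n) } n == f' "$sums")
    [ -n "$line" ] || { echo "$iso: not listed in $sums" >&2; return 2; }
    printf '%s\n' "$line" | sha256sum -c - >/dev/null 2>&1
}

# Steps (5) and (6) for one ISO; run in the folder holding all three files.
verify_iso() {  # usage: verify_iso linuxmint-18-mate-64bit.iso
    gpg --status-fd 1 --verify sha256sum.txt.gpg sha256sum.txt 2>/dev/null |
        signed_by "$MINT_FPR" ||
        { echo "sha256sum.txt: no valid signature from expected key" >&2; return 1; }
    check_iso "$1" sha256sum.txt || { echo "$1: checksum FAILED" >&2; return 1; }
    echo "$1: signature and checksum OK"
}

if [ "$#" -gt 0 ]; then verify_iso "$1"; fi
```

Saved under a name of your choosing and run in the download folder with the ISO file name as its argument, it prints the final OK line only when both the signature and the checksum pass.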

Now, it’s time to try Mint 18!

References:

Beware of hacked ISOs if you downloaded Linux Mint on February 20th!
http://blog.linuxmint.com/?p=2994

How to verify ISO images
https://linuxmint.com/verify.php

How to verify ISO images – “gpg --recv-key A25BAE09” doesn’t work
https://forums.linuxmint.com/viewtopic.php?f=90&t=224399

How to Verify a Linux ISO’s Checksum and Confirm It Hasn’t Been Tampered With
http://www.howtogeek.com/246332/how-to-verify-a-downloaded-linux-iso-file-wasnt-tampered-with/

HowToSHA256SUM
https://help.ubuntu.com/community/HowToSHA256SUM


8 Responses to Verifying the Linux Mint 18 ISO file

  1. Don Benoit says:

    But where is the sha256sum.txt file? Is it in the extracted ISO file? If so, what directory?

    • Alan German says:

      Don:

      The checksum file will be in the same folder from which you download the ISO file. For example, on the mirror at the University of Waterloo’s Computer Science Club, the folder for the current release of Linux Mint contains the following:

      Index of /linuxmint/stable/18/
      ../
      linuxmint-18-cinnamon-32bit.iso 28-Jun-2016 14:41 1G
      linuxmint-18-cinnamon-64bit.iso 28-Jun-2016 12:50 2G
      linuxmint-18-mate-32bit.iso 28-Jun-2016 15:44 2G
      linuxmint-18-mate-64bit.iso 28-Jun-2016 13:49 2G
      sha256sum.txt 28-Jun-2016 16:32 384
      sha256sum.txt.gpg 30-Jun-2016 11:16 819

      You need to download the specific ISO file for your distro of choice and your CPU, and both sha256sum files.

      Alan

  2. Giovanni says:

    Hi
    I am a total noob; I have not understood how to verify the ISO image. I know where to find the sha256sum.txt and sha256sum.txt.gpg, but how do I download them? Do I have to copy and paste them with Writer? I only know to put them in the same directory as the ISO. I want to install Mint 18 32-bit; can I use the process you displayed? I have not understood the last part. What is the sha256sum program? Is the process to get the security key safe, or do I risk ruining the stability of my OS? Sorry for being quite dumb and for bad English.

    • Alan German says:

      Giovanni:

      sha256sum.txt and sha256sum.txt.gpg are just text files. I indicated that I downloaded them with the wget command (that I also used to download the ISO distro file). However, you could also download them using a web browser (e.g. Firefox).

      Verifying the 32-bit ISO will use a command in the same format as I have indicated; however, you will need to use the specific file name for your version of the distro.

      On my system, the sha256sum program is already installed in usr/bin so all that is required is to run the command.

      Obtaining the security key just creates a folder and stores the key. This won’t affect the operation of the OS.

      I hope the above helps to clarify the process; however, please don’t hesitate to request any further information should this be necessary.

      Alan

  3. Val says:

    Hi, I am also a confused newbie. I am downloading the ISO file to a USB via an iMac and plan to install Linux Mate 64-bit on a Dell Vostro 1510 which currently runs Vista Business – but I want to wipe the hard drive to install only Linux Mate 64-bit version. So, how do I validate the ISO? Do I use the command-prompt window on the Vostro while I still have Vista installed (I have used the command-prompt window before to run sfc/scan now but that’s about it)? I also just located the Terminal window on the iMac but have never used it before. Will I need a special file to install Linux Mate from the ISO on USB or will I just be able to click and install from the USB onto my Vostro? Thanks for sharing your expertise!

    Val

    • Alan German says:

      Val:

      Firstly, let me say that I know nothing about Apple computers so I’m the wrong person to ask about iMacs.

      The instructions on verifying the ISO download were for a working Linux system. Under Windows, I have only ever checked the hash sum for a downloaded ISO file. This at least confirms that the file was downloaded correctly. To do this, you can use a utility such as MD5 and SHA Checksum Utility (https://raylin.wordpress.com/downloads/md5-sha-1-checksum-utility/). I think it is extremely unlikely that, currently, an ISO file from a reputable source will be compromised so a more complete verification is probably unnecessary.

      In your case, I would recommend the following:

      (1) Make a complete disk image backup of your Vista system using a program such as Macrium Reflect Free Edition (http://www.macrium.com/reflectfree.aspx). Make a rescue disk. You could always use the disk image to recover your original Vista setup if necessary.

      (2) Create a bootable USB drive for the downloaded Linux distro (ISO file) using a program such as Rufus (https://rufus.akeo.ie/). Note that you can’t simply click on an ISO file to run it. The ISO file has to be “burnt” to a bootable medium such as a CD, DVD, or USB drive.

      (3) Install Linux “alongside” Windows Vista so as to produce a dual-boot system. This is normally one of the options when you install a Linux distro on a disk with an existing operating system.

      (4) Run Linux from the dual-boot (grub) menu and make sure that everything works the way that you want.

      (5) Finally, if you still wish to eliminate Vista, remove the Windows partition and re-assign the free disk space to the Linux partition using a program like GParted (http://gparted.org/).

      Hope this helps.

      Alan

  4. Ana says:

    thanks a lot!! =)

  5. I also wrote an article about Linux Mint 18 & about the features about it. Feel free to read it here. 🙂

    https://www.fossgeek.org/linux-os/download-linux-mint-18-sarah/
