Linux Mint 18 (Sarah) was released a few days ago and I wanted to try the new version. However, I recalled that Mint’s web site had been hacked in February and a compromised version of the ISO file for Linux Mint 17.3 Cinnamon made available for downloading. Now, while this issue was quickly fixed, and greater security measures put in place, I thought it only reasonable to check the validity of the Mint 18 ISO file. However, the instructions provided on Mint’s web site weren’t entirely clear – nor accurate.
In particular, the very first command that was provided (gpg --recv-key A25BAE09) produced an error message that “no keyserver known (use option --keyserver)”. Some searching on Google identified a command – with a valid keyserver – that did work. A note on this, and some further clarification of the various steps involved to validate the downloaded ISO file, might be of value for some end users.
(1) The first thing to do is to download the ISO file. For this, I like to use the wget command (See: W-getting Ubuntu distros). Also, being located in the Great White North, my chosen source is the mirror supported by the University of Waterloo’s Computer Science Club. My distro of choice is the Mate edition of Linux Mint 18 (linuxmint-18-mate-64bit.iso). The download command is thus:
wget -c http://mirror.csclub.uwaterloo.ca/linuxmint/stable/18/linuxmint-18-mate-64bit.iso
(2) Two additional files are needed, sha256sum.txt and sha256sum.txt.gpg, both of which are in the same folder as the above-noted ISO file. These files can be obtained using wget commands similar to the above.
(3) Now, it’s time to get the security key using the (valid!) command:
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys A25BAE09
This creates the hidden folder .gnupg inside the Home folder, then downloads the PGP security key for the Mint 18 distro from the keyserver at ubuntu.com and stores it there. Several lines of text will be displayed as a result of the above command; the most noteworthy being:
gpg: key A25BAE09: public key "Linux Mint ISO Signing Key <firstname.lastname@example.org>" imported
(4) Now we need to verify that this downloaded security key can be trusted. We use the command:
gpg --list-keys --with-fingerprint
The “Key fingerprint” will be listed as 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09 which can be matched exactly to the value shown on Mint’s web site (https://linuxmint.com/verify.php).
(5) The file sha256sum.txt contains the hash signatures for all of the Mint 18 distros – the Cinnamon and Mate editions, for both 32-bit and 64-bit computers. The next step is to ensure that this file is trustworthy and hence the signatures themselves are valid. Issue the command:
gpg --verify sha256sum.txt.gpg sha256sum.txt
Once again, several lines of output are generated. In this case, the important line to note is:
gpg: Good signature from "Linux Mint ISO Signing Key < email@example.com>"
(6) Finally, we are ready to verify our downloaded distro. To do so, we use the command:
sha256sum -c sha256sum.txt 2>&1 | grep OK
After a few seconds, the command responds with the validation string:
This final command is somewhat cryptic so a few words of explanation are in order. To check just the single ISO file, we could use the command:
This would generate the SHA256 hash value which we could then manually compare with the value posted on Mint’s web site (https://linuxmint.com/verify.php). However, there are 64 individual characters to compare. This is a chore and potentially subject to human error. Instead, we use the sha256sum.txt file which contains a list of the ISO files and their checksums. The sha256sum program processes each of the file names, ignores building a checksum for any file that isn’t present on our computer (i.e. distros that we haven’t downloaded), while creating a checksum for the 64-bit Mate edition of Mint 18 (which we have downloaded). The results are piped to grep and filtered for OK which indicates successful validation of the 64-bit Mate version of Mint 18.
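An added example, not from the original post: the same check as step (6) for one named file, reported through the exit status rather than by filtering for OK, since the grep filter also hides a FAILED line and a mismatch then shows only as missing output. The function names check_iso and make_sample and the small stand-in files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check one ISO against sha256sum.txt and fail loudly.

# check_iso SUMS_FILE ISO_NAME
# Returns 0 only if ISO_NAME is listed in SUMS_FILE and its hash matches.
check_iso() {
    sums=$1
    iso=$2
    dir=$(dirname -- "$sums")
    # Pick the entry whose file name field equals ISO_NAME exactly
    # (a leading "*" marks binary mode in sha256sum output).
    entry=$(awk -v f="$iso" '{ n = $2; sub(/^\*/, "", n) } n == f' "$sums")
    if [ -z "$entry" ]; then
        echo "$iso: not listed in $sums" >&2
        return 2
    fi
    if [ ! -f "$dir/$iso" ]; then
        echo "$iso: not downloaded" >&2
        return 3
    fi
    # sha256sum -c prints "name: OK" or "name: FAILED" and sets the exit status.
    ( cd "$dir" && printf '%s\n' "$entry" | sha256sum -c - )
}

# Constructed sample data: small stand-in files, not real ISO images.
make_sample() {
    d=$(mktemp -d)
    printf 'stand-in for the Mate image\n' > "$d/linuxmint-18-mate-64bit.iso"
    ( cd "$d" && sha256sum -b linuxmint-18-mate-64bit.iso > sha256sum.txt )
    # An entry for an edition that was never downloaded.
    printf '%064d *linuxmint-18-cinnamon-64bit.iso\n' 0 >> "$d/sha256sum.txt"
    echo "$d"
}

d=$(make_sample)
check_iso "$d/sha256sum.txt" linuxmint-18-mate-64bit.iso
# Simulate a modified download: the same call must now fail.
printf 'tampered\n' >> "$d/linuxmint-18-mate-64bit.iso"
check_iso "$d/sha256sum.txt" linuxmint-18-mate-64bit.iso \
    || echo "verification failed, do not use this image"
rm -rf "$d"
```

With the real files, run check_iso only after gpg --verify has reported a good signature on sha256sum.txt, as in step (5).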
So, after all that effort, we are now assured that we have a valid PGP security key for Mint 18, the hashes for the Mint 18 distros are similarly valid and, in particular, that the downloaded file linuxmint-18-mate-64bit.iso is acceptable for our use.
Now, it’s time to try Mint 18!