WelcomeUser Guide
ToSPrivacyCanary
DonateBugsLicense

©2024 Poal.co

1.1K

I've been trying to download 21.2 cinnamon 64-bit ISO or excuse me I mean verify the ISO. So I have the sha-sum that I can verify with the ISO but then when it comes to importing the Linux mint signing key, it doesn't jive up. It only gives me the last maybe 10 numbers of the key. And then when I go to verify the authenticity it says that I have a bad signature. I've tried like six of these stupid iso from the US. Should I just go to a different country and try my luck there? It doesn't help that I have no idea really what I'm doing other than I'm following really horrible instructions off of the Mint website. They must be written by the guy who writes instructions for Ikea.

I've been trying to download 21.2 cinnamon 64-bit ISO or excuse me I mean verify the ISO. So I have the sha-sum that I can verify with the ISO but then when it comes to importing the Linux mint signing key, it doesn't jive up. It only gives me the last maybe 10 numbers of the key. And then when I go to verify the authenticity it says that I have a bad signature. I've tried like six of these stupid iso from the US. Should I just go to a different country and try my luck there? It doesn't help that I have no idea really what I'm doing other than I'm following really horrible instructions off of the Mint website. They must be written by the guy who writes instructions for Ikea.

(post is archived)

You are currently inside a comment thread.
Click here to see all the comments (18).
[–] 0 pt

Now. I went here... https://linuxmint.com/edition.php?id=305 downloaded the ISO from advancedhosters.com (first US link) Grabbed the sha key and its gpg counterpart on the exact same page, just above the download link i used.

then I followed the instructions written at https://linuxmint-installation-guide.readthedocs.io/en/latest/verify.html

That got me this... ____________________________________________________________________________ ╚═══===═══[~]>> gpg --verify /home/beau/Downloads/sha256sum.txt.gpg /home/beau/Downloads/sha256sum.txt gpg: Signature made Fri Sep 29 03:41:09 2023 MST gpg: using RSA key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09 gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09

╚═══===═══[~]>> sha256sum -b /home/beau/Downloads/linuxmint-21.2-cinnamon-64bit.iso 116578dda0e03f1421c214acdd66043b586e7afc7474e0796c150ac164a90a2a */home/beau/Downloads/linuxmint-21.2-cinnamon-64bit.iso ______________________________________________________________________________________

Which oddly enough matches the SHA key and GPG verification, given right there on the site, for it...

Instructions looked like plain english to me. maybe you went elsewhere and grabbed something else, then followed another site to do this?

Unsure how your experience could differ. but you didnt really give us any info.

[–] 1 pt

The only issue here is you haven't trusted the Mint key. (You said the hash matches so you're ok)

i.e. The signature is valid but you would need to configure your gpg trust rules to address the second warning. Checkout the gpg handbook for more info.

https://www.gnupg.org/gph/en/manual/x334.html

[–] 0 pt (edited )

I just didnt add it to the message

╚═══===═══[~]>> gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09" gpg: key 300F846BA25BAE09: public key "Linux Mint ISO Signing Key <root@linuxmint.com>" importedD7 D291 300F 846B A25B gpg: Total number processed: 1 gpg: imported: 1

Which still left the error.

[–] 0 pt

I have to run out shortly but will have time for a real reply later if I miss with this swing.

I just downloaded the latest version of Mint cinamon from their site then copied the related files on the same page to a directory.

Consider:

Files in the folder: 

ls 
linuxmint-21.2-cinnamon-64bit-edge.iso  sha256sum.txt  sha256sum.txt.gpg

First verify: 

~[@SN-001](/u/SN-001) ~/Desktop/mint $ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Fri 29 Sep 2023 06:41:09 AM EDT
gpg:                using RSA key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: Can't check signature: No public key

Uh oh no key! Get the key from their instructions....

~[@SN-001](/u/SN-001) ~/Desktop/mint $ gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key "27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09"
gpg: key 300F846BA25BAE09: public key "Linux Mint ISO Signing Key <root@linuxmint.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Verify again

~[@SN-001](/u/SN-001) ~/Desktop/mint $ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Fri 29 Sep 2023 06:41:09 AM EDT
gpg:                using RSA key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09

This is now a good sha / signature it just isn't trusted. Trust is more like is Bob a good carpenter and who you'll accept that advice from. You have ensured Bob is Bob.

[–] 0 pt

I got that too but it said that it didn't trust the signature. So that to me says that that's not a trusted ISO. Am I incorrect in thinking that?