Getting BAD Signature when verifying Linux Mint .iso image

1

I've been attempting to install Linux Mint 18 on a hard drive for a while now, but I continuously run into an error when I try to use gpg --verify. The exact error is as follows:

$ sudo gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Thu 30 Jun 2016 05:13:33 AM MDT using RSA key ID A25BAE09
gpg: BAD signature from "Linux Mint ISO Signing Key <root@linuxmint.com>"

UPDATE: Now that I'm retrying all the steps to make sure I did everything correctly, I run into this error when I attempt to import the keys with the commands given on the Linux Mint website, here.

$ gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 
3BD7 
D291 300F 846B A25B AE09"
gpg: requesting key A25BAE09 from hkp server keyserver.ubuntu.com
gpg: [don't know]: invalid packet (ctb=22)
gpg: keydb_get_keyblock failed: eof
gpg: [don't know]: invalid packet (ctb=22)
gpg: /home/morsira/.gnupg/pubring.gpg: copy to `/home/morsira/.gnupg
/pubring.gpg.tmp' failed: invalid packet
gpg: error writing keyring `/home/morsira/.gnupg/pubring.gpg': invalid 
packet
gpg: [don't know]: invalid packet (ctb=22)
gpg: keydb_search failed: invalid packet
gpg: key A25BAE09: public key "[User ID not found]" imported
gpg: error reading `[stream]': invalid packet
gpg: Total number processed: 0
gpg:               imported: 1  (RSA: 1)

Morsira

Posted 2016-07-25T05:14:34.220

Reputation: 11

Maybe the signature is, in fact, bad. Though why are you using sudo for gpg? Also, where did you obtain the .txt file from? – user1686 – 2016-07-25T05:15:46.820

The website for Linux Mint has .txt and .gpg.txt files that are apparently supposed to be saved in the same directory as the .iso image. I used sudo because I'm pretty terrible at this and thought that it might have some effect. – Morsira – 2016-07-25T05:20:15.063

sudo is utterly not needed for something like this and if your verification fails, then the image could be damaged. Just follow the instructions here on the official Linux Mint page and you should be solid. – JakeGould – 2016-07-25T05:36:52.847

Okay, thank you. One other thing, that may or may not be relevant: when I used sha256sum the checksum matched what the site said it should be in the sha256sum.txt file I downloaded. Why would the results be different when I verified the file? – Morsira – 2016-07-25T05:42:04.190

I can't answer why they would be different (other than your command not doing what you thought it should do), but if you got a matching checksum the other way, there's no way itt would match by chance. So you're good. – fixer1234 – 2016-07-25T06:32:43.613

I more have a problem with the error message that's given when I boot up in the OS. That's the biggest reason why I want to verify my .iso. – Morsira – 2016-07-25T06:42:25.927

Mint created a convoluted procedure to verify the ISO because they were once hacked. Your verification errors may relate to that process rather than the checksum. If you manually compared the sha256 values and they matched, I wouldn't be concerned with issues with this verification procedure. If you're getting an error message when you boot Mint, that's a completely different issue, and not likely related to the ISO being corrupted (although it's great that you're trying to rule that out). People may be able to identify the real problem if you add info about the boot problem. – fixer1234 – 2016-07-25T07:00:23.963

I can't quite remember the error that was given, but a forum that I was looking on for answers had a user that attributed it to an .iso that wasn't properly validated when installing the OS with Unetbootin, which is what I'm currently using to install Mint. – Morsira – 2016-07-25T07:04:34.287

Answers

2

There are mainly two ways, you can completely verify a disc's integrity. First you need to verify the checksum. Please follow these steps to verify the checksum:

  1. Run the command below, for your downloaded ISO file to get the checksum.

    sha256sum -b linuxmint-18-cinnamon-64bit-beta.iso
    only edit the downloaded ISO file name while running the command, if yours is different. After running the command you'll find a checksum like this: 8a2d3a3276d36497470156063e02ba894d5b9d562a8edf856dd29ee479eb55c4 *linuxmint-18-cinnamon-64bit-beta.iso

  2. Now you need to open the sha256sum.txt file that you've downloaded from the Linux mint website and make sure if they match. You can normally open the .txt file in any text editor and compare the checksum or use the cat command in Linux. Here is the command:

cat sha256sum.txt

If they match, then this is enough to satisfy that your ISO disc image files are authentic and secure.

Second method: To verify the security signature(gpg), signing key of the disc image, please follow the steps below:

  1. Open a terminal and run this command:

    gpg --recv-key A25BAE09

  2. Now verify the fingerprint by using this command:

    gpg --list-keys --with-fingerprint

    and please check that the fingerprint is:

    Key fingerprint = 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09

    uid Linux Mint ISO Signing Key

  3. Now you have to verify the checksum file is correctly signed with the key you just received. Switch to your download folder:

    cd Downloads

  4. Enter this command:

    gpg --verify sha256sum.txt.gpg sha256sum.txt

If it says "Good Signature..." then you're finished. Ignore the warnings that says Key is not certified.

If the above process fails then you can try the whole process by creating your own key. If you need any help please let me know. The above process should work. Thank you.

Animesh Patra

Posted 2016-07-25T05:14:34.220

Reputation: 2 188

Asked: 2016-07-25T05:14:34.220

Viewed: 1 760 times

Active: 2016-07-28T06:20:08.693