Verify Linux Mint

How to verify Linux Mint iso images


Welcome!

This guide is meant to be an easy to follow tutorial for verifying the iso images of Linux Mint 17, 17.1, 17.2, 17.3, 18, 18.1, and LMDE 2.

First things first; or, why verify?

Many newcomers to Linux Mint (and even some old-timers) are confused when they hear they should verify their iso image. "What do you mean?" they ask. "What's the point of verifying?"

The usual response is something like this, "Verifying the image lets you know that no one has tampered with the downloaded iso, and keeps you safe." While this is certainly true, it often confuses the poor chap who asked, and he/she either installs Mint without verifying, or leaves Mint alone, assuming that it takes a degree in computer science to use Linux.

Of course, nothing could be further from the truth. Mint is widely recommended as the "newbie's Linux" due to its ease of use and user-friendliness. All sorts of people use Linux Mint, from teenagers to people in their 90s - many of them with no prior computer experience!

But in order to make sure that these people, and that you, have the best experience possible with Linux Mint, the Mint developers recommend that you verify your downloaded Linux Mint iso image before you install Mint. The benefit of this is two-fold:
(1). Verifying shows that nothing went wrong with your download. I have personally seen several cases in which users were having a lot of trouble with Linux Mint, and it turned out they had installed an iso which had been damaged during download. Had they verified Mint before installing, they would have noticed that the iso was damaged and saved themselves a lot of time and frustration.

(2). Today more than ever, cybercriminals want to control your computer and steal your information. It is possible that such a criminal might hack into the Linux Mint website and replace the good Linux Mint iso images with ones they have re-written to do bad things. If you do not verify the Linux Mint iso you download, you will probably not know if it is a good iso or an evil one. If the iso is in fact evil and you install it (depending on what you do on your computer) you could give your identity, bank account numbers, and other important information to these criminals. If, on the other hand, you verify the Mint iso and see that it is not good, you will know not to install it and can keep yourself safe.

In fact, something very similar happened in February 2016. An Eastern European hacker compromised the Linux Mint website and redirected downloads of Linux Mint 17.3 Cinnamon 64-bit to his own server, which hosted malicious iso images. Thanks to users who checked their iso images and noticed that something was wrong, this was discovered very quickly and the problem was fixed before much harm was done. Had the users not checked their iso images, they and many other people could have been hurt. The incident is also a good illustration of why a checksum on its own is not enough: someone who controls the website that serves the iso can just as easily serve a checksum to match it, which is why the GPG step described below exists.

I hope that this has convinced you of the importance of verifying your downloaded copy of Linux Mint. In the next part of this guide, we'll look at exactly what verification is.

What is verifying?

Verifying is a term that is used in several different ways, but here it means using a couple of standard tools to make sure that the iso you downloaded is exactly the one the Mint developers published. For Mint this is a two-step process:

(a) Calculate the sha256sum of the iso and compare it to the "good" one in sha256sum.txt.
A sha256sum is a type of "checksum": a fixed-length string derived mathematically from the contents of a file, so that two files with the same sha256sum are (for all practical purposes) identical, and a change to even a single byte gives a completely different sum.

(b) Make sure that the sha256sum.txt you compared against really came from the Mint developers, by checking its GPG signature. This is the most important part of the whole process. A checksum is only as trustworthy as the place you got it from: anyone who can replace the iso on a web server or mirror can replace the checksum file sitting next to it just as easily. A GPG signature, on the other hand, can only be produced by someone holding the Mint developers' private signing key, so whoever controls the download server cannot forge one. The catch is that you have to check the signature against the right key, which is why the fingerprint check later in this guide matters.

In other words, checking the sha256sum shows that your download arrived intact, and checking the GPG signature shows that the checksum you compared it to is the one Mint published. Together they tell you that the iso on your disk is the one the Mint developers released.

How to verify

So let's get to it!
Download the Mint iso, and the files sha256sum.txt and sha256sum.txt.gpg.

Not sure where they are? Here's what you need to do:

Visit this page to see the list of sites that host Mint isos and look for your nation's flag, or that of a nation near you, then click on one of the links. For example, someone in the United States would look for the American flag, and then perhaps choose advancedhosters.com or Harvard School of Engineering.

A web page should open with (usually) three folders on it: "debian/", "stable/", and "testing/". If you are downloading Mint 17.x or Mint 18.x, then choose "stable/" and then select the folder with the version you want; if LMDE 2 then choose "debian/". Next, download the iso image, sha256sum.txt, and sha256sum.txt.gpg, all into the same folder (aka directory). For most users, this will automatically be their Downloads folder.

For example, if I wanted to download Mint 17.3 Xfce 32-bit from advancedhosters.com, I would go to that mirror as described above, and then choose stable/ and then 17.3/. Here I can see the Linux Mint 17.3 iso images. I would download linuxmint-17.3-xfce-32bit.iso, sha256sum.txt, and sha256sum.txt.gpg.

Some browsers do not download sha256sum.txt and sha256sum.txt.gpg automatically. Instead, they open the files in a new tab. If this occurs, press Ctrl+S and you will be able to download each file.

The next steps depend on what operating system you are currently using: Windows, OS X (Mac), or Linux.

Windows

Currently in progress... See here in the meantime.

Linux

Most Linux distros already have the sha256sum tool (part of GNU coreutils) and a GPG client (gpg) installed. If yours doesn't, check online for instructions on how to install these.

Now open a terminal and cd into the directory into which you downloaded the iso and the two sha256sum files. For example, if you saved them to your Downloads folder, then:
cd ~/Downloads

Next, calculate the sha256sum of the Mint iso.
sha256sum <mint-iso-file>
Naturally, you should replace <mint-iso-file> with the correct name of the iso file. This step may take a few minutes.

After you get the sha256sum, compare it to the corresponding one in the sha256sum.txt file. For example, if I had downloaded linuxmint-17.3-xfce-32bit.iso, sha256sum.txt tells me that the correct sha256sum is

cebff34e99b071d7237d2cfd2e24719f5a72e9e499a82d424007e850befc755b
If this is identical to the output of sha256sum linuxmint-17.3-xfce-32bit.iso, then the download proceeded correctly and we can proceed to the next step.

If the sha256sum does not match, then something is wrong: either the download was damaged in transit, or the iso is not the file that sha256sum.txt describes. Either way, do not install it. Delete it and download it again, preferably from a different mirror.

After the sha256sum is correct, we need to verify the file sha256sum.txt to make sure it is from the Mint developers and not a malicious third party. Since the Mint developers have provided a detached GPG signature, sha256sum.txt.gpg, we will import their public signing key and use it to verify the sha256sum.txt file and, by extension, the Mint iso image.

But wait! There are actually two different keys used to sign Linux Mint sha256sum.txt files, depending on the version. Specifically, Mint 18.x uses a newer key, while Mint 17.x and LMDE 2 use an older (but still good) key.

The key fingerprints below are the one thing in this whole process that you have to take on trust, so take them from somewhere you trust, such as this guide or the Linux Mint website (over https), and not from the mirror that served you the iso. A keyserver will hand out any key that anybody has uploaded, so always ask for a key by its full fingerprint, as in the commands below, and never by name or by short key ID.

If you have downloaded Mint 18.x (it doesn't matter if it's Cinnamon, KDE, MATE, or Xfce; or 32 or 64 bit), use the following command to import the public key:
gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"

If you have downloaded one of the Mint 17.x series, or LMDE 2, use the following command in your terminal to import the public key:
gpg --keyserver keyserver.ubuntu.com --recv-key "E1A3 8B8F 1446 75D0 60EA 666F 3EE6 7F3D 0FF4 05B2"

Now let's verify! Enter the following command into your already-opened terminal:
gpg --verify sha256sum.txt.gpg sha256sum.txt

Hopefully, you'll see something like this (for Mint 18.x):

$ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Wed 07 Sep 2016 22:56:33 AEST using RSA key ID A25BAE09
gpg: Good signature from "Linux Mint ISO Signing Key "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09

or this (for Mint 17.x/LMDE 2):
$ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Wed 08 Apr 2015 00:19:15 AEST using DSA key ID 0FF405B2
gpg: Good signature from "Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E1A3 8B8F 1446 75D0 60EA  666F 3EE6 7F3D 0FF4 05B2

If you see this, then congratulations! You have successfully verified Linux Mint! That wasn't too hard, was it? :-)

Don't worry about the "WARNING: This key is not certified with a trusted signature!" This only means that gpg has no way of its own to know that this key belongs to the Linux Mint developers (you have not signed the Mint key with your own key, which you probably don't even have); it's not a message about the safety of the Mint iso itself. What you must check instead is the "Primary key fingerprint" line: it has to be identical to the fingerprint of the key you imported above. "Good signature" by itself only means that some key made the signature; if the fingerprint is different, the signature was made with somebody else's key, and the verification has failed just as surely as if gpg had said "BAD signature".

On the other hand, if something is wrong, you'll see something like this:

$ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Wed 06 Jan 2016 10:06:20 AM CST using DSA key ID 0FF405B2
gpg: BAD signature from "Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>"

See the line that says "BAD signature"? That's what we don't want: sha256sum.txt is not the file that sha256sum.txt.gpg was made for, either because one of them was damaged in transit or because somebody altered the checksum file. Delete and re-download sha256sum.txt and sha256sum.txt.gpg and try again. If it fails a second time, delete the Mint iso image and the two sha256sum files, choose a different mirror, and work through this again. Do not install the iso in the meantime.

A different message, "Can't check signature: No public key", means that the key import step above did not work (for example, the keyserver could not be reached, or you imported the key for the wrong Mint version). Go back and import the right key, then run the verify command again.
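To tie the Linux steps together, here is an added example script of my own; it is not part of this guide's original text and not something the Linux Mint project ships. It runs both checks in the order described above, and in the GPG step it compares the signing key's fingerprint (taken from gpg's machine-readable --status-fd output) against the fingerprint you pass in, instead of stopping at the words "Good signature". It assumes GNU coreutils (sha256sum, basename) and gpg are installed, that the iso, sha256sum.txt and sha256sum.txt.gpg are given on the command line along with the fingerprint you trust from the key list above, and that sha256sum.txt uses the "hash, then filename" layout that sha256sum itself writes. The SAMPLE_STATUS text inside the script is constructed to look like gpg's status output so the parser can be exercised offline; it is not real gpg output.

```shell
#!/bin/sh
# Added example, not part of this guide or of the Linux Mint project: the two
# checks above as one script, so that the checksum is always compared against
# sha256sum.txt AND the signing key's fingerprint is compared against the one
# you trust, rather than stopping at the words "Good signature".
# Assumes GNU coreutils (sha256sum, basename) and gpg 1.4 or 2.x are installed.

# Step 1: the ISO's sha256sum must match the entry for it in sha256sum.txt.
# Mint's sha256sum.txt lists every edition, one "<hash> *<filename>" line each,
# so select our ISO's line instead of feeding the whole file to "sha256sum -c".
check_iso_sum() {
    iso=$1
    sumfile=$2
    name=$(basename "$iso")
    want_sum=$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sumfile")
    have_sum=$(sha256sum "$iso" 2>/dev/null | awk '{ print $1 }')
    [ -n "$want_sum" ] && [ "$want_sum" = "$have_sum" ]
}

# Step 2: gpg's machine-readable status output (--status-fd) reports a
# verified signature on a VALIDSIG line:
#   [GNUPG:] VALIDSIG <signing-key-fpr> <date> <timestamp> ... <primary-key-fpr>
# Print both fingerprints so a signature made by a subkey still matches on the
# primary key's fingerprint (the one this guide quotes).
fingerprints_from_status() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; print $NF; exit }'
}

# True only if a VALIDSIG line names the expected key (spaces and case ignored).
# A BAD signature or a missing public key produces no VALIDSIG line at all.
status_matches_fingerprint() {
    want_fpr=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want_fpr" ] || return 1
    fingerprints_from_status "$1" | grep -qxF -- "$want_fpr"
}

# Run gpg and require a valid signature from the expected key. Drop the
# 2>/dev/null to see gpg's usual human-readable messages as well.
check_signature() {
    sumfile=$1
    sigfile=$2
    status=$(gpg --status-fd 1 --verify "$sigfile" "$sumfile" 2>/dev/null) || return 1
    status_matches_fingerprint "$status" "$3"
}

# Both checks, in the order the guide uses. Exit status 0 only if the checksum
# matches and sha256sum.txt carries a valid signature from the expected key.
verify_mint() {
    if ! check_iso_sum "$1" "$2"; then
        echo "FAIL: sha256sum of $1 does not match the entry in $2" >&2
        return 1
    fi
    if ! check_signature "$2" "$3" "$4"; then
        echo "FAIL: $2 is not validly signed by the key with fingerprint $4" >&2
        return 1
    fi
    echo "OK: $1 matches $2, which is signed by $4"
}

# Constructed sample of gpg status output for a good signature by the Mint 18.x
# ISO signing key, used to exercise the parser offline (not real gpg output).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 300F846BA25BAE09 Linux Mint ISO Signing Key
[GNUPG:] VALIDSIG 27DEB15644C6B3CF3BD7D291300F846BA25BAE09 2016-09-07 1473253000 0 4 0 1 8 00 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Usage: sh verify_mint.sh <iso> sha256sum.txt sha256sum.txt.gpg "<fingerprint>"
if [ "$#" -eq 4 ]; then
    verify_mint "$@"
    exit $?
fi
```

Save it as verify_mint.sh in the folder with your downloads and run it with the iso name, the two sha256sum files and the fingerprint for your Mint version, quoted exactly as in the import commands above. The script deliberately picks the one line for your iso out of sha256sum.txt; if your coreutils is 8.25 or newer you can get the same effect interactively with sha256sum -c --ignore-missing sha256sum.txt, but that still leaves the fingerprint comparison for you to do by eye.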