LinuxQuestions.org
Old 09-04-2016, 08:06 PM   #1
jwebb
LQ Newbie
 
Registered: Sep 2016
Posts: 4

Rep: Reputation: Disabled
Linux Mint Verify ISO


Hello;

I am trying to verify my Linux Mint 18 "Sarah" - Cinnamon (64-bit) ISO. I am using gpg4win Kleopatra to import the key. I type - keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09" into the search box and press Search. Nothing is returned. I also tried it without the quotes.

Thank You,
Joe
 
Old 09-04-2016, 09:07 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,324
Blog Entries: 28

Rep: Reputation: 6142
The MD5 sum (which I assume you are using, as you do not specify) is not a gpg key.

See this: https://help.ubuntu.com/community/HowToMD5SUM
 
Old 09-05-2016, 10:36 AM   #3
jwebb
LQ Newbie
 
Registered: Sep 2016
Posts: 4

Original Poster
Rep: Reputation: Disabled
Hi Frank;

Thanks for the quick response.

I know the checksum must be calculated, but according to the Linux Mint documentation, not before the signing key is imported. It is that first step where the problem is encountered.

Thanks Again,
JWebb


The following steps should be performed to verify an ISO image:

Import the signing key:
gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"

Browse the main mirror, or choose a mirror near you, and download the ISO image, the sha256sum.txt and the sha256sum.txt.gpg files into the same directory.
Verify the signature on the sha256sum files with the following command (The output of this command should mention that the signature is "Good". Also, if you didn't import keys before on your computer you can ignore the warning "This key is not certified with a trusted signature! There is no indication that the signature belongs to the owner."):
gpg --verify sha256sum.txt.gpg sha256sum.txt
Once this is done, the sha256sum.txt can be trusted.
Generate the sha256 sum of your ISO image, and compare it to the sum present in the sha256sums.txt file.
sha256sum -b yourisoimagefile.iso
If the signature was "Good" and the sha256 sums match, you successfully verified the integrity and authenticity of the ISO image.
 
Old 09-05-2016, 02:49 PM   #4
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 21 MATE
Posts: 8,048
Blog Entries: 5

Rep: Reputation: 2925
If you want to follow the instructions on https://linuxmint.com/verify.php, you're supposed to enter gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09" at a Linux terminal or terminal emulator.

The gpg command installed by Gpg4win in Windows may work similarly, but you will have to enter the command at the Windows command prompt, not in a search box.

Most people just check the hash without bothering about the gpg key, but if you want that extra level of security then fair play to you.
 
Old 09-05-2016, 05:48 PM   #5
jwebb
LQ Newbie
 
Registered: Sep 2016
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thanks for your response.

I did what you suggested and the output is below. My command was copied directly from the Mint Web site. Because they have been hacked recently, this was strongly suggested, but it failed.

JWebb


C:\Users\Family User\Downloads> gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"
gpg: "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09" not a key ID: skipping

C:\Users\Family User\Downloads> gpg --keyserver keyserver.ubuntu.com --recv-key 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09
gpg: "27DE" not a key ID: skipping
gpg: "B156" not a key ID: skipping
gpg: "44C6" not a key ID: skipping
gpg: "B3CF" not a key ID: skipping
gpg: "3BD7" not a key ID: skipping
gpg: "D291" not a key ID: skipping
gpg: "300F" not a key ID: skipping
gpg: "846B" not a key ID: skipping
gpg: "A25B" not a key ID: skipping
gpg: "AE09" not a key ID: skipping
 
1 members found this post helpful.
Old 09-05-2016, 08:01 PM   #6
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,324
Blog Entries: 28

Rep: Reputation: 6142
Quote:
I know the checksum must be calculated, but according to the Linux Mint documentation, not before the signing key is imported. It is that first step
Thanks, jwebb. I learned something (which is why I hang around here in the first place).
 
Old 09-06-2016, 03:04 AM   #7
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 21 MATE
Posts: 8,048
Blog Entries: 5

Rep: Reputation: 2925
Googling for "not a key ID: skipping" --recv-key produces http://superuser.com/questions/10710...ad-public-keys

This concurs that the command format as given previously doesn't work on Windows, and suggests a workaround for that o/s of the format:

gpg --keyserver keyserver.ubuntu.com --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
 
1 members found this post helpful.
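
Added example (not part of any post, and not Linux Mint's or GnuPG's own code): a POSIX shell version of the procedure quoted in post #3, using the space-free fingerprint form from post #7. It goes one step beyond the quoted steps by accepting the signature only when gpg's machine-readable VALIDSIG status line names that fingerprint, so a "Good" signature from some other key in the keyring does not pass; the function names and the argument order of verify_iso are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from Linux Mint's documentation.
# Fingerprint as quoted in the thread (grouped in fours, as printed on the site).
MINT_FPR="27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"

# Strip whitespace, upper-case, and require exactly 40 hex digits.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F')
    case "$fpr" in ""|*[!0-9A-F]*) return 1 ;; esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# stdin: output of `gpg --status-fd 1 --verify`. Succeeds only if a VALIDSIG
# line names the pinned key as signing key (field 3) or primary key (last field).
signed_by() {
    want_fpr=$(normalize_fpr "$1") || return 1
    # ($3 "") forces a string comparison, never a numeric one.
    awk -v want="$want_fpr" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && (($3 "") == want || ($NF "") == want) { ok = 1 }
        END { exit !ok }'
}

# Print the hash listed for NAME in a sha256sum.txt ("<hash> *<name>" lines).
listed_sum() {  # usage: listed_sum SUMS NAME
    awk -v name="$2" '
        { f = $2; sub(/^\*/, "", f) }
        f == name { print $1; found = 1; exit }
        END { exit !found }' "$1"
}

# Compare the ISO's computed SHA-256 with the entry for its file name.
hash_matches() {  # usage: hash_matches ISO SUMS
    want_sum=$(listed_sum "$2" "$(basename "$1")") || return 1
    have_sum=$(sha256sum -b "$1" | cut -d' ' -f1)
    [ "$want_sum" = "$have_sum" ]
}

# Full check: signature pinned to one fingerprint first, then the hash.
verify_iso() {  # usage: verify_iso ISO SUMS SIG FINGERPRINT
    gpg --status-fd 1 --verify "$3" "$2" 2>/dev/null | signed_by "$4" ||
        { echo "sha256sum.txt is not signed by the pinned key" >&2; return 1; }
    hash_matches "$1" "$2" ||
        { echo "ISO hash is missing from or differs from sha256sum.txt" >&2; return 1; }
    echo "OK: $1"
}
```

After the key has been imported, the call is `verify_iso yourisoimagefile.iso sha256sum.txt sha256sum.txt.gpg "$MINT_FPR"`.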
Old 09-06-2016, 05:10 AM   #8
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
https://support.microsoft.com/en-us/kb/889768
 
Old 09-07-2016, 06:42 PM   #9
jwebb
LQ Newbie
 
Registered: Sep 2016
Posts: 4

Original Poster
Rep: Reputation: Disabled
hydrurga;

Thanks! That worked.

gpg --keyserver keyserver.ubuntu.com --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09

JWebb
 
Old 09-08-2016, 12:56 AM   #10
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 21 MATE
Posts: 8,048
Blog Entries: 5

Rep: Reputation: 2925
Great! Thanks for the feedback, jwebb.

Can you mark the thread as "Solved" please (see "Thread Tools" at the top of the thread).
 
  

