LinuxQuestions.org

Thread: Win 7 - How to Verify the authenticity of the sha256sum.txt file (https://www.linuxquestions.org/questions/linux-newbie-8/win-7-how-to-verify-the-authenticity-of-the-sha256sum-txt-file-4175657572/)

RavenCarillon 07-17-2019 01:32 PM

Win 7 - How to Verify the authenticity of the sha256sum.txt file
 
I have an MD5 & SHA Checksum Utility installed for Windows 7.

I can verify a distro ISO image with the key in the sha256sum.txt file.

However, I can't figure out how to get the key to authenticate the sha256sum.txt file from the distro pages I've used. All the examples and walk-throughs use the "gpg --keyserver" command in the command line, which does nothing in the Win 7 command line.

The only way I see to authenticate the sha256sum.txt file is to go ahead and use the iso file to install Linux, then use the Linux command line to get the key and verify the sha256sum.txt file after the fact and hope that it's good. Otherwise I've already installed a compromised iso.

Also if I install a compromised iso in Virtual Box or in a dual boot, will just removing the VM / dual boot be safe enough or do I have to wipe the drive and reinstall Win 7 and restore my system image?

ehartman 07-17-2019 02:35 PM

Quote:

Originally Posted by RavenCarillon (Post 6015945)
All the examples and walk-thrus use "gpg --keyserver" command in the command line which does nothing in Win 7 command line.

So you will have to find and install GnuPG (GNU Pretty Good privacy) on your Windows 7 system first to be able to do that. AND, of course, you'll need the public gpg key of the distributing agency/author/site. That can be gotten from the keyserver site in the command line (but, of course, do you trust the keyserver?).
Search the web about "Pretty Good Privacy", how it works and what you need for it.
GnuPG is the gnu version (open source) of that.

RavenCarillon 07-19-2019 03:42 PM

Thank you for the info. I found GnuPG and they have a windows version Gpg4win I can try. Looks like it has a bunch of stuff for email, file xfers etc., but hopefully the command to get the key from the keyserver will work. I have been told not to worry about it too much but I've been in the Windows world too long to take risks with malware. Plus I want to learn everything I can about Linux cause I plan to stick with it and not deal with Windows anymore. :)

.....
After checking out Gpg4win it doesn't do what I need - let me run the "gpg --keyserver" command. There is a lot of documentation but it's all about encrypting and decrypting email and files. "Gpg4win is a Windows version of GnuPG featuring a context menu tool, a crypto manager, and an Outlook plugin to send and receive standard PGP/MIME mails."

So I will just have to hope once I install a distro and then authenticate the sha256sum.txt file it turns out to be good. Too bad distros aren't stored on secure servers so all this validation isn't needed.

ehartman 07-19-2019 11:55 PM

Quote:

Originally Posted by RavenCarillon (Post 6016792)
Too bad distros aren't stored on secure servers so all this validation isn't needed.

And how do you know a server is secure?
That works through public encryption keys, certificates and a public certificate server too, so just like a gpg keyserver you will need an external system first, be it the keyserver for gpg or the certificate server for https.
And not all browsers trust all certificate servers (especially Linux sites using ca-certificates ones).

RavenCarillon 07-20-2019 10:09 AM

Yeah true but they could at least use https sites instead of just http.

TB0ne 07-20-2019 10:15 AM

Quote:

Originally Posted by RavenCarillon (Post 6016980)
Yeah true but they could at least use https sites instead of just http.

Not sure what you're looking at, but openSUSE, Fedora, Ubuntu, and Manjaro (which you list as something you used), ALL have https links for download. Most direct-pick mirrors are https also.

pan64 07-20-2019 12:20 PM

The gpg tool is running on a system, and will look for some files (on that OS). On linux there are some defaults which are unavailable on windows.
On windows you may try: https://www.gpg4win.org/
On the other hand, you can check the md5, sha1, sha256 on windows too - after download, so you can validate the image before booting it.
Finally, if you run a compromised image in VM you can safely remove that image. Most probably it won't (can't) reach your host. If you make dual boot it will depend on you. If the drives/partitions are common you can make some trouble, otherwise it is still safe (to reinstall the compromised system).
But (obviously) there is no correct answer, because all depends on the user and the configuration. (I have never heard of a virus which can handle (works on) both windows and unix/linux, but that does not mean it does not exist).
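To make the procedure discussed in this thread concrete on Windows, here is an added example (not from any poster) in PowerShell: it checks the ISO against the entry in sha256sum.txt and then verifies the detached GnuPG signature on sha256sum.txt with the command-line gpg.exe that Gpg4win installs alongside its GUI tools. The ISO name, the signature file name, the keyserver and the key fingerprint are assumptions or placeholders to replace with the values the distro publishes.

```powershell
# Added example, not from the thread. Assumed: the ISO, the checksum file and
# its detached signature are in the current directory; the file names and the
# signing-key fingerprint are placeholders to replace with the distro's values.
$Iso         = 'distro-example.iso'          # assumed file name
$SumFile     = 'sha256sum.txt'
$SigFile     = 'sha256sum.txt.sig'           # assumed name of the detached signature
$Fingerprint = '0000000000000000000000000000000000000000'  # PLACEHOLDER: copy from the distro's website
$KeyServer   = 'hkps://keyserver.ubuntu.com' # assumed keyserver
# Step 1: SHA-256 of the ISO via .NET, so it also works on the PowerShell 2.0
# that ships with Windows 7 (Get-FileHash needs PowerShell 4 or later).
function Get-Sha256Hex([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}
# Step 2: find the expected hash for this ISO in sha256sum.txt. Lines use the
# sha256sum format: <64 hex chars><space><space or *><file name>
$expected = $null
foreach ($line in Get-Content $SumFile) {
    if ($line -match '^([0-9a-fA-F]{64})\s+\*?(.+)$' -and $Matches[2] -eq $Iso) {
        $expected = $Matches[1].ToLower(); break
    }
}
if (-not $expected) { throw "no entry for $Iso in $SumFile" }
$actual = Get-Sha256Hex $Iso
if ($actual -ne $expected) { throw "ISO hash MISMATCH: got $actual, expected $expected" }
Write-Host "ISO matches the entry in $SumFile"

# Step 3: check that sha256sum.txt itself is signed by the distro's key.
# Gpg4win installs gpg.exe, so the same --keyserver / --verify commands as on
# Linux work once it is on PATH. Fetch the key by its full fingerprint.
& gpg --keyserver $KeyServer --recv-keys $Fingerprint
if ($LASTEXITCODE -ne 0) { throw 'could not fetch the signing key' }

# Exit code 0 from --verify only means "some key in my keyring signed this".
# --status-fd 1 prints machine-readable lines; VALIDSIG carries the fingerprint
# of the signing (sub)key in field 2 and of its primary key in the last field.
$status = & gpg --status-fd 1 --verify $SigFile $SumFile
$sigOk  = $false
foreach ($s in $status) {
    if ("$s" -match '^\[GNUPG:\] VALIDSIG ') {
        $f = "$s" -split '\s+'
        if ($f[2] -eq $Fingerprint -or $f[-1] -eq $Fingerprint) { $sigOk = $true }
    }
}
if (-not $sigOk) { throw "signature on $SumFile is missing or made by an unexpected key" }
Write-Host "$SumFile is signed by the expected key $Fingerprint"
```

Run it from the folder holding the three files after installing Gpg4win; the fingerprint comparison is what ties the signature to the distro rather than to any key that happens to be in the local keyring.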

LForward1 07-22-2019 08:21 AM

Thanks for sharing

RavenCarillon 07-23-2019 11:19 AM

Thanks for the info! I will stick with VirtualBox till I decide on a distro, it seems to be the safest method besides USB or CD and I don't have any CDs or extra USBs to use.

The first distro I want to try is Xubuntu, that mirror is only http instead of https.

I tried gpg4win but it won't let me run the "gpg --keyserver" command to get the sha256sum.txt file key.

In other groups I have asked, the consensus so far is:
verifying the iso file is the important part, authenticating the sha256sum.txt file isn't, most people totally skip that part.

I will still authenticate the sha256sum.txt file anyway once I have the Linux OS running cause it's easy then, just to be extra safe.

