The One about How It is Important to Verify Your Linux ISO’s

So, you are new to Linux and you want to start learning the powerful open-source operating system kernel. It’s quite easy, go to the website and download the .iso.

But before you start using it on virtualization software such as Oracle VirtualBox or Broadcom’s VMware, you will want to verify the integrity and authenticity of the .iso. THIS IS VERY IMPORTANT!

Here is the thing: Linux developers use many mirrors around the world for people to download the software. But these mirrors are not official Linux sites; they are sites that were simply given permission to host the file.

Unfortunately, there are some bad people who know this, so they will modify these .iso’s and put malware or viruses on them. It is up to you to do your own due diligence of verifying the authenticity of the .iso.

So, nearly every Linux developer will ask you to verify the .iso.

We are going to use Linux Mint as it’s quickly becoming the most popular for people to quickly learn and utilize Linux.

As you can see from the image above, Linux Mint pretty much warns people to verify the integrity and authenticity of the .iso image you download from a mirror. Download both files (sha256sum.txt and sha256sum.txt.gpg) to where your .iso will be downloaded to. Most people will have it go to their downloads directory.

Integrity Check

There is a text file titled sha256sum.txt, and in it you will find the following:

ccf482436df954c0ad6d41123a49fde79352ca71f7a684a97d5e0a0c39d7f39f *linuxmint-22.1-cinnamon-64bit.iso
d286306d0f40bd7268f08c523ece5fba87c0369a27a72465a19447e3606c5fa0 *linuxmint-22.1-mate-64bit.iso
6451496af35e6855ffe1454f061993ea9cb884d2b4bc8bf17e7d5925ae2ae86d *linuxmint-22.1-xfce-64bit.iso

I am going to use the Linux Mint 22.1 Cinnamon version, so please note the long string starting with ccf482436df…

Now, let’s assume you are working on Windows 11 and you are going to type on the Windows SEARCH: CMD

I recommend if you are admin to run the command prompt as an Administrator.

The next step is typing powershell, which will take you to the PowerShell screen.

Hopefully you know basic DOS commands, but you will want to go to your downloads folder. So in PowerShell, if the prompt is at c:\windows\system32, go ahead and type cd\

This will put you to the main C:\ prompt.

OK, now depending on where your download folder is, let’s assume it’s on your C:\ drive, so you would type:

cd users\(your user name)\downloads

(cd stands for change directory)

Type dir (this will list the files in your directory) and make sure you know the name of the actual .iso file.

So, now we are going to check the integrity of the .iso file. For example, I would type the following command:

CertUtil -hashfile linuxmint-22.1-cinnamon-64bit.iso sha256

Once you hit enter, if it’s done correctly, you will see the hash of the .iso. If it matches the hash in the .txt file, you are good with this part. But if it doesn’t match, that is no good and the file may have been compromised. Download a different .iso elsewhere.

Authenticity Check

Now it’s time for an Authenticity Check. Because a lot of the information on the Internet about Authenticity Checks predates Windows 11, those on Windows 11 should download the free Gpg4win software.

Currently, I am using Gpg4win 4.4.0 (aka Kleopatra).

If you had the command prompt and powershell open before, please close it and open a new window (I emphasize this as people neglect to do this part).

So, how do we verify the authenticity of this .iso file?

We are going to go to the command prompt as administrator (like we did for the integrity check) and type powershell.

Now, we are going to copy and paste the following:

gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09

When you hit enter, it should show that Linux Mint ISO Signing Key <[email protected]> was imported. But now the final step:

Type this in the prompt: gpg --verify sha256sum.txt.gpg sha256sum.txt

Once you hit enter, it should look something like this:

What you are zeroing in on is the third line, “Good signature from “Linux Mint ISO Signing Key””, and the last line, which shows the primary key fingerprint. Check that it matches the RSA key on the second line; it should also be the same fingerprint you pasted into the --recv-key command above.

If both integrity and authenticity are good, you are good to go and can now install the .iso.
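
The two checks above can be combined into one PowerShell function. This is an added example, not part of the original post; the function name Test-MintIso is hypothetical, and it assumes gpg from Gpg4win is on your PATH and the signing key has already been imported. It checks the signature on sha256sum.txt first, because the hash list can only be trusted once its signature verifies.

```powershell
# Added example (not from the original post). Test-MintIso is a hypothetical name.
# Assumes gpg (Gpg4win) is on PATH and the signing key was imported with --recv-key.
function Test-MintIso {
    param(
        [Parameter(Mandatory)] [string] $IsoPath,
        [string] $SumFile = 'sha256sum.txt',
        [string] $SigFile = 'sha256sum.txt.gpg',
        # Fingerprint taken from the --recv-key command in the article
        [string] $Fingerprint = '27DEB15644C6B3CF3BD7D291300F846BA25BAE09'
    )

    # Step 1: authenticity of sha256sum.txt. --status-fd 1 makes gpg print
    # machine-readable status lines, which are safer to parse than the
    # human-readable "Good signature" text.
    $status = & gpg --status-fd 1 --verify $SigFile $SumFile 2>$null
    $gpgExit = $LASTEXITCODE
    $validSig = $status | Where-Object { $_ -match '^\[GNUPG:\] VALIDSIG ' } |
        Select-Object -First 1
    if ($gpgExit -ne 0 -or -not $validSig) {
        Write-Warning "Signature on $SumFile did not verify."
        return $false
    }
    # The last field of a VALIDSIG line is the primary key fingerprint.
    $signer = ($validSig -split ' ')[-1]
    if ($signer -ne $Fingerprint) {
        Write-Warning "Signed by unexpected key $signer."
        return $false
    }

    # Step 2: integrity of the ISO. Lines look like "<sha256> *<file name>".
    $isoName = Split-Path -Leaf $IsoPath
    $expected = @(foreach ($line in Get-Content -LiteralPath $SumFile) {
        if ($line -match '^([0-9a-fA-F]{64})\s+\*?(.+)$' -and $Matches[2] -eq $isoName) {
            $Matches[1]
        }
    }) | Select-Object -First 1
    if (-not $expected) {
        Write-Warning "$isoName is not listed in $SumFile."
        return $false
    }
    $actual = (Get-FileHash -Algorithm SHA256 -LiteralPath $IsoPath).Hash
    # -eq on strings ignores case, so the upper-case Get-FileHash output
    # still matches the lower-case hashes in the list.
    return ($actual -eq $expected)
}

# Run from the downloads folder that holds all three files.
Test-MintIso -IsoPath .\linuxmint-22.1-cinnamon-64bit.iso
```

The function returns True only when the checksum list was signed by the expected key and the .iso hash matches its entry in that list.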