What The Quack Is Going On Here.

[bob466]

Over the last few days I've downloaded 5 Mint Cinnamon 22.1 ISOs...ran the Mint Verify Tool and it said 4 out of 5 were bad.

So I decided to verify the checksum a different way with the Terminal...I downloaded one ISO as a torrent and the other from a mirror...what will the results show.

I ran the Mint Verify tool on both and go this...

I then opened the Terminal and ran the sha256sum command

Then compared the checksum with the Mint sha256sum.txt file from the Mint web site which shows the correct checksum...

Notice the checksum on all 3 is exactly the bloody same...what the quack is going on.

The idea of running the checksum is to show if the ISO has been tampered with or not but doesn't mean the ISO is good as I found with Linux Lite...it's enough to put you in the nut house.

 

[osprey]

It's probably worth checking the actual sizes of all the .iso files in comparison to the one that is in the archive. That includes those on the usb used for installing. The ls command will give an exact measure of the sizes of the downloaded .iso files in bytes. A second check of the same can be made using the stat command and checking the Size: output, e.g.:

ls -al <file.iso>

stat <file.iso> | grep -i Size

stat <file.iso> | awk '/Size/{print $1,$2}'

Sometimes writing software introduces padded bytes onto a usb when writing an iso file to it which can interfere with its booting capability.

If the sizes check out, the problem is elsewhere. It's a small check, but good to discount size as a factor in the issue.

 

[CaffeineAddict]

Then compared the checksum with the Mint sha256sum.txt file from the Mint web site which shows the correct checksum...

The file format you show in screenshot is incorrect.

Syntax is:

SHA_SUM <two spaces> filename

But your file contains an asterisk which is garbage.
Remove asterisks and make sure there are 2 spaces between a sum and file name per line, save file and run again:

sha256sum -c SHASUMS

Assuming SHASUMS is file containing sums.

 

[Condobloke]

from : https://linuxmint-installation-guide.readthedocs.io/en/latest/verify.html

Integrity check​

To check the integrity of your local ISO file, generate its SHA256 sum and compare it with the sum present in : sha256sum.txt


sha256sum -b yourfile.iso

 

[gvisoc]

Hey @bob466

The first screenshot doesn't complain about the integrity, what it doesn't find is the GPG signature on the server. The signature is correct, but the key used to sign is not present in the server you've downloaded it from. Integrity check (SHASUM) is OK.

The second screenshot says that the file (shasums.txt) doesn't contain a sum for the file you're analysing. This is because your download program has added a '(1)' to the file name as you can see in your picture, most likely because you've download the file to a folder that contained the previous file, same name.

I don't think you're having integrity problems, the screenshots of your post describe other errors. I would ensure that the cryptographic signature is correct and the signature is coming from one of the official keys.

 

[bob466]

The file format you show in screenshot is incorrect.

Syntax is:


But your file contains an asterisk which is garbage.
Remove asterisks and make sure there are 2 spaces between a sum and file name per line, save file and run again:

sha256sum -c SHASUMS

Assuming SHASUMS is file containing sums.

I think you need glasses...where in the terminal command is an asterisk ?

Please read this again...Then compared the checksum with the Mint sha256sum.txt file from the Mint web site which shows the correct checksum.

The Mint sha256sum.txt file contents doesn't run in the Terminal...it's to compare the checksum that was created in the Terminal to the correct checksum in the file.

The second screenshot says that the file (shasums.txt) doesn't contain a sum for the file you're analysing. This is because your download program has added a '(1)' to the file name as you can see in your picture, most likely because you've download the file to a folder that contained the previous file, same name.

The "1" simply means it was the first ISO I downloaded to the Downloads Folder...nothing more.

I ran the checksum 3 different ways and the only problem I got was from the Mint Verify tool but all 3 showed the same checksum.

 

[wizardfromoz]

This is because your download program has added a '(1)' to the file name as you can see in your picture, most likely because you've download the file to a folder that contained the previous file, same name.

Bob, I have already mentioned this in another of your threads.

Having the (1) does make a difference. The nature of hashcheck algorithms (shasum and so on) is that you cannot expect that two files with the same content but different names will be OK. It does not work that way.

Nite all

Wizard
BTW - nice call, Gabe.

 

[gvisoc]

It's simpler than that. If you read the contents of the sha256sum.txt file, you won't find a filename that has the '(1)'.

That's exactly what the error message says: "The SHA256 sums file does not contain sums for that ISO file".

Because there's no filename in that sums file with a '(1)'.

That's what the error message reads.

I am so confident on my reading expertise that if you remove the '(1)' and the checksum verification fails I will pay you a pizza through paypal.

 

[osprey]

Whilst I was preparing a reply, the above has covered some of the points I was to make, but since I've written it out, I'll put it here in case it has some extra help in it.


The terminal output shown in post #1 indicates that the file:
linuxmint-22.1-cinnamon-64bit.iso
is verified, since the output of the sha256sum command applied to the .iso file matches the alpha-numeric sum specified for that iso in the sha256sum.txt file. That .iso file is good according to the terminal output. In this case it appears the terminal method for verifying the iso was effected in the normal manner, i.e.
Download the iso.
Download the two sha256sum files from the same directory.
Have the iso and both sha256sum files in the one directory.
Run: sha256sum -b <file.iso>.
Compare the output of sha256sum command with text in sha256sum.txt

On the matter of the asterisk (*), it is the contents of the sha256sum.txt file that contains the asterisk, as part of its format, but it's not part of any verification command the user runs.

There are two verification processes:
1. to check that the .iso file downloaded has been copied truly and is the same as the .iso file on the server.

2. to check that the sha256sum.txt file is a true copy of that file. For this one needs to import a key with gpg and run a few gpg commands.

The results of the first one has been shown as described above. Often the second one is not done, and found not to be necessary, but opinions differ.

However, the Mint Verify Tool, does evidently require that the gpg key be properly installed on the system, which is the key @gvisoc mentioned in post #5.

The instructions for importing the key are described here: https://linuxmint-installation-guide.readthedocs.io/en/latest/verify.html

The problem of "Integrity check failed" in the second GUI image appears to relate to the actual iso being tested. In the image the iso is named as:
linuxmint-22.1-cinnamon-64bit(1).iso
which is not a name that appears in the sha256sum.txt file. In that sha256sum.txt file, the name of the verifiable file is: linuxmint-22.1-cinnamon-64bit.iso, that is, a name without the brackets and their contents in the named iso in that image. In that case it's understandable that the iso file with the brackets in its name would fail to be verified, and the message actually says that the sha256sum file does not contain a sum for an iso image with that name, which is the case.

The "1" simply means it was the first ISO I downloaded to the Downloads Folder...nothing more.

This does not appear to be correct. Normally when a file like: linuxmint-22.1-cinnamon-64bit.iso, is downloaded, it is downloaded with exactly that file name, but when a second download of the same file is run, the second file doesn't overwrite the first file, but it is given another name which includes the brackets and the number 1, and is named: linuxmint-22.1-cinnamon-64bit(1).iso. This numbering differentiates the two downloaded files which are the same. It's a sort of "failsafe" for downloading.This phenomenon was also mentioned by @gvisoc in different words in post #5.

 

[CaffeineAddict]

I think you need glasses...where in the terminal command is an asterisk ?

Please read this again...Then compared the checksum with the Mint sha256sum.txt file from the Mint web site which shows the correct checksum.

The asterisk is not in the terminal but in sha256sum.txt
it should not be there because ISO file name does not start with asterisk.

 

[bob466]

If I'm doing something wrong...lets try another Distro...Lubuntu doing exactly the same.

Mint Verify tool...

Terminal...

GtkHash...

All match the checksum shown...

Note...I downloaded the Lubuntu ISO only once.
Anyway everyone can draw their own conclusions here.

 

[wizardfromoz]

The asterisk is not in the terminal but in sha256sum.txt
it should not be there because ISO file name does not start with asterisk.

@CaffeineAddict - the asterisk is being used as a comment, typically represented by a # or //

Bob did not put it there, I have seen it many times before, it is a vagary of Linux Mint and a number of other distros.

HTH

Wizard

 

[bob466]

Just for the record...I installed Lubuntu in Virtualbox without any problems at the first attempt as it should be but as they say...life wasn't meant to be easy.

 

[CaffeineAddict]

@CaffeineAddict - the asterisk is being used as a comment, typically represented by a # or //

Bob did not put it there, I have seen it many times before, it is a vagary of Linux Mint and a number of other distros.

I just tested this on my ISO which I have, I've added the asterisk and it produced an error:

sha512sum -c SHA512SUMS2
sha512sum: '*debian-12.10.0-amd64-netinst.iso': No such file or directory
*debian-12.10.0-amd64-netinst.iso: FAILED open or read
sha512sum: WARNING: 1 listed file could not be read

Here are contents with asterisk added:

cat SHA512SUMS2

cb089def0684fd93c9c2fbe45fd16ecc809c949a6fd0c91ee199faefe7d4b82b64658a264a13109d59f1a40ac3080be2f7bd3d8bf3e9cdf509add6d72576a79b *debian-12.10.0-amd64-netinst.iso

If I remove the asterisk the command works as expected:

sha512sum -c SHA512SUMS2
debian-12.10.0-amd64-netinst.iso: OK

So I'm not convinced that asterisk should be there.

Beside that here is what others say on the subject:

Is there file format for checksums?

I want to store SHA512 checksum of the file for my application. How to do it in common (popular) way? So this checksum can be used but by third party application too.

unix.stackexchange.com

 

[osprey]

I just tested this on my ISO which I have, I've added the asterisk and it produced an error:

sha512sum -c SHA512SUMS2
sha512sum: '*debian-12.10.0-amd64-netinst.iso': No such file or directory
*debian-12.10.0-amd64-netinst.iso: FAILED open or read
sha512sum: WARNING: 1 listed file could not be read

Here are contents with asterisk added:

cat SHA512SUMS2

If I remove the asterisk the command works as expected:

sha512sum -c SHA512SUMS2
debian-12.10.0-amd64-netinst.iso: OK

So I'm not convinced that asterisk should be there.

Beside that here is what others say on the subject:

Is there file format for checksums?

I want to store SHA512 checksum of the file for my application. How to do it in common (popular) way? So this checksum can be used but by third party application too.

unix.stackexchange.com

It appears that the matter of the asterisks is one of different formats used by different distros.

Linuxmint uses the asterisks, as shown here: https://mirror.aarnet.edu.au/pub/linuxmint/stable/22.1/sha256sum.txt

ccf482436df954c0ad6d41123a49fde7935<snip> *linuxmint-22.1-cinnamon-64bit.iso
d286306d0f40bd7268f08c523ece5fba87c<snip> *linuxmint-22.1-mate-64bit.iso
6451496af35e6855ffe1454f061993ea9cb<snip> *linuxmint-22.1-xfce-64bit.iso

And debian does not use that format, as shown here: https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA256SUMS

ee8d8579128977d7dc39d48f43aec5ab06<snip>  debian-12.10.0-amd64-netinst.iso
233a730e88ae995da5c6634c7ab78a8a9f<snip>  debian-edu-12.10.0-amd64-netinst.iso
31f132da2deedbf126d426ae591ae339b5f<snip>  debian-mac-12.10.0-amd64-netinst.iso

Note that the snips are only of some alphanumerics, but the format is retained. Post #9 mentioned the format aspect.

 

[CaffeineAddict]

It appears that the matter of the asterisks is one of different formats used by different distros.

So format with asterisk can only be recognized by Mint installer (or other OS installer which relies on it) or Mint specific software, but standard programs like sha512sum do not recognize it since they are distro agnostic.

Screenshot in OP post shows the sha256sum does not add asterisk to the output, therefore the -c command option will not work even on Mint, it can only work with Mint software or Mint OS installer.

It sucks when X devs think they know better than what's established standard.

 

[wizardfromoz]

Aah, dear, you are not getting what I am saying @CaffeineAddict , I may not have explained it clearly enough.

I don't have the time for now to try again, and I don't need to reinvent the wheel that good fellow countryman @osprey has kindly put into motion. Perhaps I will try again when I can.

Cheers

Wizard

 

[bob466]

Here is exactly the same thing but with a different ISO...

Oh no I forgot the asterisk.

 

[Condobloke]

Oh no I forgot the asterisk.

 

[bob466]

So after all this I can say...a bad or corrupt ISO was the problem...the good ISO the only one out of 5 installed in Virtualbox without any problems as it should.

The very same ISO was then installed on my spare SSD and runs just fine so far.

It certainly does pay to run the checksum test and install it in Virtualbox and back up your System before installing on your computer.