MD5sums are a simple method of checking the integrity of a downloaded ISO file to see if it is corrupt, but they provide no trusted method for checking the ISO hasn’t been tampered with in some way and you’ve been given a false MD5sum to check it against.
This is where GPG signatures come in, checking the downloaded ISO against its signature file will verify the ISO hasn’t been tampered with. Even if someone were to hack into a website and upload a modified ISO image, and change the MD5sum being shown so it appeared to check out okay, the ISO would not verify correctly against its corresponding GPG key.
How to verify a Peppermint ISO image against its GPG signature file
Once you have downloaded the ISO file, you’ll also need to download its corresponding GPG signature file, links to these can be found next to the ISO download links and at the bottom of this page.
In this EXAMPLE we’re going you verify the Peppermint 7 64bit ISO image (Peppermint-7-20161201-amd64.iso) against its GPG signature file (Peppermint-7-20161201-amd64.iso.sig) .. if you’re checking another Peppermint version, please adjust the commands accordingly.
Place both the Peppermint-7-20161201-amd64.iso and the Peppermint-7-20161201-amd64.iso.sig file in the same directory.
Open a terminal, and ‘cd’ (change directory) into that directory .. so if you had placed both files into your ‘Home’ directory, run:
First you’ll need to check if you already have our GPG key, so run:
and look for:-
pub 2048R/AECF1D2F 2013-05-02 uid Mark Greaves (PCNetSpec) <firstname.lastname@example.org> sub 2048R/65814265 2013-05-02
If it’s not listed, run:
gpg --keyserver keyserver.ubuntu.com --recv-keys AECF1D2F
Which should result in:-
gpg: requesting key AECF1D2F from hkp server keyserver.ubuntu.com gpg: /home/<username>/.gnupg/trustdb.gpg: trustdb created gpg: key AECF1D2F: public key "Mark Greaves (PCNetSpec) <email@example.com>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1)
Next, verify the key by running:
gpg --fingerprint AECF1D2F
Which should return:-
pub 2048R/AECF1D2F 2013-05-02 Key fingerprint = 4A9F 9066 13AF ABED CFA3 92C2 E499 FD0B AECF 1D2F uid Mark Greaves (PCNetSpec) <firstname.lastname@example.org> sub 2048R/65814265 2013-05-02
Now you can verify the ISO image against the GPG signature file, by running:
gpg --verify Peppermint-7-20161201-amd64.iso.sig Peppermint-7-20161201-amd64.iso
(remember to change the above file names if you’re checking a different version of Peppermint against its corresponding signature file)
The output will be similar to:-
gpg: Signature made Thu 23 Jun 2016 13:35:13 BST using RSA key ID AECF1D2F gpg: Good signature from "Mark Greaves (PCNetSpec) <email@example.com>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 4A9F 9066 13AF ABED CFA3 92C2 E499 FD0B AECF 1D2F
and contain the line:-
gpg: Good signature from "Mark Greaves (PCNetSpec) <firstname.lastname@example.org>"
If it contains that line the ISO has been verified as intact and unaltered.
If it doesn’t contain that line, or instead states “BAD signature”, the ISO image is corrupt and should be discarded.
You can verify the AECF1D2F key does indeed belong to a Peppermint developer by going to the Peppermint team members page on Launchpad and clicking on Mark-pcnetspec where you should see the key listed under OpenPGP keys.
A graphical method for verifying the signatures in Linux would be to install the gpa package.
sudo apt-get install gpa
The GNU Privacy Assistant (GPA) is a graphical user interface for the GNU Privacy Guard (GnuPG). It can be used to encrypt, decrypt, and sign files, to verify signatures and to manage the private and public keys.
Windows users can download and install GPG (Gpg4win) from here:
Then substitute “gpg” with “C:\Program Files\Gnu\GnuPg\gpg.exe” in the four commands above.
GPG signature files