Verify Trisquel Download

In order to make sure your download is not corrupt it is important to verify your downloaded .iso.
Note: To do this you must already have GPG installed on your computer.

Once you have downloaded your file as explained on the Download Trisquel page, you should also have received the option to download a .md5 and a .asc file.

To verify the MD5 -
1) Open the .md5 file and take note of the string of text you see.
2) Run the following in a terminal: md5sum trisquel_(editionhere).iso
3) The string should match.

New: MD5 hash has been depreciated in favor of SHA256, you may verify SHA256 as follows -
1) Navigate to: http://cdimage.trisquel.info/trisquel-images/sha256sum.txt and take note of the string for your appropriate .iso
2) Run the following in a terminal: sha256sum trisquel_(editionhere).iso
3) The SHA256 hash should match the one on the document.

Verify the GPG signature
1) Run: gpg --list-packets trisquel_(editionhere).iso.asc
2) You should get the following output:
:signature packet: algo 17, keyid B4EFB9F38D8AEBF1
version 4, created 1414953106, md5len 0, sigclass 0x00
digest algo 2, begin of digest 45 6c
hashed subpkt 2 len 4 (sig created 2014-11-02)
subpkt 16 len 8 (issuer key ID B4EFB9F38D8AEBF1)
data: [156 bits]
data: [158 bits]
3) You will notice the key ID is B4EFB9F38D8AEBF1.
This is Ruben's key (Trisquel's head developer). You may import it as follows:
gpg --keyserver keys.gnupg.net --recv-keys B4EFB9F38D8AEBF1

An alternative method is to download the trisquel-archive-signkey.gpg file and run: gpg --import trisquel-archive-signkey.gpg
This will allow you to import the key without having to connect to a keyserver. Useful for Tor users.

4) Run: gpg --verify trisquel_(editionhere).iso.asc trisquel_(editionhere).iso
You should see the following message:
gpg: Good signature from "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <name at domain>" [unknown]

Note: You may safely ignore the trust warning, if you would like to trust a GPG key you should meet in person to exchange keys, for example at LibrePlanet.

Once you know the hash checks and GPG are "good", you can be sure that your download has not been compromised or corrupted.

Tip: If downloading from torrent via Transmission-GTK you may use "Verify Local Data" to correct any corrupt data from a download.

Revisions

11/09/2014 - 01:55
G4JC
09/30/2015 - 16:41
GNUser