Budgie ISO corrupted?

ptodd

Hi, I'm a noob to linux. Upon trying to verify the Budgie ISO against the checksum text, it came back as invalid.
Did I do it wrong or is this actually the case?

brent

ptodd I got the new Budgie ISO a few days ago and it took me 3 times to do the hash thing (I forgot to cd, etc) to get the number right. It's on DVD and I use to tinker with my laptop.
I would just try again.
It will be fine. Welcome to Solus.

stocc

ptodd Which checksum text are you referring to? The Hash link on the Budgie download page is the file you need to check against Budgie ISO with sha256sum. The Budgie ISO sha256sum is valid for me.

ptodd

brent Thankyou

ptodd

stocc Thankyou

ptodd

From the downloads page, in the Budgie section, I import the solus public key.
Then I click to download the hash and it opens a new tab in my browser with the following:

3f20e28f91cc1d56b3ae5da8c43cc859240ca74167a7e1e57bbaca135c8f13a1 Solus-Budgie-Release-2025-11-29.iso

So I save that in the same dir as the ISO and public key as a text file then delete the .txt part of the filename. It is still a text file.

Then, to verify the signed checksum file, I run the following from the installation instructions on the solus website:

gpg --verify Solus-Budgie-Release-2025-11-29.iso.sha256sum.sign Solus-Budgie-Release-2025-11-29.iso.sha256sum

That results in the following:

Signature made Sat 29 Nov 2025 00:48:48 GMT
gpg: using RSA key F5F6685CAF5559771D9CCB92618EB3600BD32D59
gpg: Good signature from "Solus (Release & Engineering) releng@getsol.us" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F5F6 685C AF55 5977 1D9C CB92 618E B360 0BD3 2D59

Is that what it's supposed to say?

Staudey

ptodd So I save that in the same dir as the ISO and public key as a text file then delete the .txt part of the filename. It is still a text file.

What do you mean by that? Why do you have a .txt file extension in the first place? You should be able to simply right-click and "Save page as..." (or "Save link as..." from the Downloads page directly) and it will automatically have the correct .sha256sum extension.

ptodd

I am now getting a result of OK when I run the last line of code to verify the ISO checksum. Previously I didn't get that result. Can't remember what result I previously got, but it wasn't 'OK'.

So I'm guessing that that's the result I want to see that confirms the ISO is good to use?

I had also previously used the ISO verification tool on Linux Mint, but when I tried to verify the SHA256 sums file with the GPG signed file I got the following result:

INTEGRITY CHECK FAILED
The SHA256 sum of the ISO image is incorrect.

ptodd

Staudey Ah, I was left clicking. I'm a predominantly left-click oriented user. I see what you are saying about automatically having the correct extension. Thankyou.

Staudey

The process should look something like this:


> gpg --import solus-releng-pub.gpg                         
gpg: key 618EB3600BD32D59: public key "Solus (Release & Engineering) <releng@getsol.us>" imported
gpg: Total number processed: 1
gpg:               imported: 1

> gpg --verify Solus-Budgie-Release-2025-11-29.iso.sha256sum.sign Solus-Budgie-Release-2025-11-29.iso.sha256sum
gpg: Signature made Sat 29 Nov 2025 01:48:48 CET
gpg:                using RSA key F5F6685CAF5559771D9CCB92618EB3600BD32D59
gpg: Good signature from "Solus (Release & Engineering) <releng@getsol.us>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F5F6 685C AF55 5977 1D9C  CB92 618E B360 0BD3 2D59


> sha256sum -c Solus-Budgie-Release-2025-11-29.iso.sha256sum | grep OK
Solus-Budgie-Release-2025-11-29.iso: OK

And yes, the OK at the end means that the ISO conforms to the checksum

ptodd

Staudey Why would there be a warning if everything's ok though? The words of the warning are very off-putting. In my mind, there would be no such warning if everything's ok and safe to proceed.

alfisya

https://help.getsol.us/docs/user/quick-start/installation/#verifying-the-iso

brent

ptodd there would be no such warning

traditionally, as counter-intuitive as this seems, every distro I ever used had a line or two of warning messages in the output of some apps that were benign [perhaps exact conditions weren't meant but all else was ok?].

Even if an operation was a complete success you may see it on occasion.

When I just came aboard to Linux I was off-put, too. I would stress about it. It's not a Solus thing by any stretch of the imagination.

A linux thing you just get used to is how I see it-
two cents

Harvey

It is a warning not an error. The warning is because although the sha + signature are in agreement a third party hasn't verified that the signature is genuine. Which is just another layer of trust which costs money and doesn't really add value IMO. The ISO is fine.