Page 1 of 4

Signed iso files

Posted: Fri Mar 18, 2016 4:53 pm
by anticapitalista
All released ISOs of MX-15, antiX-15.1 and the monthly snapshots have been signed to give users an extra level of security; see the the Wiki article for MX-15 for details on how to use.

The dev team strongly advises users to verify that the downloaded iso file is authentic.

Re: Signed iso files

Posted: Fri Mar 18, 2016 5:49 pm
by lucky9
Is it necessary to redownload if ISOs were downloaded on day they were released? Excluding the snapshot/s that is.

Re: Signed iso files

Posted: Fri Mar 18, 2016 5:54 pm
by Adrian
lucky9 wrote:Is it necessary to redownload if ISOs were downloaded on day they were released? Excluding the snapshot/s that is.
No, you can download only the .sig file(s) and check the validity of the .iso files if you still have them somewhere on your computer. If you already installed the .iso and deleted it you don't need to worry, we haven't had our servers hacked, this is just future-proofing and providing additional security from now on.

Re: Signed iso files

Posted: Fri Mar 18, 2016 5:56 pm
by anticapitalista
I'll re-phrase the initial post to make it clearer.

Re: Signed iso files

Posted: Sat Mar 19, 2016 4:45 pm
by Stevo
I've also sent up a .sig file for the latest KDE respin, and am trying an update of the CD-size "Core" MX 15-32.

The wiki now has my keyfile added: http://www.mepiscommunity.org/wiki/syst ... iles#MX-15

Re: Signed iso files

Posted: Mon Mar 21, 2016 7:46 am
by eugen-b
Maybe post the commands in short form on the Sourceforge page. Who will read the wiki before downloading? And consider the positive effect on those who visit the Sourceforge account when they see that antiX and MX use signatures for the ISOs.

Re: Signed iso files

Posted: Mon Mar 21, 2016 8:22 am
by Jerry3904
Good thought, something like:
These ISOs are signed for extra security. Details in the Wiki

Re: Signed iso files

Posted: Mon Mar 21, 2016 3:01 pm
by Stevo
Does anyone know how to verify the sigs in other operating systems? Do Ubuntu or Peppermint provide anything along that line?

And I updated the 700 MiB "Core" MX 15-32. I had to remove Asunder and MTPaint in order to keep the size under the limit. It's now in the repo with the other respin, with a .sig file, and the wiki is updated.

Re: Signed iso files

Posted: Mon Mar 21, 2016 3:06 pm
by anticapitalista

Re: Signed iso files

Posted: Mon Mar 21, 2016 3:56 pm
by Adrian
I see some people sign the md5sums and some people sign the ISOs, from what I understand the advantage of signing the md5sums is that it's a quick operation to sign a one line text file, while it takes a long time to sign a ISO, but if you sign the ISO if you verify the signature you don't need to verify the md5sum too, am I right? (It's still good to provide md5sums because some people don't bother to verify signatures)