Signed ISO files

As of the antiX-15.1 release (March 16, 2016), the downloadable antiX Main and antiX MX ISO files are signed by the appropriate lead developer. MX snapshots and remasters are now signed as well. The antiX and MX developers strongly advise users to verify the authenticity of the ISO files by following the steps below.

ISO Signature Verification

The MX Linux and antiX ISO files are signed by their respective lead developers.

The following public signing keys are used to sign the corresponding ISOs:

* Xfce and Xfce-AHS (Advanced Hardware Support)
long key ID: 9B68A1E8B9B6375C “Dolphin Oracle (mx linux) <[email protected]>”
fingerprint: F62EDEAA3AE70A9C99DAC4189B68A1E8B9B6375C

* KDE and monthly snapshots
long key ID: 70938C780679EE98 “Adrian <[email protected]>”
fingerprint: F27753A18E92E3937E6335E770938C780679EE98

* KDE older version
long key ID: 13C74A22892C32F1 “Steven K Pusser <[email protected]>”
fingerprint: 09DA59435EF8C739C8ED615613C74A22892C32F1

* Fluxbox
long key ID: 409C71B3BCFDED0A “Michael Pavletich <[email protected]>”
fingerprint: 4EB6BDCFC6CA16AE8C3471C2409C71B3BCFDED0A
sub-sig-key: F56C15AA352A5C50A8391BA1E90429470A677B96

* antiX
long key ID: A80582E000067FDD “anticapitalista (change of address) <[email protected]>”
fingerprint: 30AA418A0C723D937B50A986A80582E000067FDD

As of October 2021, the public signing keys are available on the OpenPGP keyserver keys.openpgp.org.

To verify the signature of an ISO, the corresponding public signing key must first be fetched manually from the keyserver.

Recommended keyserver to use: keys.openpgp.org

Alternative keyservers: pgpkeys.eu, keyserver.ubuntu.com

For example, to receive all public signing keys used for MX and antiX ISOs, run this command in a terminal:

gpg --no-default-keyring --keyring gnupg-ring:trustedkeys.gpg --keyserver hkps://keys.openpgp.org  --recv-keys 409C71B3BCFDED0A 70938C780679EE98 9B68A1E8B9B6375C 13C74A22892C32F1 A80582E000067FDD

Successful receipt of the keys will be shown on the screen:

gpg: key A80582E000067FDD: public key "anticapitalista (change of address) <[email protected]>" imported
gpg: key 13C74A22892C32F1: public key "Steven K Pusser <[email protected]>" imported
gpg: key 9B68A1E8B9B6375C: public key "Dolphin Oracle (mxlinux) <[email protected]>" imported
gpg: key 70938C780679EE98: public key "Adrian <[email protected]>" imported
gpg: key 409C71B3BCFDED0A: public key "Michael Pavletich <[email protected]>" imported
gpg: Total number processed: 5
gpg:               imported: 5


To perform signature verification of the ISO:

Download both the ISO file and the signature file into the same folder.
Open terminal within this folder.

Example:
iso-file: MX-21.1_x64.iso
sig-file: MX-21.1_x64.iso.sig

Run GnuPG’s signature verification tool gpgv to verify the ISO signature:

gpgv --keyring trustedkeys.gpg  MX-21.1_x64.iso.sig MX-21.1_x64.iso

which would display this text on the screen:

gpgv: Signature made Fri Apr 8 18:35:35 2022 EDT
gpgv: using RSA key F62EDEAA3AE70A9C99DAC4189B68A1E8B9B6375C
gpgv: Good signature from "Dolphin Oracle (mxlinux) <[email protected]>"

The signature timestamp is displayed in the local time zone of the system.
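
gpgv reports a good signature for any key that is present in the keyring, so the remaining check is that the signing key is the one listed above for the edition being verified. The following is an added example, not part of the original wiki page or of any MX/antiX tool: it reads gpgv's machine-readable `--status-fd` output and accepts only a VALIDSIG line whose last field (the primary key fingerprint) matches the list on this page. The edition labels and function names are hypothetical.

```shell
#!/bin/sh
# Added example: pin the expected primary-key fingerprint per ISO edition.
# Edition labels (xfce, kde, ...) are made up here; fingerprints are the
# ones listed on this page.
expected_fpr() {
    case "$1" in
        xfce)    echo F62EDEAA3AE70A9C99DAC4189B68A1E8B9B6375C ;;
        kde)     echo F27753A18E92E3937E6335E770938C780679EE98 ;;
        kde-old) echo 09DA59435EF8C739C8ED615613C74A22892C32F1 ;;
        fluxbox) echo 4EB6BDCFC6CA16AE8C3471C2409C71B3BCFDED0A ;;
        antix)   echo 30AA418A0C723D937B50A986A80582E000067FDD ;;
        *)       return 1 ;;
    esac
}

# Reads "gpgv --status-fd" output on stdin. Succeeds only if a VALIDSIG line
# names the expected primary key and no failure status was reported.
# The last VALIDSIG field is the primary key fingerprint, so a signature made
# by a signing subkey (as with the Fluxbox key) is still matched correctly.
check_status() {
    want=$(expected_fpr "$1") || { echo "unknown edition: $1" >&2; return 2; }
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        $2 == "VALIDSIG" && $NF == want { ok = 1 }
        $2 == "VALIDSIG" && $NF != want { bad = 1 }
        END { exit !(ok && !bad) }
    '
}

# usage: verify_iso <edition> <iso-file> <sig-file>
verify_iso() {
    gpgv --keyring trustedkeys.gpg --status-fd 1 "$3" "$2" 2>/dev/null |
        check_status "$1"
}

# Example call:
#   verify_iso xfce MX-21.1_x64.iso MX-21.1_x64.iso.sig && echo "verified"
```

A non-zero exit status means the ISO was not signed by the key expected for that edition, even if the plain gpgv output contains "Good signature".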

v. 20220408

16 thoughts on “Signed ISO files”

  1. can this signature be trusted:
    [email protected]:/media/demo/E2B/_ISO/MAINMENU
    $ gpgv --keyring pubring.kbx MX-21_fluxbox_386.iso.sig MX-21_386.iso
    gpgv: Signature made čet 21 okt 2021 10:43:33 CEST
    gpgv: using RSA key F56C15AA352A5C50A8391BA1E90429470A677B96
    gpgv: BAD signature from “Michael Pavletich “

    Reply
  2. I get the following return when I check the signature:

    Savid-MS-7817:~/Downloads/mx linux 2$ gpgv --keyring pubring.kbx MX-21_x64.iso.sig MX-21_x64.iso
    gpgv: can’t allocate lock for ‘/home/david/.gnupg/pubring.kbx’
    gpgv: Signature made Wed 20 Oct 2021 01:11:11 SAST
    gpgv: using RSA key F62EDEAA3AE70A9C99DAC4189B68A1E8B9B6375C
    gpgv: Can’t check signature: No public key

    Reply
    • May need to modify the verification command to
      gpgv --keyring ~/.gnupg/pubring.gpg MX-21_x64.iso.sig MX-21_x64.iso
      to point to the gpg keyring unless your keyring is in the same folder as your iso and .sig.

      Reply
  3. run:
    gpg --keyserver hkps://keys.openpgp.org --recv-keys 409C71B3BCFDED0A 70938C780679EE98 9B68A1E8B9B6375C 13C74A22892C32F1 A80582E000067FDD

    Reply
  4. Hi!
    Is it possible to get a file verification method (say, sha256sum), of the MX-21_Workbench_x64.iso I am presently downloading from Sourceforge? Send it via email if necessary.

    Thanks a bunch!

    Reply
  5. Maybe it will not help you this time, but I had the same issue, and this can help someone else. There was just no file “pubring.kbx” in my “~/pnupg” folder. I used “pubring.gpg” instead, and that worked great, like this:

    gpgv --keyring pubring.gpg MX-21_x64.iso.sig MX-21_x64.iso

    Another problem I faced somewhat earlier was that I couldn’t receive the “MX-21_x64.iso.sig” file from the terminal. I don’t know how it should be, but after this:

    gpg --keyserver hkps://keys.openpgp.org --recv-keys 409C71B3BCFDED0A 70938C780679EE98 9B68A1E8B9B6375C 13C74A22892C32F1 A80582E000067FDD

    “MX-21_x64.iso.sig” didn’t appear anywhere. I took it from the mirror here: https://mxlinux.org/wiki/system/iso-download-mirrors/

    Reply
  6. When I go to retrieve the keys by copying and pasting the command line code into the terminal:

    gpg --keyserver hkps://keys.openpgp.org --recv-keys 409C71B3BCFDED0A 70938C780679EE98 9B68A1E8B9B6375C 13C74A22892C32F1 A80582E000067FDD

    It returns a message saying, ‘gpg: keyserver receive failed: General error’
    I also tried the alternative keyservers: pgpkeys.eu, keyserver.ubuntu.com but received the same message.

    Reply
      • This is what I get when I tried today.

        gpg --no-default-keyring --keyring gnupg-ring:trustedkeys.gpg --keyserver hkps://keys.openpgp.org --recv-keys 409C71B3BCFDED0A 70938C780679EE98 9B68A1E8B9B6375C 13C74A22892C32F1 A80582E000067FDD
        gpg: keyring ‘/home/user1/.gnupg/trustedkeys.gpg’ created
        gpg: keyserver receive failed: General error

        Last time I tried it didn’t show the first line:
        gpg: keyring ‘/home/user1/.gnupg/trustedkeys.gpg’ created

        But still unable to receive keys.

        Reply
    • In most cases an error like ‘gpg: keyserver receive failed: General error’ is related to server certificate issues due to the secure https protocol being used.
      Instead of hkps://keys.openpgp.org, you can fetch the keys
      through http this way from pgpkeys.eu or Ubuntu’s keyserver:
      hkp://pgpkeys.eu
      or
      hkp://keyserver.ubuntu.com
      Thanks
      fehlix

      Reply
      • It comes up with ‘gpg: no ultimately trusted keys found’ from trying the keyserver hkp://pgpkeys.eu

        $ gpg --no-default-keyring --keyring gnupg-ring:trustedkeys.gpg --keyserver hkp://pgpkeys.eu --recv-keys 409C71B3BCFDED0A 70938C780679EE98 9B68A1E8B9B6375C 13C74A22892C32F1 A80582E000067FDD
        gpg: key A80582E000067FDD: 2 duplicate signatures removed
        gpg: key A80582E000067FDD: public key “anticapitalista (change of address) ” imported
        gpg: key 13C74A22892C32F1: 1 duplicate signature removed
        gpg: key 13C74A22892C32F1: 1 signature not checked due to a missing key
        gpg: key 13C74A22892C32F1: public key “Steven K Pusser ” imported
        gpg: key 9B68A1E8B9B6375C: 1 signature not checked due to a missing key
        gpg: key 9B68A1E8B9B6375C: public key “Dolphin Oracle (mxlinux) ” imported
        gpg: key 70938C780679EE98: 3 duplicate signatures removed
        gpg: key 70938C780679EE98: public key “Adrian ” imported
        gpg: key 409C71B3BCFDED0A: public key “Michael Pavletich ” imported
        gpg: no ultimately trusted keys found
        gpg: Total number processed: 5
        gpg: imported: 5

        Reply
      • And when I tried the keyserver for hkp://keyserver.ubuntu.com it comes up with most of the same suspect comments such as ‘duplicate signature removed’ and ‘signature not checked due to a missing key’.

        $ gpg --no-default-keyring --keyring gnupg-ring:trustedkeys.gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 409C71B3BCFDED0A 70938C780679EE98 9B68A1E8B9B6375C 13C74A22892C32F1 A80582E000067FDD
        gpg: key A80582E000067FDD: 2 duplicate signatures removed
        gpg: key A80582E000067FDD: “anticapitalista (change of address) ” not changed
        gpg: key 13C74A22892C32F1: 1 duplicate signature removed
        gpg: key 13C74A22892C32F1: 1 signature not checked due to a missing key
        gpg: key 13C74A22892C32F1: “Steven K Pusser ” not changed
        gpg: key 9B68A1E8B9B6375C: 1 signature not checked due to a missing key
        gpg: key 9B68A1E8B9B6375C: “Dolphin Oracle (mxlinux) ” not changed
        gpg: key 70938C780679EE98: 3 duplicate signatures removed
        gpg: key 70938C780679EE98: “Adrian ” not changed
        gpg: key 409C71B3BCFDED0A: “Michael Pavletich ” not changed
        gpg: Total number processed: 5
        gpg: unchanged: 5

        Reply
