English
Chinese (Simplified)
Dutch
French
German
Italian
Polish
Portuguese
Russian
SpanishAs of the antiX-15.1 release (March 16, 2016), both antiX Main and antiX MX iso files to be downloaded have been signed by the appropriate lead dev. Also, MX snapshots and remasters are now signed. antiX and MX devs strongly advise users to verify the iso files for authenticity by following the steps below.
ISO Signature Verification
The MX-Linux and antiX ISO-files are signed by respective lead developers.
The following public signing keys are used to sign corresponding ISO’s:
* Xfce and Xfce-AHS (Advanced Hardware Support)
long key ID: 9B68A1E8B9B6375C: “Dolphin Oracle (mx linux) <[email protected]>”
fingerprint: F62EDEAA3AE70A9C99DAC4189B68A1E8B9B6375C
* KDE and monthly snapshots
long key ID: 70938C780679EE98: “Adrian <[email protected]>”
fingerprint: F27753A18E92E3937E6335E770938C780679EE98
* KDE older version
long key ID: 13C74A22892C32F1 “Steven K Pusser <[email protected]>”
fingerprint: 09DA59435EF8C739C8ED615613C74A22892C32F1
* Fluxbox
long key ID: 409C71B3BCFDED0A “Michael Pavletich <[email protected]>”
fingerprint: 4EB6BDCFC6CA16AE8C3471C2409C71B3BCFDED0A
sub-sig-key: F56C15AA352A5C50A8391BA1E90429470A677B96
* antiX
long key ID: A80582E000067FDD “anticapitalista (change of address) <[email protected]>”
finderprint: 30AA418A0C723D937B50A986A80582E000067FDD
As of October, 2021 the public signing keys have been made available at OpenPGP keyserver keys.openpgp.org.
To perform signature verification of the ISO’s the corresponding public signing key has to be manually received from the keyserver.
Recommended keyserver to use: keys.openpgp.org
Alternative keyserver: pgpkeys.eu, keyserver.ubuntu.com
Example to receive all public signing keys used for MX and antiX ISO’s run this command within a terminal:
gpg --no-default-keyring --keyring gnupg-ring:trustedkeys.gpg --keyserver hkps://keys.openpgp.org --recv-keys 409C71B3BCFDED0A 70938C780679EE98 9B68A1E8B9B6375C 13C74A22892C32F1 A80582E000067FDDSucccess of receiving the keys will be shown on the screen:
gpg: key A80582E000067FDD: public key "anticapitalista (change of address) <[email protected]>" imported
gpg: key 13C74A22892C32F1: public key "Steven K Pusser <[email protected]>" imported
gpg: key 9B68A1E8B9B6375C: public key "Dolphin Oracle (mxlinux) <[email protected]>" imported
gpg: key 70938C780679EE98: public key "Adrian <[email protected]>" imported
gpg: key 409C71B3BCFDED0A: public key "Michael Pavletich <[email protected]>" imported
gpg: Total number processed: 5
gpg: imported: 5
To perform signature verification of the ISO:
Download both the ISO file and the signature file into the same folder.
Open terminal within this folder.
Example:
iso-file: MX-21.1_x64.iso
sig-file: MX-21.1_x64.iso.sig
Run GnuPG’s signature verification tool gpgv to verify iso-signature
gpgv --keyring trustedkeys.gpg MX-21.1_x64.iso.sig MX-21.1_x64.isowhich would display this text on the screen:
gpgv: Signature made Fri Apr 8 18:35:35 2022 EDT
gpgv: using RSA key F62EDEAA3AE70A9C99DAC4189B68A1E8B9B6375C
gpgv: Good signature from “Dolphin Oracle (mxlinux) <[email protected]>”
The displayed signature timestamp will be shown within the local timezone of the system.
v. 20220408
16 thoughts on “Signed ISO files”
Got it, thanks.
can this signature be trusted:
[email protected]:/media/demo/E2B/_ISO/MAINMENU
$ gpgv –keyring pubring.kbx MX-21_fluxbox_386.iso.sig MX-21_386.iso
gpgv: Signature made čet 21 okt 2021 10:43:33 CEST
gpgv: using RSA key F56C15AA352A5C50A8391BA1E90429470A677B96
gpgv: BAD signature from “Michael Pavletich “
I get the following return when I check the signature:
Savid-MS-7817:~/Downloads/mx linux 2$ gpgv –keyring pubring.kbx MX-21_x64.iso.sig MX-21_x64.iso
gpgv: can’t allocate lock for ‘/home/david/.gnupg/pubring.kbx’
gpgv: Signature made Wed 20 Oct 2021 01:11:11 SAST
gpgv: using RSA key F62EDEAA3AE70A9C99DAC4189B68A1E8B9B6375C
gpgv: Can’t check signature: No public key
May need to modify the verification command to
gpgv –keyring ~/.gnupg/pubring.gpg MX-21_x64.iso.sig MX-21_x64.iso
to point to the gpg keyring unless your keyring is in the same folder as your iso and .sig.
run:
gpg –keyserver hkps://keys.openpgp.org –recv-keys 409C71B3BCFDED0A 70938C780679EE98 9B68A1E8B9B6375C 13C74A22892C32F1 A80582E000067FDD
Hi!
Is it possible to get a file verification method (say, sha256sum), of the MX-21_Workbench_x64.iso I am presently downloading from Sourceforge? Send it via email if necessary.
Thanks a bunch!
May be it will not help you this time, but I had same issue, and that can help someone else. There was just not a file “pubring.kbx” in my “~/pnupg” folder. I used “pubring.gpg” instead, and that worked great in a way like this:
gpgv –keyring pubring.gpg MX-21_x64.iso.sig MX-21_x64.iso
Another problem I faced some earlier was that I couldn’t receive “MX-21_x64.iso.sig” file from terminal. I don’t know how should it be, but after this:
gpg –keyserver hkps://keys.openpgp.org –recv-keys 409C71B3BCFDED0A 70938C780679EE98 9B68A1E8B9B6375C 13C74A22892C32F1 A80582E000067FDD
“MX-21_x64.iso.sig” didn’t appear anywhere. I took it from the mirror here: https://mxlinux.org/wiki/system/iso-download-mirrors/
That shoul have beed a reply to Savid, December 24, 2021 at 8:34 PM, but something went wrong. I hope he well allready done.
I’ve done a typo, sorry. There was just not a file “pubring.kbx” in my “~/.gnupg” folder, of course.
When I go to retrieve the keys by copying and pasting the command line code into terminal:
gpg –keyserver hkps://keys.openpgp.org –recv-keys 409C71B3BCFDED0A 70938C780679EE98 9B68A1E8B9B6375C 13C74A22892C32F1 A80582E000067FDD
It returns a message saying, ‘gpg: keyserver receive failed: General error’
I also tried the slternative keysevers: pgpkeys.eu, keyserver.ubuntu.com but received the same message.
That works here for me now, so looks like it was something temporary.
This is what I get when I tried today.
gpg –no-default-keyring –keyring gnupg-ring:trustedkeys.gpg –keyserver hkps://keys.openpgp.org –recv-keys 409C71B3BCFDED0A 70938C780679EE98 9B68A1E8B9B6375C 13C74A22892C32F1 A80582E000067FDD
gpg: keyring ‘/home/user1/.gnupg/trustedkeys.gpg’ created
gpg: keyserver receive failed: General error
Last time I tried it didn’t show the first line:
gpg: keyring ‘/home/user1/.gnupg/trustedkeys.gpg’ created
But still unable to receive keys.
In most cases such an error like ‘gpg: keyserver receive failed: General error’ is related to server certificate issues due to the used secure https protocol.
Instead of hkps://keys.openpgp.org, you can fetch the keys
the through http this way from pgpkeys.eu or ubuntu’s keyserver:
hkp://pgpkeys.eu
or
hkp://keyserver.ubuntu.com
Thanks
fehlix
It comes up with ‘gpg: no ultimately trusted keys found’ from trying the keysever hkp://pgpkeys.eu
$ gpg –no-default-keyring –keyring gnupg-ring:trustedkeys.gpg –keyserver hkp://pgpkeys.eu –recv-keys 409C71B3BCFDED0A 70938C780679EE98 9B68A1E8B9B6375C 13C74A22892C32F1 A80582E000067FDD
gpg: key A80582E000067FDD: 2 duplicate signatures removed
gpg: key A80582E000067FDD: public key “anticapitalista (change of address) ” imported
gpg: key 13C74A22892C32F1: 1 duplicate signature removed
gpg: key 13C74A22892C32F1: 1 signature not checked due to a missing key
gpg: key 13C74A22892C32F1: public key “Steven K Pusser ” imported
gpg: key 9B68A1E8B9B6375C: 1 signature not checked due to a missing key
gpg: key 9B68A1E8B9B6375C: public key “Dolphin Oracle (mxlinux) ” imported
gpg: key 70938C780679EE98: 3 duplicate signatures removed
gpg: key 70938C780679EE98: public key “Adrian ” imported
gpg: key 409C71B3BCFDED0A: public key “Michael Pavletich ” imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 5
gpg: imported: 5
And when I tried the keyserver for hkp://keyserver.ubuntu.com it comes up with most of the same suspect comments such as ‘duplicate signature removed’ and ‘signature not checked due to a missing key’.
$ gpg –no-default-keyring –keyring gnupg-ring:trustedkeys.gpg –keyserver hkp://keyserver.ubuntu.com –recv-keys 409C71B3BCFDED0A 70938C780679EE98 9B68A1E8B9B6375C 13C74A22892C32F1 A80582E000067FDD
gpg: key A80582E000067FDD: 2 duplicate signatures removed
gpg: key A80582E000067FDD: “anticapitalista (change of address) ” not changed
gpg: key 13C74A22892C32F1: 1 duplicate signature removed
gpg: key 13C74A22892C32F1: 1 signature not checked due to a missing key
gpg: key 13C74A22892C32F1: “Steven K Pusser ” not changed
gpg: key 9B68A1E8B9B6375C: 1 signature not checked due to a missing key
gpg: key 9B68A1E8B9B6375C: “Dolphin Oracle (mxlinux) ” not changed
gpg: key 70938C780679EE98: 3 duplicate signatures removed
gpg: key 70938C780679EE98: “Adrian ” not changed
gpg: key 409C71B3BCFDED0A: “Michael Pavletich ” not changed
gpg: Total number processed: 5
gpg: unchanged: 5
The Wiki is for information, not support; please >> forum.mxlinux.org and post your problem there.