As of the antiX-15.1 release (March 16, 2016), both the antiX Main and antiX MX ISO files available for download are signed by the appropriate lead dev. MX snapshots and remasters are now signed as well. antiX and MX devs strongly advise users to verify the authenticity of the ISO files by following the steps below.
ISO Signature Verification
The MX-Linux and antiX ISO files are signed by their respective lead developers.
The following public signing keys are used for the corresponding ISOs:
* Xfce and Xfce-AHS (Advanced Hardware Support)
long key ID: 9B68A1E8B9B6375C: “Dolphin Oracle (mx linux) <[email protected]>”
fingerprint: F62EDEAA3AE70A9C99DAC4189B68A1E8B9B6375C
* KDE and monthly snapshots
long key ID: 70938C780679EE98: “Adrian <[email protected]>”
fingerprint: F27753A18E92E3937E6335E770938C780679EE98
* KDE older version
long key ID: 13C74A22892C32F1 “Steven K Pusser <[email protected]>”
fingerprint: 09DA59435EF8C739C8ED615613C74A22892C32F1
* Fluxbox
long key ID: 409C71B3BCFDED0A “Michael Pavletich <[email protected]>”
fingerprint: 4EB6BDCFC6CA16AE8C3471C2409C71B3BCFDED0A
sub-sig-key: F56C15AA352A5C50A8391BA1E90429470A677B96
* antiX
long key ID: A80582E000067FDD “anticapitalista (change of address) <[email protected]>”
fingerprint: 30AA418A0C723D937B50A986A80582E000067FDD
As of October, 2021 the public signing keys have been made available at OpenPGP keyserver keys.openpgp.org.
To verify an ISO's signature, the corresponding public signing key must first be retrieved manually from the keyserver.
Recommended keyserver to use: keys.openpgp.org
Alternative keyservers: pgpkeys.eu, keyserver.ubuntu.com
For example, to receive all public signing keys used for MX and antiX ISOs, run this command in a terminal:
gpg --no-default-keyring --keyring gnupg-ring:trustedkeys.gpg --keyserver hkps://keys.openpgp.org --recv-keys 409C71B3BCFDED0A 70938C780679EE98 9B68A1E8B9B6375C 13C74A22892C32F1 A80582E000067FDD
Success in receiving the keys will be shown on the screen:
gpg: key A80582E000067FDD: public key "anticapitalista (change of address) <[email protected]>" imported
gpg: key 13C74A22892C32F1: public key "Steven K Pusser <[email protected]>" imported
gpg: key 9B68A1E8B9B6375C: public key "Dolphin Oracle (mxlinux) <[email protected]>" imported
gpg: key 70938C780679EE98: public key "Adrian <[email protected]>" imported
gpg: key 409C71B3BCFDED0A: public key "Michael Pavletich <[email protected]>" imported
gpg: Total number processed: 5
gpg: imported: 5
To perform signature verification of the ISO:
Download both the ISO file and the signature file into the same folder.
Open terminal within this folder.
Example:
iso-file: MX-21.1_x64.iso
sig-file: MX-21.1_x64.iso.sig
Run GnuPG's signature verification tool gpgv to verify the ISO signature:
gpgv --keyring trustedkeys.gpg MX-21.1_x64.iso.sig MX-21.1_x64.iso
which would display this text on the screen:
gpgv: Signature made Fri Apr 8 18:35:35 2022 EDT
gpgv: using RSA key F62EDEAA3AE70A9C99DAC4189B68A1E8B9B6375C
gpgv: Good signature from "Dolphin Oracle (mxlinux) <[email protected]>"
The signature timestamp is displayed in the system's local timezone.
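The keys above are fetched by 64-bit key ID, and gpgv reports "Good signature" for any key present in trustedkeys.gpg, so a scripted check should also compare the signing key's full fingerprint with the list published on this page. The following is an added example, not part of the original page or of the MX/antiX tooling: it reads gpgv's machine-readable --status-fd output and accepts only a listed primary-key fingerprint. The function names and the sample status lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not MX/antiX code. Primary-key fingerprints from the list above.
TRUSTED_FPRS="F62EDEAA3AE70A9C99DAC4189B68A1E8B9B6375C
F27753A18E92E3937E6335E770938C780679EE98
09DA59435EF8C739C8ED615613C74A22892C32F1
4EB6BDCFC6CA16AE8C3471C2409C71B3BCFDED0A
30AA418A0C723D937B50A986A80582E000067FDD"

# Constructed sample status lines (dates and algorithm fields are made up).
# VALIDSIG layout: signing-key fingerprint first, primary-key fingerprint last.
SAMPLE_PRIMARY='[GNUPG:] VALIDSIG F62EDEAA3AE70A9C99DAC4189B68A1E8B9B6375C 2022-04-08 1649457335 0 4 0 1 8 00 F62EDEAA3AE70A9C99DAC4189B68A1E8B9B6375C'
SAMPLE_SUBKEY='[GNUPG:] VALIDSIG F56C15AA352A5C50A8391BA1E90429470A677B96 2022-04-08 1649457335 0 4 0 1 8 00 4EB6BDCFC6CA16AE8C3471C2409C71B3BCFDED0A'
SAMPLE_UNLISTED='[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2022-04-08 1649457335 0 4 0 1 8 00 0000000000000000000000000000000000000001'
SAMPLE_BAD='[GNUPG:] BADSIG 9B68A1E8B9B6375C Dolphin Oracle'

# check_status: read gpgv --status-fd output on stdin.
# Prints the primary-key fingerprint and returns 0 if it is in TRUSTED_FPRS;
# returns 1 when there is no VALIDSIG line, 2 when the key is not listed.
# A VALIDSIG line without the trailing primary fingerprint fails closed (2).
check_status() {
    fpr=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    if [ -z "$fpr" ]; then
        echo "no valid signature reported" >&2
        return 1
    fi
    for trusted in $TRUSTED_FPRS; do
        if [ "$fpr" = "$trusted" ]; then
            echo "$fpr"
            return 0
        fi
    done
    echo "good signature, but from unlisted key $fpr" >&2
    return 2
}

# verify_iso ISO: the gpgv call from this page plus the fingerprint check.
# Expects ISO.sig beside ISO and trustedkeys.gpg populated as described above.
verify_iso() {
    gpgv --keyring trustedkeys.gpg --status-fd 1 "$1.sig" "$1" 2>/dev/null |
        check_status
}
# Usage, after sourcing this file: verify_iso MX-21.1_x64.iso
```

Matching on the last VALIDSIG field means a signature made with the Fluxbox signing subkey is still resolved to its listed primary key.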
v. 20220408