Wiki Table of Contents

Signed ISO files

As of the antiX-15.1 release (March 16, 2016), both antiX Main and antiX MX iso files to be downloaded have been signed by the appropriate lead dev. Also, MX snapshots and remasters are now signed. antiX and MX devs strongly advise users to verify the iso files for authenticity by following the steps below.

ISO Signature Verification

The MX-Linux and antiX ISO-files are signed by respective lead developers.

The following public signing keys are used to sign corresponding ISO’s:

* Xfce and Xfce-AHS (Advanced Hardware Support)
long key ID: 9B68A1E8B9B6375C: “Dolphin Oracle (mx linux) <[email protected]>”
fingerprint: F62EDEAA3AE70A9C99DAC4189B68A1E8B9B6375C

* KDE and monthly snapshots
long key ID: 70938C780679EE98: “Adrian <[email protected]>”
fingerprint: F27753A18E92E3937E6335E770938C780679EE98

* KDE older version
long key ID: 13C74A22892C32F1 “Steven K Pusser <[email protected]>”
fingerprint: 09DA59435EF8C739C8ED615613C74A22892C32F1

* Fluxbox
long key ID: 409C71B3BCFDED0A “Michael Pavletich <[email protected]>”
fingerprint: 4EB6BDCFC6CA16AE8C3471C2409C71B3BCFDED0A
sub-sig-key: F56C15AA352A5C50A8391BA1E90429470A677B96

* antiX
long key ID: A80582E000067FDD “anticapitalista (change of address) <[email protected]>”
finderprint: 30AA418A0C723D937B50A986A80582E000067FDD

As of October, 2021 the public signing keys have been made available at OpenPGP keyserver keys.openpgp.org.

To perform signature verification of the ISO’s the corresponding public signing key has to be manually received from the keyserver.

Recommended keyserver to use: keys.openpgp.org

Alternative keyserver: pgpkeys.eu, keyserver.ubuntu.com

Example to receive all public signing keys used for MX and antiX ISO’s run this command within a terminal:

gpg --keyserver hkps://keys.openpgp.org --recv-keys 409C71B3BCFDED0A 70938C780679EE98 9B68A1E8B9B6375C 13C74A22892C32F1 A80582E000067FDD

Succcess of receiving the keys will be shown on the screen:

gpg: key A80582E000067FDD: public key "anticapitalista (change of address) <[email protected]>" imported
gpg: key 13C74A22892C32F1: public key "Steven K Pusser <[email protected]>" imported
gpg: key 9B68A1E8B9B6375C: public key "Dolphin Oracle (mxlinux) <[email protected]>" imported
gpg: key 70938C780679EE98: public key "Adrian <[email protected]>" imported
gpg: key 409C71B3BCFDED0A: public key "Michael Pavletich <[email protected]>" imported
gpg: Total number processed: 5
gpg:               imported: 5


To perform signature verification of the ISO:

Download both the ISO file and the signature file into the same folder.
Open terminal within this folder.

Example:
iso-file: MX-21_x64.iso
sig-file: MX-21_x64.iso.sig

Run GnuPG’s signature verification tool gpgv to verify iso-signature

gpgv --keyring pubring.kbx MX-21_x64.iso.sig MX-21_x64.iso

which would display this text on the screen:

gpgv: Signature made Tue Oct 19 19:11:11 2021 EDT
gpgv: using RSA key F62EDEAA3AE70A9C99DAC4189B68A1E8B9B6375C
gpgv: Good signature from “Dolphin Oracle (mxlinux) <[email protected]>”

The displayed signature timestamp will be shown within the local timezone of the system.

v. 20211021

4 thoughts on “Signed ISO files”

  1. can this signature be trusted:
    [email protected]:/media/demo/E2B/_ISO/MAINMENU
    $ gpgv –keyring pubring.kbx MX-21_fluxbox_386.iso.sig MX-21_386.iso
    gpgv: Signature made čet 21 okt 2021 10:43:33 CEST
    gpgv: using RSA key F56C15AA352A5C50A8391BA1E90429470A677B96
    gpgv: BAD signature from “Michael Pavletich “

    Reply
  2. I get the following return when I check the signature:

    Savid-MS-7817:~/Downloads/mx linux 2$ gpgv –keyring pubring.kbx MX-21_x64.iso.sig MX-21_x64.iso
    gpgv: can’t allocate lock for ‘/home/david/.gnupg/pubring.kbx’
    gpgv: Signature made Wed 20 Oct 2021 01:11:11 SAST
    gpgv: using RSA key F62EDEAA3AE70A9C99DAC4189B68A1E8B9B6375C
    gpgv: Can’t check signature: No public key

    Reply
  3. run:
    gpg –keyserver hkps://keys.openpgp.org –recv-keys 409C71B3BCFDED0A 70938C780679EE98 9B68A1E8B9B6375C 13C74A22892C32F1 A80582E000067FDD

    Reply

Leave a Comment

MX Linux