As of the antiX-15.1 release (March 16, 2016), the downloadable ISO files for both antiX Main and antiX MX are signed by the appropriate lead dev. MX snapshots and remasters are now signed as well. The antiX and MX devs strongly advise users to verify the authenticity of the ISO files by following the steps below.
MX-17 & Later
Carry out the following instructions as a regular user in a terminal opened in the folder where the downloaded ISO is located.
1. If you have not already downloaded the appropriate keys, copy/paste this command into a terminal as a regular user:
gpg --keyserver hkps://keys.gnupg.net --recv-keys B9B6375C 0679EE98 892C32F1
This will give you dolphin_oracle’s key for the official releases, Adrian’s key for the monthly updates, and Stevo’s for the KDE and core remasters. You will see a response that the keys are being requested and imported.
gpg: key 9B68A1E8B9B6375C: public key “Dolphin Oracle (mx linux) <[email protected]>” imported
gpg: key 70938C780679EE98: public key “Adrian <[email protected]>” imported
gpg: key 13C74A22892C32F1: public key “Steven Pusser <[email protected]>” imported
gpg: Total number processed: 3
gpg: imported: 3
2. Download the sig files to the same directory as the ISO file:
Official release: https://sourceforge.net/projects/mx-linux/files/Final/
Monthly updates and remasters: http://mxrepo.com/snapshots/
3. Then open a terminal as a regular user (F4) and enter this command (changing the ISO name as necessary to match your download):
gpg --verify MX-17_x64.iso.sig
You should see a response like this:
gpg: assuming signed data in ‘MX-17_x64.iso’
gpg: Signature made Thu 14 Dec 2017 06:28:58 PM EST
gpg: using RSA key F62EDEAA3AE70A9C99DAC4189B68A1E8B9B6375C
gpg: Good signature from “Dolphin Oracle (mxlinux) <[email protected]>”
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
…….
4. The warning in the last few lines is related to the trust that you put in the antiX/MX signing key. The ISO image is still correct, and valid according to the antiX/MX signing key that you downloaded. To remove this warning you would have to personally sign the antiX/MX signing key with your own key; see below.
antiX 15.1 and later
Steps:
1. Download the sig files to the same directory as the antiX-xxxx.iso file from here:
2. Import the antiX/MX key from a key server (4A0C4F9C is anticapitalista’s key ID):
gpg --keyserver hkps://keys.gnupg.net --recv-keys 4A0C4F9C
3. Check that the key has been imported:
gpg --list-keys
4. Verify the key:
gpg --fingerprint 4A0C4F9C
5. Verify the ISO image against the GPG signature file, for example:
gpg --verify antiX-15.1_386-full.iso.sig antiX-15.1_386-full.iso
A genuine ISO should show something like this:
gpg: Signature made Fri 26 Feb 2016 05:02:44 PM EST using RSA key ID 4A0C4F9C
gpg: Good signature from “anticapitalista <[email protected]>”
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 30AA 418A 0C72 3D93 7B50 A986 A805 82E0 0006 7FDD
Subkey fingerprint: 5ED5 0558 68D3 7498 593A 7E10 F626 26F8 4A0C 4F9C
6. If you see the following warning:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: ….
The warning in the last few lines is related to the trust that you put in the antiX/MX signing key. The ISO image is still correct, and valid according to the antiX/MX signing key that you downloaded. To remove this warning you would have to personally sign the antiX/MX signing key with your own key, see below.
MX-15 and later
Carry out the following instructions as a regular user in a terminal opened in the folder where the downloaded ISO is located.
1. If you have not already downloaded the appropriate keys, copy/paste this command into a terminal as a regular user:
gpg --keyserver hkp://keys.gnupg.net --recv-keys 4A0C4F9C 0679EE98 F09C5B1C
This will give you anticapitalista’s key for the official releases, Adrian’s key for the monthly updates, and Stevo’s for the KDE and core remasters. You will see a response that the keys are being requested and imported.
gpg: requesting key 4A0C4F9C from hkp server keys.gnupg.net
gpg: requesting key 0679EE98 from hkp server keys.gnupg.net
gpg: requesting key F09C5B1C from hkp server keys.gnupg.net
gpg: key 00067FDD: public key “anticapitalista <[email protected]>” imported
gpg: key 0679EE98: public key “Adrian <[email protected]>” imported
gpg: key F09C5B1C: public key “Steven Pusser (Stevo) <[email protected]>” imported
gpg: Total number processed: 3
gpg: imported: 3 (RSA: 3)
2. Download the sig files to the same directory as the ISO file:
Official release: https://sourceforge.net/projects/antix-linux/files/Final/MX-15/
Monthly updates and remasters: http://mxrepo.com/snapshots/
3. Then open a terminal as a regular user (F4) and enter this command (changing the ISO name as necessary to match your download):
gpg --verify MX-15_x64.iso.sig
You should see a response like this:
gpg: assuming signed data in `MX-15_x64.iso’
gpg: Signature made Fri 26 Feb 2016 05:02:44 PM EST using RSA key ID 4A0C4F9C
gpg: Good signature from “anticapitalista <[email protected]>”
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 30AA 418A 0C72 3D93 7B50 A986 A805 82E0 0006 7FDD
Subkey fingerprint: 5ED5 0558 68D3 7498 593A 7E10 F626 26F8 4A0C 4F9C
4. The warning in the last few lines is related to the trust that you put in the antiX/MX signing key. The ISO image is still correct, and valid according to the antiX/MX signing key that you downloaded. To remove this warning you would have to personally sign the antiX/MX signing key with your own key; see the next section.
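The warning in the procedures above says gpg has no indication that the key belongs to its claimed owner, and `gpg --verify` reports a good signature for any key in your keyring. The following added example (not part of the original page) reads gpg's machine-readable `--status-fd` output and accepts an ISO only when the signing key's fingerprint matches one printed in the outputs above; the function names and the sample status lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: accept an ISO only when the signature comes from a pinned key.
# Fingerprints below are the ones printed in the gpg output on this page.
MX17_FPR="F62EDEAA3AE70A9C99DAC4189B68A1E8B9B6375C"   # "using RSA key ..." (MX-17)
ANTIX_FPR="30AA418A0C723D937B50A986A80582E000067FDD"  # antiX primary key fingerprint

# check_status EXPECTED_FPR  (hypothetical helper name)
# Reads `gpg --status-fd 1 --verify ...` output on stdin. Succeeds only if a
# VALIDSIG line names EXPECTED_FPR as signing key ($3) or primary key ($12),
# and no bad/expired/revoked signature status was reported.
check_status() {
    awk -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && want != "" && (toupper($3) == want || toupper($12) == want) { ok = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_iso SIGFILE ISOFILE EXPECTED_FPR  (hypothetical helper name)
verify_iso() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}

# Constructed status lines (not captured from a real run) for offline testing.
sample_status() {
    x=0123456789ABCDEF0123456789ABCDEF01234567   # made-up unrelated key
    case "$1" in
    good)    # signature by the MX-17 key shown on this page
        echo "[GNUPG:] GOODSIG 9B68A1E8B9B6375C Dolphin Oracle (mxlinux)"
        echo "[GNUPG:] VALIDSIG $MX17_FPR 2017-12-14 1513294138 0 4 0 1 8 00 $MX17_FPR" ;;
    subkey)  # antiX: signed by the subkey, primary fingerprint in the last field
        echo "[GNUPG:] VALIDSIG 5ED5055868D37498593A7E10F62626F84A0C4F9C 2016-02-26 1456524164 0 4 0 1 8 00 $ANTIX_FPR" ;;
    other)   # valid signature, but from an unrelated key in the keyring
        echo "[GNUPG:] VALIDSIG $x 2017-12-14 1513294138 0 4 0 1 8 00 $x" ;;
    bad)     # file contents do not match the signature
        echo "[GNUPG:] BADSIG 9B68A1E8B9B6375C Dolphin Oracle (mxlinux)" ;;
    esac
}

# Demo on the constructed samples, pinned to the MX-17 fingerprint.
for kind in good subkey other bad; do
    if sample_status "$kind" | check_status "$MX17_FPR"; then r=accepted; else r=rejected; fi
    echo "MX-17 pin, $kind sample: $r"
done
```

With the keys imported, `verify_iso MX-17_x64.iso.sig MX-17_x64.iso "$MX17_FPR"` returns 0 only for a valid signature made by that key.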
Remove the Warning
For users needing a very high level of security for these ISO keys and wanting to remove the “Warning” that is seen at the end of the above procedures, follow these steps:
1. Generate your own GPG key:
- MX Linux:
- GUI: Install seahorse from the repos if necessary, then click Start menu > Accessories > Passwords and Keys. Click File > New > PGP Key, and follow the prompts.
- CLI: use the “Create a key” link below.
- antiX Main: use the “Create a key” link below.
2. Make sure your GPG key is trusted by you (yes, you need to do that):
gpg --edit-key <user's key>
> trust
> 5 ("Do you really want to do this?")
> yes
This sets your key to ultimate trust, which basically means that it is your key (presumably you ultimately trust yourself!).
3. Exit the gpg shell by typing the word
quit
4. Sign the keys you are going to use with your own key:
gpg --sign-key 4A0C4F9C
gpg --sign-key 0679EE98   # MX only!
gpg --sign-key F09C5B1C   # MX only!
Links
- Create a key
- http://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key
- https://www.linux.com/learn/tutorials/760909-pgp-web-of-trust-core-concepts
- https://www.gnupg.org/gph/en/manual/c481.html
v. 20200818
3 thoughts on “Signed ISO files”
Change
--keyserver hkp://keys.gnupg.net
to
--keyserver hkps://keys.gnupg.net
Got it, thanks.
The keyserver is an alias for the new server and the alias may not be working. Try using:
gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys 4A0C4F9C 0679EE98 F09C5B1C