topic title: Signed iso files
anticapitalista
Posts: 5,956
Site Admin
Joined: 11 Sep 2007
#1
As from antiX-15.1 release, the iso files to be downloaded have been signed by the dev (me).

antiX devs strongly advise users to verify the iso files for authenticity by following the steps below.

iso.sig files here:

========= SCRAPER REMOVED AN EMBEDDED LINK HERE ===========
url was:"https://sourceforge.net/projects/antix-linux/files/Final/antiX-15/"
linktext was:"https://sourceforge.net/projects/antix- ... /antiX-15/"
====================================


Steps:

1. Download the sig files to the same directory as the antiX-xxxx.iso file.

2. Import antiX/MX key from a key server (4A0C4F9C is my key code)

Code: Select all

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 4A0C4F9C
3. Check key has been imported

Code: Select all

gpg --list-keys
4. Verify key

Code: Select all

gpg --fingerprint 4A0C4F9C
5. Verify the ISO image against the GPG signature file, for example

Code: Select all

gpg --verify antiX-15.1_386-full.iso.sig antiX-15.1_386-full.iso


A genuine iso should show something like this.

Code: Select all

gpg: Signature made Fri 26 Feb 2016 05:02:44 PM EST using RSA key ID 4A0C4F9C
gpg: Good signature from"anticapitalista <antix@operamail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 30AA 418A 0C72 3D93 7B50  A986 A805 82E0 0006 7FDD
     Subkey fingerprint: 5ED5 0558 68D3 7498 593A  7E10 F626 26F8 4A0C 4F9C
6. If you see the following warning:

Code: Select all

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: ....
The warning in the last few lines is related to the trust that you put in the antiX/MX signing key. The ISO image is still correct, and valid according to the antiX/MX signing key that you downloaded. To remove this warning you would have to personally sign the antiX/MX signing key with your own key, see next section.
Posts: 452
Jerry
Joined: 12 Sep 2007
#2
Good work! Do you want this go into the antiX/MX Wiki?

I assume we will have a variant for antiX MX as well.
anticapitalista
Posts: 5,956
Site Admin
Joined: 11 Sep 2007
#3
Yes to both!
Posts: 452
Jerry
Joined: 12 Sep 2007
#4
It is somewhat tricky, so I will take my time.

In your first post, it looks like you meant to tell people to download the iso-sig files from here (antiX 15.1, not MX-15):


========= SCRAPER REMOVED AN EMBEDDED LINK HERE ===========
url was:"https://sourceforge.net/projects/antix-linux/files/Final/antiX-15/"
linktext was:"https://sourceforge.net/projects/antix- ... /antiX-15/"
====================================


Is that right?
anticapitalista
Posts: 5,956
Site Admin
Joined: 11 Sep 2007
#5
Thanks Jerry - corrected.
Posts: 452
Jerry
Joined: 12 Sep 2007
#6
I put a draft in here (feel free to edit):


========= SCRAPER REMOVED AN EMBEDDED LINK HERE ===========
url was:"http://www.mepiscommunity.org/wiki/system/signed-iso-files"
linktext was:"http://www.mepiscommunity.org/wiki/syst ... -iso-files"
====================================


Have to figure out how to handle different versions, etc. But not today...