Signed ISO files

Section: 

System

As of the antiX-15.1 release (March 16, 2016), both the antiX Main and antiX MX ISO files offered for download are signed by the dev (anticapitalista). MX snapshots and remasters are now signed as well. The antiX and MX devs strongly advise users to verify the authenticity of the ISO files by following the steps below.

antiX 15.1

Steps:

1. Download the sig files to the same directory as the antiX-xxxx.iso file from here:

https://sourceforge.net/projects/antix-linux/files/Final/antiX-15/

2. Import the antiX/MX key from a key server (4A0C4F9C is anticapitalista's key ID)

gpg --keyserver hkp://keys.gnupg.net --recv-keys 4A0C4F9C

3. Check that the key has been imported

gpg --list-keys

4. Verify the key by displaying its fingerprint

gpg --fingerprint 4A0C4F9C 

5. Verify the ISO image against the GPG signature file, for example:

gpg --verify antiX-15.1_386-full.iso.sig antiX-15.1_386-full.iso 

A genuine ISO should show something like this:

gpg: Signature made Fri 26 Feb 2016 05:02:44 PM EST using RSA key ID 4A0C4F9C
gpg: Good signature from "anticapitalista <antix@operamail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 30AA 418A 0C72 3D93 7B50  A986 A805 82E0 0006 7FDD
     Subkey fingerprint: 5ED5 0558 68D3 7498 593A  7E10 F626 26F8 4A0C 4F9C

6. If you see the following warning:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: ....

The warning in the last few lines relates to the trust that you have placed in the antiX/MX signing key. The ISO image is still correct and valid according to the antiX/MX signing key that you downloaded. To remove this warning you would have to personally sign the antiX/MX signing key with your own key; see below.

MX-15

Carry out the following instructions as a regular user in a terminal opened in the folder where the downloaded ISO is located.

1. If you have not already downloaded the appropriate keys, copy/paste this command into a terminal as a regular user:

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 4A0C4F9C 0679EE98 F09C5B1C

This will give you anticapitalista's key for the official releases, Adrian's key for the monthly updates, and Stevo's for the KDE and core remasters. You will see a response that the keys are being requested and imported.

gpg: requesting key 4A0C4F9C from hkp server keys.gnupg.net
gpg: requesting key 0679EE98 from hkp server keys.gnupg.net
gpg: requesting key F09C5B1C from hkp server keys.gnupg.net
gpg: key 00067FDD: "anticapitalista <antix@operamail.com>" imported
gpg: key 0679EE98: public key "Adrian <adrian@mxlinux.org>" imported
gpg: key F09C5B1C: public key "Steven Pusser (Stevo) <maintainer@mepiscommunity.org>" imported
gpg: Total number processed: 3
gpg: imported: 3 (RSA: 3)

2. Download the sig files to the same directory as the ISO file:

Official release: https://sourceforge.net/projects/antix-linux/files/Final/MX-15/

Monthly updates and remasters: http://mxrepo.com/snapshots/

3. Then open a terminal as a regular user (F4) and enter this command (changing the ISO name as necessary to match your download):

gpg --verify MX-15_x64.iso.sig

You should see a response like this:

gpg: assuming signed data in `MX-15_x64.iso'
gpg: Signature made Fri 26 Feb 2016 05:02:44 PM EST using RSA key ID 4A0C4F9C
gpg: Good signature from "anticapitalista <antix@operamail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 30AA 418A 0C72 3D93 7B50  A986 A805 82E0 0006 7FDD
     Subkey fingerprint: 5ED5 0558 68D3 7498 593A  7E10 F626 26F8 4A0C 4F9C

4. The warning in the last few lines relates to the trust that you have placed in the antiX/MX signing key. The ISO image is still correct and valid according to the antiX/MX signing key that you downloaded. To remove this warning you would have to personally sign the antiX/MX signing key with your own key; see the next section.
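A scripted form of the check in both procedures above, added here as an example (it is not part of the antiX/MX documentation). It reads gpg's machine-readable `--status-fd` output and accepts the ISO only when the VALIDSIG line carries the full primary key fingerprint printed in the sample output on this page, instead of relying on the words "Good signature" or the 8-character key ID. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the antiX/MX docs. Function names are hypothetical.
# Primary key fingerprint as printed in the sample output on this page.
EXPECTED_FPR="30AA418A0C723D937B50A986A80582E000067FDD"

# check_status FPR: read `gpg --status-fd` lines on stdin. Succeeds, printing
# the fingerprint, only if a VALIDSIG line names FPR as the primary key and
# no BADSIG, ERRSIG or REVKEYSIG line is present.
check_status() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint; if gpg did not emit
            # it, fall back to field 3 (the key that made the signature).
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) { print fpr; ok = 1 }
        }
        $1 == "[GNUPG:]" && $2 ~ /^(BADSIG|ERRSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_iso SIGFILE ISOFILE, e.g.
#   verify_iso antiX-15.1_386-full.iso.sig antiX-15.1_386-full.iso
verify_iso() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Constructed status lines (not captured from a real run): a signature by
# the subkey shown on this page, under the expected primary key.
sample_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG F62626F84A0C4F9C anticapitalista <antix@operamail.com>
[GNUPG:] VALIDSIG 5ED5055868D37498593A7E10F62626F84A0C4F9C 2016-02-26 1456524164 0 4 0 1 8 00 30AA418A0C723D937B50A986A80582E000067FDD
EOF
}

# Constructed: a cryptographically valid signature, but from some other key.
sample_other_key() {
    cat <<'EOF'
[GNUPG:] GOODSIG 1111111111111111 someone else
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2016-02-26 1456524164 0 4 0 1 8 00 1111111111111111111111111111111111111111
EOF
}
```

`verify_iso` returns a non-zero exit status for a bad signature, a signature from any other key, or a missing key, so it can gate a download script.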

Remove the Warning

For users needing a very high level of security for these ISO keys and wanting to remove the "Warning" that is seen at the end of the above procedures, follow these steps:

1. Generate your own GPG key:

  • MX Linux:
    • GUI: Install seahorse from the repos if necessary, then click Start menu > Accessories > Passwords and Keys. Click File > New > PGP Key, and follow the prompts.
    • CLI: use the "Create a key" link below.
  • antiX Main: use the "Create a key" link below.

2. Make sure your own GPG key is trusted by you (yes, you need to do that)

gpg --edit-key <user's key>
  > trust
  > 5  ("Do you really want to do this?")
  > yes

This sets your key to ultimate trust, which basically means that it is your key (presumably you ultimately trust yourself!)

3. Exit the gpg shell by typing the word

quit

4. Sign the keys you are going to use with your own key:

gpg --sign-key 4A0C4F9C

gpg --sign-key 0679EE98   # MX only!

gpg --sign-key F09C5B1C   # MX only!

 

Links

 

 

 

v. 20160317