I have a quick question regarding verifying the integrity of my 32bit MX Linux iso download. My experience in verifying signatures is from a Kali background.
I have checked the sha256sums and md5sums for the image according to this successfully:
https://mxlinux.org/wiki/system/checkin ... iso-files/
I have checked the signature using the following syntax to get a good result:
gpg --verify MX-19.3_386.iso.sig
Giving me:
"Good signature from "Dolphin ...""
Additionally being cautious and checking using:
gpg --verify MX-19.3_386.iso.sig MX-19.3_386.iso
Gives a similar result
After doing the suggested checks I wanted to do some further checking related to my Kali integrity checks as the only other Linux OS I had checked before. grep worked fine for sha256sums and md5sums and other checks worked fine. However during a further test I ran in to an interesting output, see below.
When I check the signature using the following syntax for the MX related to iso file downloads:
gpg --verify MX-19.3_386.iso.sig MX-19.3_386.iso.sha256
I receive the output:
"BAD signature from "Dolphin Oracle ... ""
EDIT: The command for a Kali signature check from the official Kali site is as follows:
gpg --verify SHA256SUMS.gpg SHA256SUMS
END EDIT
Why is this giving me a bad signature when everything else is fine and it is an openPGP signature similar to the .gpg file used for a Kali signature? Is this something I should be concerned about? Similarly md5sums gives the same result.
I checked the output from a mirror and from direct to get the same result of BAD signature. I noticed the output is very quick compared to other verify commands I have used in the command line.
Verifying Integrity of 32-bit 19.3 MX Linux [Solved]
-
NewDecrypter
- Posts: 6
- Joined: Mon Mar 15, 2021 6:47 pm
Re: Verifying Integrity of 32-bit 19.3 MX Linux
B/c a signature file belongs to exactly to one file to be verified.NewDecrypter wrote: Mon Mar 15, 2021 7:15 pm When I check the signature using the following syntax for the MX related to iso file downloads:
gpg --verify MX-19.3_386.iso.sig MX-19.3_386.iso.sha256
I receive the output:
"BAD signature from "Dolphin Oracle ... ""
...
Why is this giving me a bad signature
So with the gpg-signature MX-19.3_386.iso.sig
you can only verify the file MX-19.3_386.iso, any other file would generated a bad signature.
Note: Other distros do not sign the iso, but the checksum file - it's a kind of matter of test.
With having the checksum file singed, you would still need to run the "verified" checksum (the sha256sum)
to make sure the iso is authenticated and verified.
-
NewDecrypter
- Posts: 6
- Joined: Mon Mar 15, 2021 6:47 pm
Re: Verifying Integrity of 32-bit 19.3 MX Linux
Thanks user fehlix,
I suspected it was something like this differing between distributions but wanted to confirm just so I was certain about the integrity.
I suspected it was something like this differing between distributions but wanted to confirm just so I was certain about the integrity.