Verifying Integrity of 32-bit 19.3 MX Linux [Solved]
Posted: Mon Mar 15, 2021 7:15 pm
I have a quick question regarding verifying the integrity of my 32bit MX Linux iso download. My experience in verifying signatures is from a Kali background.
I have checked the sha256sums and md5sums for the image according to this successfully:
https://mxlinux.org/wiki/system/checkin ... iso-files/
I have checked the signature using the following syntax to get a good result:
gpg --verify MX-19.3_386.iso.sig
Giving me:
"Good signature from "Dolphin ...""
Additionally being cautious and checking using:
gpg --verify MX-19.3_386.iso.sig MX-19.3_386.iso
Gives a similar result
After doing the suggested checks I wanted to do some further checking related to my Kali integrity checks as the only other Linux OS I had checked before. grep worked fine for sha256sums and md5sums and other checks worked fine. However during a further test I ran in to an interesting output, see below.
When I check the signature using the following syntax for the MX related to iso file downloads:
gpg --verify MX-19.3_386.iso.sig MX-19.3_386.iso.sha256
I receive the output:
"BAD signature from "Dolphin Oracle ... ""
EDIT: The command for a Kali signature check from the official Kali site is as follows:
gpg --verify SHA256SUMS.gpg SHA256SUMS
END EDIT
Why is this giving me a bad signature when everything else is fine and it is an openPGP signature similar to the .gpg file used for a Kali signature? Is this something I should be concerned about? Similarly md5sums gives the same result.
I checked the output from a mirror and from direct to get the same result of BAD signature. I noticed the output is very quick compared to other verify commands I have used in the command line.
I have checked the sha256sums and md5sums for the image according to this successfully:
https://mxlinux.org/wiki/system/checkin ... iso-files/
I have checked the signature using the following syntax to get a good result:
gpg --verify MX-19.3_386.iso.sig
Giving me:
"Good signature from "Dolphin ...""
Additionally being cautious and checking using:
gpg --verify MX-19.3_386.iso.sig MX-19.3_386.iso
Gives a similar result
After doing the suggested checks I wanted to do some further checking related to my Kali integrity checks as the only other Linux OS I had checked before. grep worked fine for sha256sums and md5sums and other checks worked fine. However during a further test I ran in to an interesting output, see below.
When I check the signature using the following syntax for the MX related to iso file downloads:
gpg --verify MX-19.3_386.iso.sig MX-19.3_386.iso.sha256
I receive the output:
"BAD signature from "Dolphin Oracle ... ""
EDIT: The command for a Kali signature check from the official Kali site is as follows:
gpg --verify SHA256SUMS.gpg SHA256SUMS
END EDIT
Why is this giving me a bad signature when everything else is fine and it is an openPGP signature similar to the .gpg file used for a Kali signature? Is this something I should be concerned about? Similarly md5sums gives the same result.
I checked the output from a mirror and from direct to get the same result of BAD signature. I noticed the output is very quick compared to other verify commands I have used in the command line.