MX-23.1 ISO Checksums don't match [Solved]

[Mauser]

The MX-23.1 November ISO shows

md5: 93d9c0e49741fbca0fc8181236968a01

sha256: 13593f36ffedc38fece807098e950ab437c26c850806cf79b6aeb72a1dd7621

As for the Sig. file it's

MD5: 86f1329219b0b4b8efe38a3a01c62fba

SHA256: f2e1a1a0de297456cf8207ad52a564e6323e003493bd05bbf3ba40fea0c6a0ba

As you can see they don't match and no matter if I download the October release or November release they never match or how many times I download an ISO. There is something seriously wrong with the MX downloads from Sourceforge that I hope is looked into. I hope everyone checked the download of the MX ISO.

The md5 and sha256 are correct (although we provide none of these files, I provide only the .sha512 and the .sig files for the ISO)

I don't understand what are you doing, do you compare the MD5 of the .iso with the MD5 of the .sig file? Those are not meant to match.

I recommend suing this command to check if the checksum is correct (you need .iso and .sha512 in the same folder):

Code: Select all

sha512sum -c MX-23.1_November_x64.iso.sha512

Or check the .sig directly (which implicitly does a checksum too besides verifying who signed the ISO -- namely me):

Code: Select all

gpg --verify MX-23.1_November_x64.iso.sig

In my case they don't match. What are they for if they are not meant to match and how can you get checksums for it? I ended up getting the October release to match which I installed now.

[fehlix]

The November checksum calculated by sourceforge
do all match to the iso-, sig- and sha516-files
And the sig and sha256-files do match and verified by signature.
The only file missing is the sig for the November Xfce iso.
And yes... The MX-23.1_November_x64.iso.sig is also there...
to performe signature validation check -> see wiki

Strange because my post above showed it didn't match after downloading 4 copies.

Probably the way you try to create and compare those might be special,
and potentially is different to the way I have confirmed the match.
So, may be you tell us what you actually try to compare and how you create those
which do not match. Also it's strongly recommended,
to compare the hash-sums generated by MX not those a 3rd party is generating.
To be sure the iso file is not manipulated, a fairly robust verification,
would be the signature check, b/c a hashsum check can be manipulate together
with the iso anywhere between the server (or on the server) and your download folder.

[Mauser]

The November checksum calculated by sourceforge
do all match to the iso-, sig- and sha516-files
And the sig and sha256-files do match and verified by signature.
The only file missing is the sig for the November Xfce iso.
And yes... The MX-23.1_November_x64.iso.sig is also there...
to performe signature validation check -> see wiki

Strange because my post above showed it didn't match after downloading 4 copies.

Probably the way you try to create and compare those might be special,
and potentially is different to the way I have confirmed the match.
So, may be you tell us what you actually try to compare and how you create those
which do not match. Also it's strongly recommended,
to compare the hash-sums generated by MX not those a 3rd party is generating.
To be sure the iso file is not manipulated, a fairly robust verification,
would be the signature check, b/c a hashsum check can be manipulate together
with the iso anywhere between the server (or on the server) and your download folder.

This is the first time I ever experienced a checksum that didn't match since using in 2015. I have always done it the same way and never had an issue until downloading MX-23. This time it is different for MX-23. Thank you for the reply Fehlix.

[fehlix]

This is the first time I ever experienced a checksum that didn't match since using in 2015. I have always done it the same way and never had an issue until downloading MX-23. This time it is different for MX-23. Thank you for the reply Fehlix.

Thanks, but you don't let us know how you have done it? So, I'm afraid, can't help further.
I never check 3rd party calculated hash-sums, but rather the on provided by the uploader and always check first the digital-signature if available.

[dolphin_oracle]

It could still be a bad download on Mauser's end, but I have verified all the uploaded original release isos and november snapshots. my mistake with the november snapshot earlier was comparing a sha256 sum to a sha512 sum. easy to do, but totally me and my eyeball's fault.

[Adrian]

It could still be a bad download on Mauser's end, but I have verified all the uploaded original release isos and november snapshots. my mistake with the november snapshot earlier was comparing a sha256 sum to a sha512 sum. easy to do, but totally me and my eyeball's fault.

I don't think so, both the MD5 and the SHA256 Mauser listed were correct he just compared them to the MD5 and SHA256 of the .sig file which make no sense.

[towwire]

It could still be a bad download on Mauser's end, but I have verified all the uploaded original release isos and november snapshots. my mistake with the november snapshot earlier was comparing a sha256 sum to a sha512 sum. easy to do, but totally me and my eyeball's fault.

I don't think so, both the MD5 and the SHA256 Mauser listed were correct he just compared them to the MD5 and SHA256 of the .sig file which make no sense.

After he question the checksums, I download the 3 November files, ISO, sha512 and sig. I am on MX21.3 XFCE.

When I right clicked the sha512 file and "Check data integrity" it passed.

I then right clicked on the ISO file and "Compute sha/md5sum", and have the same numbers he had.

You can not compare sha256 to sha512 (looking in file) and if he did it by eye, no match.

My question is how does @Adrian say the numbers were right but for the sig file?

Can someone up date the right click "Compute sha/md5sum" to include sha512 for MX21.3.

I did a test for me that works but is not space right. I am posting it here but don't used it till @Adrian or a developer corrects it or OK's it.

Code: Select all

yad --info --title="Computed checksums for %n" --text="$(echo; echo -n 'md5:     ' `md5sum %n | awk '{print $1}'`; echo; echo 'sha256:' `sha256sum %n | awk '{print $1}'`; echo; echo 'sha512:' `sha512sum %n | awk '{print $1}'`)" --height=280 --center --button=gtk-close | yad --width=350 --height=250 --progress --percentage="50" --auto-kill --auto-close --title="Checksum utility" --text="Calculating checksums for %n"  --center --button=gtk-close

[Adrian]

My question is how does @Adrian say the numbers were right but for the sig file?

That's not what I said, all the numbers are right from what I could see, but if you compare the MD5 of the .iso to the MD5 of the .sig which I guess Mauser did (not sure I understood exactly what he did, but let's go with this interpretation) of course they don't match. It's like comparing the age of a person to their address. The age number is not wrong, the address is not wrong, but they don't match -- because they were never supposed to match.

@towwire that's way too complicated I provide the instructions how to check the .sha256 and if the sig are correct... frankly checking the .sig should be enough because implicitly it checks the integrity of the file too.

[Mauser]

This is the first time I ever experienced a checksum that didn't match since using in 2015. I have always done it the same way and never had an issue until downloading MX-23. This time it is different for MX-23. Thank you for the reply Fehlix.

Thanks, but you don't let us know how you have done it? So, I'm afraid, can't help further.
I never check 3rd party calculated hash-sums, but rather the on provided by the uploader and always check first the digital-signature if available.

Fehlix, I didn't use any 3rd party checksum. I used what was there as always as I have been since using Linux since 2015. I no longer need any help with this issue because I have successfully downloaded a good copy of the October release of MX-23.1 and have installed it yesterday which is why I marked this as solved.