Re: Signed iso files
Posted: Sun May 15, 2016 9:43 am
Hi all,
I did both CLI/Terminal and GPA (the GNU Privacy Assistant) and something is not making sense for MX-15 monthly downloads. With the thread here and also with the official MX-thread "how-to" on checking/verifying MX-15 .iso and .iso.sig files provided during download, I am running into the following:
Please check this above screenshot of my screen showing you both CLI/terminal response and GPA's response when trying to check/verify:
1) First, anticapitalista's public key ID is listed as "00067FDD" and not "4A0C4F9C" as provided in the detailed MX-15 Community Forum "How-to Wiki" (www.mepiscommunity.org/wiki/system/signed-iso-files) for verifying MX-15 ISOs. Also, how can two different public keys, assigned to only one individual (anticapitalista), return the exact same "Primary Key Fingerprint"? This isn't supposed to be possible, unless, well, ...gulp... no need to go there yet (here's looking at you, Linux Mint). Then, as if the primary key fingerprint assigned to two different public keys isn't enough, it all seems to get weirder, as how can this second thing be happening:
2) the downloaded files (I download the monthly ISOs; again, check the included pic attachment for a shot of the files I downloaded) are trying to be signed by Adrian and not anticapitalista. The MX-15 forum instructions specifically say that "anticapitalista" and not "Adrian 0679EE98" should be signing the ISOs. Furthermore, verifying through GPA kicks back that even Adrian's verification is "KEY NOT VALID". Why? At least Adrian's one public key is assigned to one primary key fingerprint, unlike anticapitalista's.
Any chance you guys can check what is going on? (If I've screwed the pooch about understanding this all, and done this wrong, apologies... but in my defense I've done, over the past years if not decade, many iso.sig and iso checks/verifications, and I've never seen anything, at the least, like anticapitalista's of having two Primary Fingerprints assigned to the same public key, let alone ISOs being signed by "anticapitalista" but the iso.sig looking for verification from Adrian's... heck, this is not even a sub-key issue where anticapitalista's weirdness is concerned.)
(Also please know, the MX-15_Apr monthly md5 signature comes back clean, but honestly, as we all know, md5 is not so good or confidence-inspiring nowadays... sha256 at minimum is needed, and most should be migrating to sha512. The MX & Mepis forums not only need to move to HTTPS yesterday, but it is needed to get off of MD5 sum and hop-skip right over sha256 and head straight to sha512. Show us ya mean business, with both https and sha512.)
Thanks for any replies about what is going on above!
P.S. I set up MX-15 in a secured, off-network, very isolated (its own subnet network) environment, inside a VirtualBox no less, just to get a glimpse of how the OS looks. And the OS looks great; seems to me it is one of the few that are heading towards that nirvana land that Debian users have been looking/craving for a long time, and where it would also appeal to newbie Linux users too. Before I use MX-15 full time and let her loose in my home, I would very much like to hear the explanation of why the above is occurring during verification.