Welcome!
Important information
-- Spectre and Meltdown vulnerabilities
-- Change in MX sources

News
-- MX Linux on social media: here
-- Mepis support still here

Current releases
-- MX-17.1 Final release info here
-- antiX-17 release info here

New users
-- Please read this first, and don't forget to add system and hardware information to posts!
-- Here are the Forum Rules

[SOLVED] MX-17.1: GPG-verification of ISO outputs "BAD signature"

Report Bugs, Issues and non- pacakage Requests
Message
Author
User avatar
MX-16_fan
Forum Regular
Forum Regular
Posts: 945
Joined: Mon Feb 13, 2017 12:09 pm

[SOLVED] MX-17.1: GPG-verification of ISO outputs "BAD signature"

#1 Post by MX-16_fan » Thu Jul 12, 2018 2:39 pm

@dolphin_oracle,
@all:

Downloaded MX-17.1 64-Bit from TENET, South Africa (a SOURCEFORGE mirror).

(Actually I thought I would be downloading from "St. Louis MO, US", as stated on the "Download Links" page (https://mxlinux.org/download-links). However, that entry led right to SOURCEFORGE, as the link's URL is https://sourceforge.net/projects/mx-lin ... l/MX-17.1/. Maybe you'd wish to change that on the website, calling the link "Download from the SOURCEFORGE mirror system" rather than "St. Louis MO, US".)

Anyway, when I tried to verify the ISO's signature, I got a "BAD signature" warning.

What I did was follow the instructions in the Wiki (https://mxlinux.org/wiki/system/signed-iso-files#MX-17) (while assuming that the instructions given for MX-17 would fit for MX-17.1).

By the way: On https://sourceforge.net/projects/mx-lin ... l/MX-17.1/, the file is offered by the name "MX-17.1_x64.iso". That entry is linked to https://sourceforge.net/projects/mx-lin ... o/download. However, when I actually download the file, it is named "MX-17.1_June_x64.iso". Why is that so?

Anyway, the file name seems to be irrelevant when it comes to checking the file against the signature.


Greetings, Joe
Last edited by MX-16_fan on Fri Jul 13, 2018 6:36 am, edited 1 time in total.

User avatar
dolphin_oracle
Forum Veteran
Forum Veteran
Posts: 9294
Joined: Sun Dec 16, 2007 1:17 pm

Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"

#2 Post by dolphin_oracle » Thu Jul 12, 2018 2:54 pm

you downloaded a monthly snapshot. they are usually signed by adrian.

the official releases are down below in the file pane.

https://sourceforge.net/projects/mx-lin ... l/MX-17.1/
http://www.youtube.com/runwiththedolphin
lenovo ThinkPad T530 - MX-17
lenovo s21e & 100s - antiX-17, MX17(live-usb)
FYI: mx "test" repo is not the same thing as debian testing repo.

User avatar
MX-16_fan
Forum Regular
Forum Regular
Posts: 945
Joined: Mon Feb 13, 2017 12:09 pm

Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"

#3 Post by MX-16_fan » Thu Jul 12, 2018 3:18 pm

@dolphin_oracle:
dolphin_oracle wrote:
Thu Jul 12, 2018 2:54 pm
you downloaded a monthly snapshot.
At least not intentionally. The links I posted are supposed to lead to a final version (i.e. official release). What I get, however, is a "June" version.

Can you reproduce that?


Greetings, Joe

User avatar
towwire
Forum Regular
Forum Regular
Posts: 296
Joined: Fri Oct 15, 2010 12:15 pm

Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"

#4 Post by towwire » Thu Jul 12, 2018 3:20 pm

MX-16_fan wrote:
Thu Jul 12, 2018 2:39 pm
Cut

By the way: On https://sourceforge.net/projects/mx-lin ... l/MX-17.1/, the file is offered by the name "MX-17.1_x64.iso". That entry is linked to https://sourceforge.net/projects/mx-lin ... o/download. However, when I actually download the file, it is named "MX-17.1_June_x64.iso". Why is that so?

Anyway, the file name seems to be irrelevant when it comes to checking the file against the signature.


Greetings, Joe
Using the first link I get ThisImage
If you click on the "MX-17.1_x64so" you will get that ISO, Which your second link does bring up to download.
If you click on the green area you will get the latest snapshot.

I used your links.
You do not have the required permissions to view the files attached to this post.

User avatar
dolphin_oracle
Forum Veteran
Forum Veteran
Posts: 9294
Joined: Sun Dec 16, 2007 1:17 pm

Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"

#5 Post by dolphin_oracle » Thu Jul 12, 2018 3:22 pm

yes i can reproduce, but its the same page I already looked at.

take a look at the file names. Our monthly snapshot shows up in the default green button, but the official finals are down below.

*edit** what towwire said.
You do not have the required permissions to view the files attached to this post.
http://www.youtube.com/runwiththedolphin
lenovo ThinkPad T530 - MX-17
lenovo s21e & 100s - antiX-17, MX17(live-usb)
FYI: mx "test" repo is not the same thing as debian testing repo.

User avatar
Richard
Posts: 2028
Joined: Fri Dec 12, 2008 10:31 am

Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"

#6 Post by Richard » Thu Jul 12, 2018 4:14 pm

Just a FYI,
I find Adrian's monthly updates to be preferable to the old original.

The June build includes all updates up to that date.

Download the original and then another couple of hundred MiB of updates.

Your choice.
MX171 on Lenovo T430-2017: i5-3320M, 8 GBRAM, 4.15.0-1-amd64, intel_pstate, 119GB SSD
MX171 on AA1(ZG5) & EeePC-1005ha: Dual Core N270, 1 GBRAM, 4.15.0-1-686-pae, 150GB HDD
DC9, LibO61, Dbox, PM, FF, mPDFed, CherryT, Vbox. __ Linux Counter #208633

User avatar
MX-16_fan
Forum Regular
Forum Regular
Posts: 945
Joined: Mon Feb 13, 2017 12:09 pm

Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"

#7 Post by MX-16_fan » Thu Jul 12, 2018 4:18 pm

@dolphin_oracle:
dolphin_oracle wrote:
Thu Jul 12, 2018 3:22 pm
yes i can reproduce, (...). take a look at the file names. Our monthly snapshot shows up in the default green button, but the official finals are down below.
Thanks, now I get what the problem is.

Wouldn't be there some way of telling SOURCEFORGE to deliver the official release by default, not the snapshot?

I am asking this from a user journey perspective. When you click on the above-mentioned link in the "Original Release" section of MX-17's website, you'd obviously expect whatever follows to deliver by default an original release.

SOURCEFORGE's "Download Latest Version" isn't really self-explaining - especially given the fact that the "June" ISO has no mentioning of "snapshot" in the file name. "June" could be just an additional information, telling you that 17.1 has been released in June. As I fell for that, others might do so also.


Greetings, Joe

User avatar
MX-16_fan
Forum Regular
Forum Regular
Posts: 945
Joined: Mon Feb 13, 2017 12:09 pm

Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"

#8 Post by MX-16_fan » Thu Jul 12, 2018 4:21 pm

@Richard:
Richard wrote:
Thu Jul 12, 2018 4:14 pm
I find Adrian's monthly updates to be preferable to the old original. (...)
Thanks for the information. I don't have any personal preference. Just thinking that when you start off in the "Original Release" section, you should by default be led to an original release.

If someone explicitly wants a snapshot, there's a dedicated "Monthly update/upgrade" section for that on https://mxlinux.org/download-links also. So people who search for a snapshot are already being served well.


Greetings, Joe

User avatar
Richard
Posts: 2028
Joined: Fri Dec 12, 2008 10:31 am

Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"

#9 Post by Richard » Thu Jul 12, 2018 4:25 pm

@MX-16_fan,
You are correct --could be more precise.
MX171 on Lenovo T430-2017: i5-3320M, 8 GBRAM, 4.15.0-1-amd64, intel_pstate, 119GB SSD
MX171 on AA1(ZG5) & EeePC-1005ha: Dual Core N270, 1 GBRAM, 4.15.0-1-686-pae, 150GB HDD
DC9, LibO61, Dbox, PM, FF, mPDFed, CherryT, Vbox. __ Linux Counter #208633

User avatar
Adrian
Forum Veteran
Forum Veteran
Posts: 8873
Joined: Wed Jul 12, 2006 1:42 am

Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"

#10 Post by Adrian » Thu Jul 12, 2018 4:39 pm

Sourceforge has a "download latest version" banner, I choose to display there the latest snapshot because we try to encourage people to get the latest and greatest (with of the bugs squashed hopefully). As far as I know that's not customizable, if we display the March release as the "download latest version" that would also be confusing and incorrect because that's not the latest and it would push a lot of people to use an older version. The link is correct, the official release is displayed there but you also you have the option to download the latest version which I think is a good option to have. If that's confusing hopefully we provided the clarification.

Post Reply

Return to “Bugs and Non-Package Requests Forum”