[SOLVED] MX-17.1: GPG-verification of ISO outputs "BAD signature"
[SOLVED] MX-17.1: GPG-verification of ISO outputs "BAD signature"
@dolphin_oracle,
@all:
Downloaded MX-17.1 64-Bit from TENET, South Africa (a SOURCEFORGE mirror).
(Actually I thought I would be downloading from "St. Louis MO, US", as stated on the "Download Links" page (https://mxlinux.org/download-links). However, that entry led right to SOURCEFORGE, as the link's URL is https://sourceforge.net/projects/mx-lin ... l/MX-17.1/. Maybe you'd wish to change that on the website, calling the link "Download from the SOURCEFORGE mirror system" rather than "St. Louis MO, US".)
Anyway, when I tried to verify the ISO's signature, I got a "BAD signature" warning.
What I did was follow the instructions in the Wiki (https://mxlinux.org/wiki/system/signed-iso-files#MX-17) (while assuming that the instructions given for MX-17 would fit for MX-17.1).
By the way: On https://sourceforge.net/projects/mx-lin ... l/MX-17.1/, the file is offered by the name "MX-17.1_x64.iso". That entry is linked to https://sourceforge.net/projects/mx-lin ... o/download. However, when I actually download the file, it is named "MX-17.1_June_x64.iso". Why is that so?
Anyway, the file name seems to be irrelevant when it comes to checking the file against the signature.
Greetings, Joe
@all:
Downloaded MX-17.1 64-Bit from TENET, South Africa (a SOURCEFORGE mirror).
(Actually I thought I would be downloading from "St. Louis MO, US", as stated on the "Download Links" page (https://mxlinux.org/download-links). However, that entry led right to SOURCEFORGE, as the link's URL is https://sourceforge.net/projects/mx-lin ... l/MX-17.1/. Maybe you'd wish to change that on the website, calling the link "Download from the SOURCEFORGE mirror system" rather than "St. Louis MO, US".)
Anyway, when I tried to verify the ISO's signature, I got a "BAD signature" warning.
What I did was follow the instructions in the Wiki (https://mxlinux.org/wiki/system/signed-iso-files#MX-17) (while assuming that the instructions given for MX-17 would fit for MX-17.1).
By the way: On https://sourceforge.net/projects/mx-lin ... l/MX-17.1/, the file is offered by the name "MX-17.1_x64.iso". That entry is linked to https://sourceforge.net/projects/mx-lin ... o/download. However, when I actually download the file, it is named "MX-17.1_June_x64.iso". Why is that so?
Anyway, the file name seems to be irrelevant when it comes to checking the file against the signature.
Greetings, Joe
Last edited by MX-16_fan on Fri Jul 13, 2018 6:36 am, edited 1 time in total.
- dolphin_oracle
- Developer
- Posts: 20022
- Joined: Sun Dec 16, 2007 1:17 pm
Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"
you downloaded a monthly snapshot. they are usually signed by adrian.
the official releases are down below in the file pane.
https://sourceforge.net/projects/mx-lin ... l/MX-17.1/
the official releases are down below in the file pane.
https://sourceforge.net/projects/mx-lin ... l/MX-17.1/
http://www.youtube.com/runwiththedolphin
lenovo ThinkPad X1 Extreme Gen 4 - MX-23
FYI: mx "test" repo is not the same thing as debian testing repo.
lenovo ThinkPad X1 Extreme Gen 4 - MX-23
FYI: mx "test" repo is not the same thing as debian testing repo.
Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"
@dolphin_oracle:
Can you reproduce that?
Greetings, Joe
At least not intentionally. The links I posted are supposed to lead to a final version (i.e. official release). What I get, however, is a "June" version.
Can you reproduce that?
Greetings, Joe
Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"
Using the first link I get ThisMX-16_fan wrote: ↑Thu Jul 12, 2018 2:39 pm Cut
By the way: On https://sourceforge.net/projects/mx-lin ... l/MX-17.1/, the file is offered by the name "MX-17.1_x64.iso". That entry is linked to https://sourceforge.net/projects/mx-lin ... o/download. However, when I actually download the file, it is named "MX-17.1_June_x64.iso". Why is that so?
Anyway, the file name seems to be irrelevant when it comes to checking the file against the signature.
Greetings, Joe
If you click on the "MX-17.1_x64so" you will get that ISO, Which your second link does bring up to download.
If you click on the green area you will get the latest snapshot.
I used your links.
You do not have the required permissions to view the files attached to this post.
- dolphin_oracle
- Developer
- Posts: 20022
- Joined: Sun Dec 16, 2007 1:17 pm
Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"
yes i can reproduce, but its the same page I already looked at.
take a look at the file names. Our monthly snapshot shows up in the default green button, but the official finals are down below.
*edit** what towwire said.
take a look at the file names. Our monthly snapshot shows up in the default green button, but the official finals are down below.
*edit** what towwire said.
You do not have the required permissions to view the files attached to this post.
http://www.youtube.com/runwiththedolphin
lenovo ThinkPad X1 Extreme Gen 4 - MX-23
FYI: mx "test" repo is not the same thing as debian testing repo.
lenovo ThinkPad X1 Extreme Gen 4 - MX-23
FYI: mx "test" repo is not the same thing as debian testing repo.
Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"
Just a FYI,
I find Adrian's monthly updates to be preferable to the old original.
The June build includes all updates up to that date.
Download the original and then another couple of hundred MiB of updates.
Your choice.
I find Adrian's monthly updates to be preferable to the old original.
The June build includes all updates up to that date.
Download the original and then another couple of hundred MiB of updates.
Your choice.
Thinkpad T430 & Dell Latitude E7450, both with MX-21.3.1
kernal 5.10.0-26-amd64 x86_64; Xfce-4.18.0; 8 GB RAM
Intel Core i5-3380M, Graphics, Audio, Video; & SSDs.
kernal 5.10.0-26-amd64 x86_64; Xfce-4.18.0; 8 GB RAM
Intel Core i5-3380M, Graphics, Audio, Video; & SSDs.
Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"
@dolphin_oracle:
Wouldn't be there some way of telling SOURCEFORGE to deliver the official release by default, not the snapshot?
I am asking this from a user journey perspective. When you click on the above-mentioned link in the "Original Release" section of MX-17's website, you'd obviously expect whatever follows to deliver by default an original release.
SOURCEFORGE's "Download Latest Version" isn't really self-explaining - especially given the fact that the "June" ISO has no mentioning of "snapshot" in the file name. "June" could be just an additional information, telling you that 17.1 has been released in June. As I fell for that, others might do so also.
Greetings, Joe
Thanks, now I get what the problem is.dolphin_oracle wrote: ↑Thu Jul 12, 2018 3:22 pm yes i can reproduce, (...). take a look at the file names. Our monthly snapshot shows up in the default green button, but the official finals are down below.
Wouldn't be there some way of telling SOURCEFORGE to deliver the official release by default, not the snapshot?
I am asking this from a user journey perspective. When you click on the above-mentioned link in the "Original Release" section of MX-17's website, you'd obviously expect whatever follows to deliver by default an original release.
SOURCEFORGE's "Download Latest Version" isn't really self-explaining - especially given the fact that the "June" ISO has no mentioning of "snapshot" in the file name. "June" could be just an additional information, telling you that 17.1 has been released in June. As I fell for that, others might do so also.
Greetings, Joe
Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"
@Richard:
If someone explicitly wants a snapshot, there's a dedicated "Monthly update/upgrade" section for that on https://mxlinux.org/download-links also. So people who search for a snapshot are already being served well.
Greetings, Joe
Thanks for the information. I don't have any personal preference. Just thinking that when you start off in the "Original Release" section, you should by default be led to an original release.
If someone explicitly wants a snapshot, there's a dedicated "Monthly update/upgrade" section for that on https://mxlinux.org/download-links also. So people who search for a snapshot are already being served well.
Greetings, Joe
Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"
@MX-16_fan,
You are correct --could be more precise.
You are correct --could be more precise.
Thinkpad T430 & Dell Latitude E7450, both with MX-21.3.1
kernal 5.10.0-26-amd64 x86_64; Xfce-4.18.0; 8 GB RAM
Intel Core i5-3380M, Graphics, Audio, Video; & SSDs.
kernal 5.10.0-26-amd64 x86_64; Xfce-4.18.0; 8 GB RAM
Intel Core i5-3380M, Graphics, Audio, Video; & SSDs.
Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"
Sourceforge has a "download latest version" banner, I choose to display there the latest snapshot because we try to encourage people to get the latest and greatest (with of the bugs squashed hopefully). As far as I know that's not customizable, if we display the March release as the "download latest version" that would also be confusing and incorrect because that's not the latest and it would push a lot of people to use an older version. The link is correct, the official release is displayed there but you also you have the option to download the latest version which I think is a good option to have. If that's confusing hopefully we provided the clarification.