[SOLVED] MX-17.1: GPG-verification of ISO outputs "BAD signature"

Report Bugs, Issues and non- package Requests
Message
Author
User avatar
MX-16_fan
Posts: 331
Joined: Mon Feb 13, 2017 12:09 pm

[SOLVED] MX-17.1: GPG-verification of ISO outputs "BAD signature"

#1 Post by MX-16_fan »

@dolphin_oracle,
@all:

Downloaded MX-17.1 64-Bit from TENET, South Africa (a SOURCEFORGE mirror).

(Actually I thought I would be downloading from "St. Louis MO, US", as stated on the "Download Links" page (https://mxlinux.org/download-links). However, that entry led right to SOURCEFORGE, as the link's URL is https://sourceforge.net/projects/mx-lin ... l/MX-17.1/. Maybe you'd wish to change that on the website, calling the link "Download from the SOURCEFORGE mirror system" rather than "St. Louis MO, US".)

Anyway, when I tried to verify the ISO's signature, I got a "BAD signature" warning.

What I did was follow the instructions in the Wiki (https://mxlinux.org/wiki/system/signed-iso-files#MX-17) (while assuming that the instructions given for MX-17 would fit for MX-17.1).

By the way: On https://sourceforge.net/projects/mx-lin ... l/MX-17.1/, the file is offered by the name "MX-17.1_x64.iso". That entry is linked to https://sourceforge.net/projects/mx-lin ... o/download. However, when I actually download the file, it is named "MX-17.1_June_x64.iso". Why is that so?

Anyway, the file name seems to be irrelevant when it comes to checking the file against the signature.


Greetings, Joe
Last edited by MX-16_fan on Fri Jul 13, 2018 6:36 am, edited 1 time in total.

User avatar
dolphin_oracle
Developer
Posts: 19921
Joined: Sun Dec 16, 2007 1:17 pm

Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"

#2 Post by dolphin_oracle »

you downloaded a monthly snapshot. they are usually signed by adrian.

the official releases are down below in the file pane.

https://sourceforge.net/projects/mx-lin ... l/MX-17.1/
http://www.youtube.com/runwiththedolphin
lenovo ThinkPad X1 Extreme Gen 4 - MX-23
FYI: mx "test" repo is not the same thing as debian testing repo.

User avatar
MX-16_fan
Posts: 331
Joined: Mon Feb 13, 2017 12:09 pm

Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"

#3 Post by MX-16_fan »

@dolphin_oracle:
dolphin_oracle wrote: Thu Jul 12, 2018 2:54 pm you downloaded a monthly snapshot.
At least not intentionally. The links I posted are supposed to lead to a final version (i.e. official release). What I get, however, is a "June" version.

Can you reproduce that?


Greetings, Joe

User avatar
towwire
Posts: 645
Joined: Fri Oct 15, 2010 12:15 pm

Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"

#4 Post by towwire »

MX-16_fan wrote: Thu Jul 12, 2018 2:39 pm Cut

By the way: On https://sourceforge.net/projects/mx-lin ... l/MX-17.1/, the file is offered by the name "MX-17.1_x64.iso". That entry is linked to https://sourceforge.net/projects/mx-lin ... o/download. However, when I actually download the file, it is named "MX-17.1_June_x64.iso". Why is that so?

Anyway, the file name seems to be irrelevant when it comes to checking the file against the signature.


Greetings, Joe
Using the first link I get ThisImage
If you click on the "MX-17.1_x64so" you will get that ISO, Which your second link does bring up to download.
If you click on the green area you will get the latest snapshot.

I used your links.
You do not have the required permissions to view the files attached to this post.

User avatar
dolphin_oracle
Developer
Posts: 19921
Joined: Sun Dec 16, 2007 1:17 pm

Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"

#5 Post by dolphin_oracle »

yes i can reproduce, but its the same page I already looked at.

take a look at the file names. Our monthly snapshot shows up in the default green button, but the official finals are down below.

*edit** what towwire said.
You do not have the required permissions to view the files attached to this post.
http://www.youtube.com/runwiththedolphin
lenovo ThinkPad X1 Extreme Gen 4 - MX-23
FYI: mx "test" repo is not the same thing as debian testing repo.

User avatar
Richard
Posts: 1577
Joined: Fri Dec 12, 2008 10:31 am

Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"

#6 Post by Richard »

Just a FYI,
I find Adrian's monthly updates to be preferable to the old original.

The June build includes all updates up to that date.

Download the original and then another couple of hundred MiB of updates.

Your choice.
Thinkpad T430 & Dell Latitude E7450, both with MX-21.3.1
kernal 5.10.0-26-amd64 x86_64; Xfce-4.18.0; 8 GB RAM
Intel Core i5-3380M, Graphics, Audio, Video; & SSDs.

User avatar
MX-16_fan
Posts: 331
Joined: Mon Feb 13, 2017 12:09 pm

Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"

#7 Post by MX-16_fan »

@dolphin_oracle:
dolphin_oracle wrote: Thu Jul 12, 2018 3:22 pm yes i can reproduce, (...). take a look at the file names. Our monthly snapshot shows up in the default green button, but the official finals are down below.
Thanks, now I get what the problem is.

Wouldn't be there some way of telling SOURCEFORGE to deliver the official release by default, not the snapshot?

I am asking this from a user journey perspective. When you click on the above-mentioned link in the "Original Release" section of MX-17's website, you'd obviously expect whatever follows to deliver by default an original release.

SOURCEFORGE's "Download Latest Version" isn't really self-explaining - especially given the fact that the "June" ISO has no mentioning of "snapshot" in the file name. "June" could be just an additional information, telling you that 17.1 has been released in June. As I fell for that, others might do so also.


Greetings, Joe

User avatar
MX-16_fan
Posts: 331
Joined: Mon Feb 13, 2017 12:09 pm

Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"

#8 Post by MX-16_fan »

@Richard:
Richard wrote: Thu Jul 12, 2018 4:14 pm I find Adrian's monthly updates to be preferable to the old original. (...)
Thanks for the information. I don't have any personal preference. Just thinking that when you start off in the "Original Release" section, you should by default be led to an original release.

If someone explicitly wants a snapshot, there's a dedicated "Monthly update/upgrade" section for that on https://mxlinux.org/download-links also. So people who search for a snapshot are already being served well.


Greetings, Joe

User avatar
Richard
Posts: 1577
Joined: Fri Dec 12, 2008 10:31 am

Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"

#9 Post by Richard »

@MX-16_fan,
You are correct --could be more precise.
Thinkpad T430 & Dell Latitude E7450, both with MX-21.3.1
kernal 5.10.0-26-amd64 x86_64; Xfce-4.18.0; 8 GB RAM
Intel Core i5-3380M, Graphics, Audio, Video; & SSDs.

User avatar
Adrian
Developer
Posts: 8248
Joined: Wed Jul 12, 2006 1:42 am

Re: MX-17.1: GPG-verification of ISO outputs "BAD signature"

#10 Post by Adrian »

Sourceforge has a "download latest version" banner, I choose to display there the latest snapshot because we try to encourage people to get the latest and greatest (with of the bugs squashed hopefully). As far as I know that's not customizable, if we display the March release as the "download latest version" that would also be confusing and incorrect because that's not the latest and it would push a lot of people to use an older version. The link is correct, the official release is displayed there but you also you have the option to download the latest version which I think is a good option to have. If that's confusing hopefully we provided the clarification.

Post Reply

Return to “Bugs and Non-Package Requests Forum”