Page 1 of 1
AV Linux 21.3 : verifying media integrity
Posted: Wed Aug 09, 2023 7:10 pm
by gregariousgus
Hi! I'm very interested in installing and using AV Linux 21.3, and so have downloaded the 4 files that appear here.
https://downloads.bandshed.net/AVL-MXE_21.3/
I'd like to do all I can to verify the integrity/authenticity of my .ISO, or whatever else the files in this directory are meant for.
However I can't find authoritative documentation about how to use them. My linux distro has no context menu that says "show file checksums".
Can anyone give me direction for using command line tools on XFCE Ubuntu Linux? Here or a link to something elsewhere?
Thanks
Re: AV Linux 21.3 : verifying media integrity
Posted: Wed Aug 09, 2023 11:31 pm
by sunrat
Checksums are easy. Open a terminal in the same directory as the iso and md5/sha256 files and do:
Code: Select all
md5sum -c AV_Linux_MX_Edition-21.3_ahs_x64.iso.md5
The "-c" option means compare so it will return "OK" if the sums match.
sha256 is the same, just substitute "sha256sum" and the matching file.
Re: AV Linux 21.3 : verifying media integrity
Posted: Thu Aug 10, 2023 10:38 am
by Impostor
To verify authenticity you'll need the AVLs public gpg key.
Retrieve the AV Linux GPG Key with this command:
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 5DBC090C710C87B3
Then in terminal
or something very much like it..
Of course, if the iso has been compromised, then its shasum file can be compromised, and the keyserver+key instruction can be compromised too :)
Re: AV Linux 21.3 : verifying media integrity
Posted: Thu Aug 10, 2023 11:01 am
by gregariousgus
Thanks, this is what I was hoping for!
When I use your command, this is what prints out.
Code: Select all
gpg: Signature made Thu 26 Jan 2023 11:53:52 PM EST
gpg: using RSA key 81280128CAC09F2BBADB4A775DBC090C710C87B3
gpg: Good signature from "Glen MacArthur <info@bandshed.net>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8128 0128 CAC0 9F2B BADB 4A77 5DBC 090C 710C 87B3
Re: AV Linux 21.3 : verifying media integrity
Posted: Thu Aug 10, 2023 11:05 am
by Impostor
gregariousgus wrote: ↑Thu Aug 10, 2023 11:01 am
Thanks, this is what I was hoping for!
When I use your command, this is what prints out.
Code: Select all
gpg: Signature made Thu 26 Jan 2023 11:53:52 PM EST
gpg: using RSA key 81280128CAC09F2BBADB4A775DBC090C710C87B3
gpg: Good signature from "Glen MacArthur <info@bandshed.net>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8128 0128 CAC0 9F2B BADB 4A77 5DBC 090C 710C 87B3
That's cool. You'll always get that warning afaik.
This is what matters: gpg: Good signature from "Glen MacArthur [..]"