AV Linux 21.3 : verifying media integrity

What other apps and distros do you use to round out your studio?

Moderators: MattKingUSA, khz

Post Reply
gregariousgus
Established Member
Posts: 10
Joined: Thu Apr 16, 2020 10:46 am
Has thanked: 3 times
Been thanked: 1 time

AV Linux 21.3 : verifying media integrity

Post by gregariousgus »

Hi! I'm very interested in installing and using AV Linux 21.3, and so have downloaded the 4 files that appear here.

https://downloads.bandshed.net/AVL-MXE_21.3/

I'd like to do all I can to verify the integrity/authenticity of my .ISO, or whatever else the files in this directory are meant for.

However I can't find authoritative documentation about how to use them. My linux distro has no context menu that says "show file checksums".

Can anyone give me direction for using command line tools on XFCE Ubuntu Linux? Here or a link to something elsewhere?

Thanks

Top
User avatar
sunrat
Established Member
Posts: 925
Joined: Wed Jul 22, 2020 2:08 pm
Has thanked: 152 times
Been thanked: 247 times

Re: AV Linux 21.3 : verifying media integrity

Post by sunrat »

Checksums are easy. Open a terminal in the same directory as the iso and md5/sha256 files and do:

Code: Select all

md5sum -c AV_Linux_MX_Edition-21.3_ahs_x64.iso.md5

The "-c" option means compare so it will return "OK" if the sums match.
sha256 is the same, just substitute "sha256sum" and the matching file.

Top
User avatar
Impostor
Established Member
Posts: 1392
Joined: Wed Aug 17, 2022 1:55 pm
Has thanked: 148 times
Been thanked: 366 times

Re: AV Linux 21.3 : verifying media integrity

Post by Impostor »

To verify authenticity you'll need the AVLs public gpg key.

Retrieve the AV Linux GPG Key with this command:

gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 5DBC090C710C87B3

Then in terminal

Code: Select all

gpg --verify *.sig *.iso

or something very much like it..

Of course, if the iso has been compromised, then its shasum file can be compromised, and the keyserver+key instruction can be compromised too :)

Last edited by Impostor on Thu Aug 10, 2023 11:08 am, edited 1 time in total.
Top
gregariousgus
Established Member
Posts: 10
Joined: Thu Apr 16, 2020 10:46 am
Has thanked: 3 times
Been thanked: 1 time

Re: AV Linux 21.3 : verifying media integrity

Post by gregariousgus »

Thanks, this is what I was hoping for!

When I use your command, this is what prints out.

Code: Select all

gpg: Signature made Thu 26 Jan 2023 11:53:52 PM EST
gpg:                using RSA key 81280128CAC09F2BBADB4A775DBC090C710C87B3
gpg: Good signature from "Glen MacArthur <info@bandshed.net>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8128 0128 CAC0 9F2B BADB  4A77 5DBC 090C 710C 87B3
Top
User avatar
Impostor
Established Member
Posts: 1392
Joined: Wed Aug 17, 2022 1:55 pm
Has thanked: 148 times
Been thanked: 366 times

Re: AV Linux 21.3 : verifying media integrity

Post by Impostor »

gregariousgus wrote: Thu Aug 10, 2023 11:01 am

Thanks, this is what I was hoping for!

When I use your command, this is what prints out.

Code: Select all

gpg: Signature made Thu 26 Jan 2023 11:53:52 PM EST
gpg:                using RSA key 81280128CAC09F2BBADB4A775DBC090C710C87B3
gpg: Good signature from "Glen MacArthur <info@bandshed.net>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8128 0128 CAC0 9F2B BADB  4A77 5DBC 090C 710C 87B3

That's cool. You'll always get that warning afaik.
This is what matters: gpg: Good signature from "Glen MacArthur [..]"

Top
Post Reply

Return to “Linux Distributions & Other Software”