Full ISO from Torrent not bootable in Virtual Box

I am attempting to install Endless in Virtual Box. System Win 10 64-bit 8 GB RAM AMD Processor.

My first attempt, VB did not find bootable installation media, set as secondary master ‘optical’ drive.

I did a second d/l at https://torrents.endlessm.com/torrents/eos-amd64-amd64-en-3.5.6-iso.torrent which took 2 days to extract using muTorrent (bitTorrent). I do not trust this d/l to proceed. What is the hash on this file?

Alternately, I downloaded the ‘direct’ ASC file and note that it is a PGP file of 833 bytes, not the 16GB I was expecting.

So where do I go from there?. I can get to PowerShell, BASH, and a Terminal in Windows.

I do not understand from the instructions:

"We recommend that you manually verify the image file you have downloaded prior to writing it to your USB stick. Endless OS images are signed using the Endless Image Signing Key (4096R: CB50 0F7B C923 3FAD 32B4 E720 9E0C 1250 587A 279C), so each .iso file has a corresponding .asc file. You can download the keyring and the .asc file and check the signature using the following command in a terminal:

gpg --verify --keyring=./eos-image-keyring.gpg eos-XXX.iso.asc eos-XXX.iso"

I need the exact command line or other clear steps to proceed to get the ISO.




I am way past your reply.

I am familiar with Virtual Box and have several other Oses running.

My issue is getting a ‘clean’ ISO file from you guys.

Here is what I have ‘mucked’ through as far as the syntax:

gpg --verify --keyring{gpgFile} {SignatureAscFile} {isoTorrentFile}, and lo and behold got a "BAD signature …from Endless Image Signer.

Specifically, this is what I ‘BASHed:’

Y@AMD-WIN10-UPGRD:/mnt/c/Users/Fred/Downloads$ gpg --verify --keyring=./eos-image-keyring.gpg eos-eos3.5-amd64-amd64.190212-102038.en.iso.asc eos-amd64-amd64-en-3.5.6-iso.torrent

This was the return:

gpg: Signature made Tue 12 Feb 2019 06:27:52 AM STD using RSA key ID 587A279C
gpg: BAD signature from “Endless Image Signer 1 (EIS1) maintainers@endlessm.com

Some things are worth spending time on. This is NOT one of them. Time to move on. Bye Bye Endless, unless you can direct me to a clean ISO.


A local computer buddy pointed me the right direction: the signatureFile is compared to the ISO not the TORRENT file, which I incorrectly was doing.

In general,

gpg --verify --keyring {gpgFile} {SignatureAscFile} {isoFile}

So my entries:

$ gpg --list-keys --keyring=./eos-image-keyring.gpg ./eos-image-keyring.gpg


pub 4096R/587A279C 2014-11-04 [expires: 2024-11-01] uid Endless Image Signer 1 (EIS1) sub 4096R/FDCB56F4 2014-11-04 [expires: 2024-11-01]

And finally:

$ gpg --verify --keyring=./eos-image-keyring.gpg eos-eos3.5-amd64-amd64.190212-102038.en.iso.asc eos-eos3.5-amd64-amd64.190212-102038.en.iso


gpg: Signature made Tue 12 Feb 2019 06:27:52 AM STD using RSA key ID 587A279C
gpg: Good signature from "Endless Image Signer 1 (EIS1) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: CB50 0F7B C923 3FAD 32B4 E720 9E0C 1250 587A 279C 

I don’t even want to know “This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner” means.

I am half-way there and now on to VirtualBox install.


Glad you were able to solve the problem. Evidently, we need to improve the instructions on that FAQ article!

May I ask how you downloaded the image the first time around, if not via BitTorrent? I ask because BitTorrent includes its own integrity checking, so if a (decent) BitTorrent client thinks the download has completed successfully, there’s quite a high chance that the file is valid.

This is normal, and is a consequence of using --keyring rather than performing a multiple-step dance where you:

a. import the GPG key into your GPG keyring
b. tell GPG that you trust the key
c. verify the image without --keyring

The important line is:

gpg: Good signature from “Endless Image Signer 1 (EIS1)”

ISSUE SOLVED! I have Endless now running in a Virtual Box.

I do NOT know what happened on the first try and why it didn’t work, but Windows 10 Firewall did complain about uTorrent/BitTorrent and warned some ‘features’ would be curtailed. I recall that the first ISO.TORRENT downloaded rather quickly as opposed to the 2nd try which took a couple of DAAYS!

We are in agreement that you need a clearer FAQ on the ISO download and that: “gpg: Good signature from ‘Endless Image Signer …’” is what we want! :grinning:

I like a challenge: the ISO download via the Torrent, PGP signature file, the verification process ====> ALL UNNECESSARY!. All I was looking for was a simple ‘hash.’ The PGP really threw me off.

I consider myself an above average computer user, but a Linux dunce.

The following might be helpful to others:

It turns out the Full ISO version starts off prompting for creating a Live USB Stick or ‘Reformatting’ my virtual drive in VirtualBox (Why on earth would one want yet another layer of a Live USB in VirtualBox???). I, of course, opted for the latter, reformatting of my virtual harddrive.

My purpose in trying Endless is that I want to see the 100 ready-made ‘educational content’ ‘Flatpak’ package and just how ‘Sandboxing’ is employed in Endless and Linux, in general.

This is my second visit to BASH for Windows, but my first successful usage. From what I gathered BASH for Windows doesn’t fully behave like a true Linux version and the Windows version is hard to edit.