Can't check ISO signature: No public key

fredvej · 3 March 2026 18:02

The public key for “Manjaro Build Server build@manjaro.org” is not in manjaro-keyring. I thought that I could verify the downloaded iso-file with the .sig file, but this happened:

$ gpg --verify manjaro-kde-26.0.3-minimal-260228-linux618.iso.sig
gpg: assuming signed data in 'manjaro-kde-26.0.3-minimal-260228-linux618.iso'
gpg: Signature made lør 28 feb 2026 03:45:07 CET
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Can't check signature: No public key

$ gpg --receive-keys 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: key 279E7CF5D8D56EC8: public key "Manjaro Build Server <build@manjaro.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --verify manjaro-kde-26.0.3-minimal-260228-linux618.iso.sig
gpg: assuming signed data in 'manjaro-kde-26.0.3-minimal-260228-linux618.iso'
gpg: Signature made lør 28 feb 2026 03:45:07 CET
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3B79 4DE6 D432 0FCE 594F  4171 279E 7CF5 D8D5 6EC8

Yochanan · 3 March 2026 19:31

The Manjaro Build Server key is indeed in the keyring.

Please see How-to verify GPG key of official .ISO images - Manjaro

Note that I’ve edited your topic title to reflect the actual problem.

linux-aarhus · 4 March 2026 06:43

To verify an ISO using a key in the manjaro-keyring.

pacman-key --verify manjaro-kde-26.0.3-minimal-260228-linux618.iso.sig

Example from my system

 $ pacman-key --verify manjaro-xfce-26.0.2-minimal-260206-linux618.iso.sig
==> Checking manjaro-xfce-26.0.2-minimal-260206-linux618.iso.sig... (detached)
gpg: Signature made fre 06 feb 2026 12:07:05 CET
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Note: trustdb not writable
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [full]

Takakage · 4 March 2026 07:22

Just to be explicitly clear, you have both a personal user keyring and a keyring that pacman uses. By default, gpg --verify uses your personal keyring.

notageek · 4 March 2026 14:54

How come? For me if I try to download kde minimal I still get 26.0.2…

linux-aarhus · 4 March 2026 15:34

[Stable Update] 2026-02-23 - Kernels, Mesa, Wine, Cosmic, GNOME, KDE Frameworks - #69 by terashy88

system · 7 March 2026 15:35

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.