I have downloaded the manjaro-xfce-21.0.2-210419-linux510.iso file from Manjaro - XFCE.
I am totally ignorant of the process of verification of ISO images through cheksum and signature. I have read regarding the process from the web sources but couldn’t gather much. All I know is that it is a way to verify the integrity of the ISO image that we download.
I succeeded in verifying the cheksum SHA1. The information on the wiki was adequate to do it.
However, the information provided on the wiki did not help me in verifying the signature, so I am here. I don’t know if I am doing the things right or not.
I installed GPG with,
sudo pacman -S gnupg wget
Then I downloaded the keys from the Manjaro Developers from GitHub with;
Then I imported the keys with;
gpg --import manjaro.gpg
I issued all the above commands in the user’s terminal.
Then I opened a Terminal inside the folder where I had placed the ISO image and the signature file and verified the signature of the ISO image file by issuing the command;
gpg --verify manjaro-xfce-16.06-pre2-x86_64.iso.sig
I am getting this result;
$ gpg --verify manjaro-xfce-21.0.2-210419-linux510.iso.sig
gpg: assuming signed data in ‘manjaro-xfce-21.0.2-210419-linux510.iso’
gpg: Signature made Monday 19 April 2021 02:17:28 PM IST
gpg: using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Can’t check signature: No public key
Further, there is an option in the wiki which says;
"3.2 If you do not trust GitHub, import Philip Müller’s GPG key to your system (afterwards, select the key by entering its number and pressing ENTER): ".
However, forgive my ignorance about these things and bothering you guys with it. I don’t know how to import Philip Müller’s GPG key to my system. What is the command to import it?
Since I am totally ignorant of the entire verification process, I do not even know if I have to issue all these commands in the terminal opened inside the folder where I placed the ISO image and the signature file or do I have to do it in the user’s terminal?
I would greatly appreciate if someone could throw light upon this process and help verify the signature of the ISO I have downloaded.
If you could give the necessary commands and the information regarding whether to issue them inside the user’s terminal or inside the folder where the ISO and the signature file is placed, it would be helpful to users like me who are unaware of this entire process.
Thanks & Regards