Failed to Verify GPG key of official .ISO image in Windows 10

Hi, I’m new to Linux so sorry if this has been asked before but I couldn’t find an answer in the existing topics or the topics had already been closed so I couldn’t continue in those threads.

I’ve downloaded both these files from Manjaro - Gnome

I’ve managed to compare the SHA1 and it matches using…
certutil -hashfile manjaro-gnome-21.2.5-220314-linux515.iso SHA1

The download page also suggests checking the GPG signature and not to proceed if it fails. Now this is where I’m getting errors, so I’m not sure if I should go ahead and burn the ISO if it’s not a genuine file.

I downloaded a Windows application called gpg4win-4.0.0.exe to check this GPG signature but it comes back with an error message.

Verified ‘manjaro-gnome-21.2.5-220314-linux515.iso’ with ‘manjaro-gnome-21.2.5-220314-linux515.iso.sig’
The certificate could not be certified. Error: 1
Signature created on 14 March 2022 10:22:19
With unavailable certificate:
ID: 0x3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
You can search the certificate on a keyserver or import it from a file.
gpg: Signature made 14/03/2022 10:22:19 GMT Standard Time
gpg: using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Can’t check signature: No public key

So I can’t verify if the ISO image is from the Manjaro Developers. Do I proceed with the installation as the SHA1 matches even though I can’t verify the GPG key? The download pages suggest not going any further if it fails this check.

Thanks for any help you can give.


gpg works differently than you might think

the output says that the file IS verified using that signature
which has a certificate
which you:
… don’t have
… need to trust once you have it
Whether or not you do that (trusting it) is your decision.

Thanks, but I’m still confused about whether this has passed or not.

I’ve just downloaded a different .sig file
manjaro-gnome-21.2.5-minimal-220314-linux510.iso.sig and renamed it to match the original ISO file and re-ran the file check.

Now that comes up with exactly the same message. I was expecting a different error message since the .sig file was for a different ISO. The only different I can see is the signature date as it now says.

Signature created on 14 March 2022 10:12:45 instead of at 10:22:19.

But for both .sig files it says…
Verified ‘manjaro-gnome-21.2.5-220314-linux515.iso’ with ‘manjaro-gnome-21.2.5-220314-linux515.iso.sig’

There’s also this line which it says it’s can’t check the signature.
gpg: Can’t check signature: No public key

What public key is it looking for? I assumed that everything it needed to verify the ISO would be inside the .sig file I downloaded. Is that not the case?

So this here was incorrect:

Have a look at this:

How-to verify GPG key of official .ISO images - Manjaro

especially the second to last sentence below #4

or this post

or find other explanations
I googled “gpg verify manjaro image”.

Thanks I’ve managed to get a bit further. Even though it’s written for Linux the command prompt on Windows did respond to…

gpg --keyserver --search-keys Manjaro Build Server

It gave me 3 choices so I just went for option 1 - Manjaro Build Server

It seems to have worked as it came back with
gpg: Total number processed: 1
gpg: imported: 1

Then running the command:
gpg --verify manjaro-gnome-21.2.5-220314-linux515.iso.sig manjaro-gnome-21.2.5-220314-linux515.iso

It responded with:
gpg: Good signature from "Manjaro Build Server [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

The GUI program also works with an almost identical message but it no longer has the error message “gpg: Can’t check signature: No public key”, so I guess it now has the missing key.

I don’t know what GUI you’re using but the gpg command worked and you have verified that the key you received from the keyserver generated the sig file which is the signature for the iso.

All is good.

1 Like

The program has installed itself as Kleopatra but the installation came from gpg4win-4.0.0.exe

Thanks for confirming this. I will go ahead with burning the ISO to a USB stick and start some testing.