Failed to Verify GPG key of official .ISO image in Windows 10

Hi, I’m new to Linux so sorry if this has been asked before but I couldn’t find an answer in the existing topics or the topics had already been closed so I couldn’t continue in those threads.

I’ve downloaded both these files from Manjaro - Gnome
manjaro-gnome-21.2.5-220314-linux515.iso
manjaro-gnome-21.2.5-220314-linux515.iso.sig

I’ve managed to compare the SHA1 and it matches using…
certutil -hashfile manjaro-gnome-21.2.5-220314-linux515.iso SHA1

The download page also suggests checking the GPG signature and not to proceed if it fails. Now this is where I’m getting errors, so I’m not sure if I should go ahead and burn the ISO if it’s not a genuine file.

I downloaded a Windows application called gpg4win-4.0.0.exe to check this GPG signature but it comes back with an error message.

Verified ‘manjaro-gnome-21.2.5-220314-linux515.iso’ with ‘manjaro-gnome-21.2.5-220314-linux515.iso.sig’
The certificate could not be certified. Error: 1
Signature created on 14 March 2022 10:22:19
With unavailable certificate:
ID: 0x3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
You can search the certificate on a keyserver or import it from a file.
gpg: Signature made 14/03/2022 10:22:19 GMT Standard Time
gpg: using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Can’t check signature: No public key

So I can’t verify if the ISO image is from the Manjaro Developers. Do I proceed with the installation as the SHA1 matches even though I can’t verify the GPG key? The download pages suggest not going any further if it fails this check.

Thanks for any help you can give.

KMac1

gpg works differently than you might think

the output says that the file IS verified using that signature
which has a certificate
which you:
… don’t have
… need to trust once you have it
Whether or not you do that (trusting it) is your decision.

Thanks, but I’m still confused about whether this has passed or not.

I’ve just downloaded a different .sig file
manjaro-gnome-21.2.5-minimal-220314-linux510.iso.sig and renamed it to match the original ISO file and re-ran the file check.

Now that comes up with exactly the same message. I was expecting a different error message since the .sig file was for a different ISO. The only difference I can see is the signature date, as it now says.

Signature created on 14 March 2022 10:12:45 instead of at 10:22:19.

But for both .sig files it says…
Verified ‘manjaro-gnome-21.2.5-220314-linux515.iso’ with ‘manjaro-gnome-21.2.5-220314-linux515.iso.sig’

There’s also this line where it says it can’t check the signature.
gpg: Can’t check signature: No public key

What public key is it looking for? I assumed that everything it needed to verify the ISO would be inside the .sig file I downloaded. Is that not the case?

So this here was incorrect:

Have a look at this:

How-to verify GPG key of official .ISO images - Manjaro

especially the second to last sentence below #4

or this post

or find other explanations
I googled “gpg verify manjaro image”.

Thanks, I’ve managed to get a bit further. Even though it’s written for Linux, the command prompt on Windows did respond to…

gpg --keyserver keyserver.ubuntu.com --search-keys Manjaro Build Server

It gave me 3 choices so I just went for option 1 - Manjaro Build Server build@majaro.org

It seems to have worked as it came back with
gpg: Total number processed: 1
gpg: imported: 1

Then running the command:
gpg --verify manjaro-gnome-21.2.5-220314-linux515.iso.sig manjaro-gnome-21.2.5-220314-linux515.iso

It responded with:
gpg: Good signature from "Manjaro Build Server build@manjaro.com [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

The GUI program also works with an almost identical message but it no longer has the error message “gpg: Can’t check signature: No public key”, so I guess it now has the missing key.
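As an added example (not from this thread or from Manjaro's own tooling): the verify step above, scripted so the "[unknown]" trust warning does not have to be judged by eye. It pins the signing-key fingerprint gpg printed earlier in the thread and reads gpg's machine-readable `--status-fd` lines instead of the human text; the function and variable names are assumptions.

```python
import subprocess
from dataclasses import dataclass

# Fingerprint gpg reported for this thread's ISO signature (value from the page).
EXPECTED_FPR = "3B794DE6D4320FCE594F4171279E7CF5D8D56EC8"


@dataclass
class Verdict:
    ok: bool
    reason: str


def evaluate_status(status_lines, expected_fpr):
    """Decide from gpg --status-fd output whether a detached signature is
    good AND was made by the pinned key. TRUST_UNDEFINED (the '[unknown]'
    warning) is irrelevant once the fingerprint is checked explicitly."""
    valid_fprs = []
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "NO_PUBKEY":
            # Same situation as the 'Can't check signature' error: nothing was verified.
            return Verdict(False, f"signing key {fields[2]} not in keyring; import it first")
        if tag == "BADSIG":
            return Verdict(False, "signature does not match the file (corrupt or tampered)")
        if tag == "VALIDSIG":
            # fields[2] is the signing (sub)key fingerprint; fields[11], when
            # present, is the primary key fingerprint if a subkey signed.
            valid_fprs.append(fields[2].upper())
            if len(fields) >= 12:
                valid_fprs.append(fields[11].upper())
    if not valid_fprs:
        return Verdict(False, "no VALIDSIG line: gpg did not validate the signature")
    if expected_fpr.upper() not in valid_fprs:
        return Verdict(False, f"good signature, but from unexpected key {valid_fprs[0]}")
    return Verdict(True, "good signature from the pinned key")


def verify_iso(iso_path, sig_path, expected_fpr=EXPECTED_FPR):
    """Run gpg on the detached .sig and feed its status lines to evaluate_status."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, iso_path],
        capture_output=True, text=True,
    )
    return evaluate_status(proc.stdout.splitlines(), expected_fpr)
```

Only `evaluate_status` is pure; `verify_iso` needs gpg on PATH and the key already imported, exactly as in the thread.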

I don’t know what GUI you’re using but the gpg command worked and you have verified that the key you received from the keyserver generated the sig file which is the signature for the iso.

All is good.


The program has installed itself as Kleopatra but the installation came from gpg4win-4.0.0.exe

Thanks for confirming this. I will go ahead with burning the ISO to a USB stick and start some testing.