Gpg for checking the iso file with manjaro KDE

Guys, I was trying to check my iso file with manjaro KDE for errors by using gpg file and I started doing things that were shown in this topic SHA256/512 sums for ISO images - Feature Request - Manjaro Linux Forum
(If you scroll down you will see the explanation on how to use it to check the iso file)

I stopped on the part, where I need to type number to choose the fingerprint and it was like
(Smb’s name) : processed
(The same name) : unchanged
And the list of fingerprints continued to 10-19

I thought it was okay and tried another command to finally check the iso file and it was the same thing as before: No public key

And, in this topic was written to find some information about the fingerprints so I did and found some websites related to that email (I searched for information about some email that was in the name of fingerprint)

The name of the person was Fernando Azenha.

And then, I believe that it’s a coincidence, the “Disks And Devices” from the panel had opened.
I very afraid of everything, especially losing my personal information and someone having control over my computer, so I thought that it was someone doing this and I got scared.

Mb it seems sooo stupid, but now I want to format all the drives on my computer and check it by the bootable usb drive with antivirus on it.

Guys, I’m new to Linux, I hope you will understand anything from this post and hope you will help me! Thanks!
(I’m not a native in English, sorry for the grammar)

Provide the output of gpg --verify <filename_of_iso.sig>

Deep breath…in…out…in…out.

You should be fine. You probably fat-fingered a command or mouse button.

It’s the output (There also I provided the next steps I did. When it asked me for the number of fingerprint I typed “1” and there it is):

[frowyy@LenovoV510-15IKB Downloads]$ gpg --verify manjaro-kde-20.2.1-210103-linux59.iso.sig
gpg: assuming signed data in ‘manjaro-kde-20.2.1-210103-linux59.iso’
gpg: Signature made Жк 03 Қаң 2021 16:28:41 +06
gpg: using RSA key E4CDFE50A2DA85D58C8A8C70CAA6A59611C7F07E
gpg: issuer “philm@manjaro.org”
gpg: Can’t check signature: No public key
[frowyy@LenovoV510-15IKB Downloads]$ gpg --search-keys FINGERPRINT
gpg: data source: https://hkps.pool.sks-keyservers.net:443
(1) Fernando Azenha fazenha@fingerprint.com.br
3072 bit RSA key AED5AD4E48DF3F80, created: 2021-02-09, expires: 2023-02-09
(2) LD: R::000001, IID: 001 (Please check fingerprint before any confi
3072 bit RSA key 00923830739B36AF, created: 2021-01-22
(3) Zachary Goldstein (Lab #2 fingerprint key) zgoldste@syr.edu
2048 bit RSA key E693BADF6F0104F7, created: 2020-10-07
(4) Only use for OnionDotLiveFORT (Deutschland im Untergrund Admin phantas
4096 bit RSA key 205407D4D7EABFB1, created: 2020-07-28
(5) Jari Rantala (Replaces key with fingerprint D48A FCD9 FAC3 EB33 2C93 F
4096 bit RSA key EA73561734CAD995, created: 2019-12-06, expires: 2021-12-06
(6) Michael Scherz (Fingerprint) michael.scherz@metys-pharma.ch
4096 bit RSA key 58FAA3C33E5B4D54, created: 2019-10-27, expires: 2023-10-27
(7) Michael Scherz (Fingerprint) michael.scherz@metys-pharma.ch
4096 bit RSA key 39E3B661547972ED, created: 2019-10-27, expires: 2023-10-27
(8) Tomas Sekanina (gpgp fingerprint) tomas.sekanina@firma.seznam.cz
256 bit EDDSA key CFC8850A35CFD4C0, created: 2019-07-03
(9) Dariusz Piszczatowski dariuszp@dap-equity.net
Dariusz Piszczatowski (verify fingerprint at +48601252158) <dariuszp@d
256 bit EDDSA key B9D64F61E6EDB487, created: 2019-06-11
(10) Tornode 5p33dy (Fingerprint Tornode A295E0A4F175DD545676911A8B74C73740
256 bit EDDSA key CF43EDE1CF758D12, created: 2019-05-26
Keys 1-10 of 169 for “FINGERPRINT”. Enter number(s), N)ext, or Q)uit > 1
gpg: key AED5AD4E48DF3F80: “Fernando Azenha fazenha@fingerprint.com.br” not changed
gpg: Total number processed: 1
gpg: unchanged: 1
(11) Georgiy Treyvus makesourcenotcode@gmail.com
Georgiy Treyvus (UID for me as a person not tied to any particular ema
8192 bit RSA key D46D6FAADC4DBC25, created: 2019-03-06, expires: 2021-07-30
(12) Romain Yermolov romain@yermolov.eu
Romain Yermolov (Second ID) romain@yermolov.eu
Romain Yermolov (Main ID) romain.yermolov@gmail.com
NEW KEY ID 5D8210136AB504CDFA68CEF0849F30516DC3F62E (https://keys.open
4096 bit RSA key 2E93804CED7F1232, created: 2019-02-10, expires: 2024-05-21 (revoked)
(13) Steven (Key maybe fake! Don’t forget to check fingerprint with me!) <n
4096 bit RSA key 78642419B6752C00, created: 2019-01-28
(14) StevenTang’s GPG Key (Don’t forget to check fingerprint with me!)
4096 bit RSA key EBCC13AD163E5BDA, created: 2019-01-28 (revoked)
(15) Tornode 5p33dy (Fingerprint Tornode: ED2F9ADDDB86BB41A96D2C0C877D05A27
2048 bit RSA key E21F1A71FF42BC25, created: 2019-01-04
(16) pellacanisimone2017@gmail.com (impronta digitale personanale fingerpri
4096 bit RSA key 92DF0BBE84E41624, created: 2018-11-29
(17) amministrazione@infrastruttureinformatiche.it (Impronta digitale perso
4096 bit RSA key 2C8612B825815F21, created: 2018-11-29, expires: 2018-11-29 (expired)
(18) morarity (gpg fingerprint) morarity2010@gmail.com
2048 bit RSA key A73E3063392E444E, created: 2018-09-17
Keys 11-18 of 169 for “FINGERPRINT”. Enter number(s), N)ext, or Q)uit >

You reassured me, thank you for the reply!
But what do you mean by “fat-fingered a command or mouse button”?
(edit: I searched for the meaning of “to fat-finger” and I got you, but I don’t think if I could somehow do it at that moment).

Btw right now was the same thing with “Disks and Devices” on the panel like it was before. It just opened up and closed by itself. Mb it’s because I have an unmounted usb and it wants me to do smth with it?

edit2: I understood one thing. Instead of “Fingerprint” I should have typed the key that I’ve got after the “gpg --verify manjaro-kde-20.2.1-210103-linux59.iso.sig” command:

[frowyy@LenovoV510-15IKB Downloads]$ gpg --search-keys E4CDFE50A2DA85D58C8A8C70CAA6A59611C7F07E
gpg: data source: https://hkps.pool.sks-keyservers.net:443
(1) Philip Müller (Called Little) philm@manjaro.org
2048 bit RSA key CAA6A59611C7F07E, created: 2012-05-05
Keys 1-1 of 1 for “E4CDFE50A2DA85D58C8A8C70CAA6A59611C7F07E”. Enter number(s), N)ext, or Q)uit > 1
gpg: key CAA6A59611C7F07E: public key “Philip Müller (Called Little) philm@manjaro.org” imported
gpg: Total number processed: 1
gpg: imported: 1
[frowyy@LenovoV510-15IKB Downloads]$ ls
manjaro-kde-20.2.1-210103-linux59.iso
manjaro-kde-20.2.1-210103-linux59.iso.sig
[frowyy@LenovoV510-15IKB Downloads]$ gpg --verify manjaro-kde-20.2.1-210103-linux59.iso.sig
gpg: assuming signed data in ‘manjaro-kde-20.2.1-210103-linux59.iso’
gpg: Signature made Жк 03 Қаң 2021 16:28:41 +06
gpg: using RSA key E4CDFE50A2DA85D58C8A8C70CAA6A59611C7F07E
gpg: issuer “philm@manjaro.org”
gpg: Good signature from “Philip Müller (Called Little) philm@manjaro.org” [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E4CD FE50 A2DA 85D5 8C8A 8C70 CAA6 A596 11C7 F07E

(Is it fine that I’ve sent all these codes and fingerprints there in open access?)

When you copy/paste output from a terminal, surround the pasted text with 3 backticks:

```
your text
```

Which would look like this:

your text

The output of your command

is correct; it was looking for any ID with fingerprint.

I can’t help you with the Disks and Devices. You should open up a new thread for that, especially if your original question is answered.

Good luck.

Okay, I got it, thanks!

So there is no need to worry, right? The fact that I kind of verified the other unknown key won’t affect my computer, account? Stupid question but I have to ask, because I saw this How-to verify GPG key of official .ISO images - Manjaro page and there it goes: “3.2 If you do not trust GitHub, import Philip Müller’s GPG key to your system”. So, there may be a possibility of something going wrong with it? Mb this key don’t have such a connection with GitHub but I curious about what can happen if this key is untrusted. (The key I’m talking about is the Fernando Azenha’s one, that I chose when I typed “FINGERPRINT” in the command)

Still kind of scared of being hacked and someone having my account, but you have helped me a lot! I really appreciate it!

And yeah, there is nothing wrong that I have sent all these codes here in open access?

That’s talking about obtaining PM’s key from the github server.

If you imported Fernando Azenha’s public key by mistake…then it’s easy to fix:

gpg --delete-keys Fernando Azenha

Nope, nothing wrong. Other than the snoopers know you’ve requested/downloaded gpg keys.

[frowyy@LenovoV510-15IKB Downloads]$ gpg --delete-keys Fernando Azenha
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa3072/AED5AD4E48DF3F80 2021-02-09 Fernando Azenha <fazenha@fingerprint.com.br>

Delete this key from the keyring? (y/N) y
gpg: key "Azenha" not found: Not found
gpg: Azenha: delete key failed: Not found
[frowyy@LenovoV510-15IKB Downloads]$ 

It means that I didn’t even have this key? When I tried to add it Terminal said that this key was processed, but unchanged:

But when I tried to add PM’s key everything went alright

What’s the reason, in your opinion?
Sorry, too many quesions

Had a brain dump.

Delete using the fingerprint.

gpg --delete-keys AED5AD4E48DF3F80

I tried it too but the result is the same. I’m going to reinstall my OS so it will be deleted anyway.

Thanks for your help! I’m glad that there is people out there who can help! Best of luck!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.