Has my ISO been verified? (GPG)

carpet · 10 August 2021 20:20

From my terminal:

mint@mint:/media/mint/HDD/Manjaro$ wget gitlab.manjaro.org/packages/core/manjaro-keyring/-/raw/master/manjaro.gpg
--2021-08-10 19:57:21--  http://gitlab.manjaro.org/packages/core/manjaro-keyring/-/raw/master/manjaro.gpg
Resolving gitlab.manjaro.org (gitlab.manjaro.org)... 195.201.101.32, 2a01:4f8:c2c:c956::1
Connecting to gitlab.manjaro.org (gitlab.manjaro.org)|195.201.101.32|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://gitlab.manjaro.org:443/packages/core/manjaro-keyring/-/raw/master/manjaro.gpg [following]
--2021-08-10 19:57:21--  https://gitlab.manjaro.org/packages/core/manjaro-keyring/-/raw/master/manjaro.gpg
Connecting to gitlab.manjaro.org (gitlab.manjaro.org)|195.201.101.32|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 179938 (176K) [text/plain]
Saving to: ‘manjaro.gpg’

manjaro.gpg         100%[===================>] 175.72K   739KB/s    in 0.2s    

2021-08-10 19:57:22 (739 KB/s) - ‘manjaro.gpg’ saved [179938/179938]

mint@mint:/media/mint/HDD/Manjaro$ gpg --import manjaro.gpg
gpg: keybox '/home/mint/.gnupg/pubring.kbx' created
gpg: key FD847358FF20E35C: 2 signatures not checked due to missing keys
gpg: /home/mint/.gnupg/trustdb.gpg: trustdb created
gpg: key FD847358FF20E35C: public key "Anupam Basak <anupam@manjaro.org>" imported
gpg: key 5BD96CC4247B52CC: 12 signatures not checked due to missing keys
gpg: key 5BD96CC4247B52CC: public key "Guillaume Benoit (Guinux) <guillaume@manjaro.org>" imported
gpg: key CAA6A59611C7F07E: 15 signatures not checked due to missing keys
gpg: key CAA6A59611C7F07E: public key "Philip Müller (Called Little) <philm@manjaro.org>" imported
gpg: key 363DFFFD59152F77: 11 signatures not checked due to missing keys
gpg: key 363DFFFD59152F77: public key "Roland Singer (Manjaro Linux) <roland@manjaro.org>" imported
gpg: key 2B80869C5C0102A6: 13 signatures not checked due to missing keys
gpg: key 2B80869C5C0102A6: public key "Rob McCathie <korrode@gmail.com>" imported
gpg: key 8934292D604F8BA2: 11 signatures not checked due to missing keys
gpg: key 8934292D604F8BA2: public key "Alexandru Ianu <alexandru@manjaro.org>" imported
gpg: key 2C089F09AC97B894: 10 signatures not checked due to missing keys
gpg: key 2C089F09AC97B894: public key "Ramon Buldó <ramon@manjaro.org>" imported
gpg: key 137C934B5DCB998E: 6 signatures not checked due to missing keys
gpg: key 137C934B5DCB998E: public key "artoo <flower_of_life@gmx.net>" imported
gpg: key 62443D89B35859F8: 6 signatures not checked due to missing keys
gpg: key 62443D89B35859F8: public key "artoo (manjaro.org) <flower_of_life@gmx.net>" imported
gpg: key DAD3B211663CA268: 24 signatures not checked due to missing keys
gpg: key DAD3B211663CA268: public key "Bernhard Landauer <oberon@manjaro.org>" imported
gpg: key 8DB9F8C18DF53602: 5 signatures not checked due to missing keys
gpg: key 8DB9F8C18DF53602: public key "Stefano Capitani <stefano@manjaro.org>" imported
gpg: key 7EC47C82A42D53A2: 4 signatures not checked due to missing keys
gpg: key 7EC47C82A42D53A2: public key "kendell clark <kendell@manjaro.org>" imported
gpg: key E3B3F44AC45EE0AA: 3 signatures not checked due to missing keys
gpg: key E3B3F44AC45EE0AA: public key "artoo-manjaro <artoo@manjaro.org>" imported
gpg: key 9C08A255442FAFF0: 2 signatures not checked due to missing keys
gpg: key 9C08A255442FAFF0: public key "Jonathon Fernyhough <jonathon@manjaro.org>" imported
gpg: key 17C752B61B2F2E90: 2 signatures not checked due to missing keys
gpg: key 17C752B61B2F2E90: public key "Frede Hundewadt <fh@manjaro.org>" imported
gpg: key 8238651DDF5E0594: 1 signature not checked due to a missing key
gpg: key 8238651DDF5E0594: public key "Matti Hyttinen <matti@manjaro.org>" imported
gpg: key 1817DC63CD3B5DF5: public key "Thanos Apostolou (manjaro maintainer) <thanos@manjaro.org>" imported
gpg: key CEE477135C5872B0: 22 signatures not checked due to missing keys
gpg: key CEE477135C5872B0: public key "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" imported
gpg: key 084A7FC0035B1D49: 11 signatures not checked due to missing keys
gpg: key 084A7FC0035B1D49: public key "Dan Johansen (Manjaro) <strit@manjaro.org>" imported
gpg: key 150C200743ED46D8: public key "Mark Wagie <mark@manjaro.org>" imported
gpg: key 279E7CF5D8D56EC8: public key "Manjaro Build Server <build@manjaro.org>" imported
gpg: key 70FBB189B338D5DF: 2 signatures not checked due to missing keys
gpg: key 70FBB189B338D5DF: public key "Manjaro-ARM Build Server <build-arm@manjaro-arm.org>" imported
gpg: key ABB2075D5F310CF8: public key "Jonas Strassel <info@jonas-strassel.de>" imported
gpg: Total number processed: 23
gpg:               imported: 23
gpg: no ultimately trusted keys found
mint@mint:/media/mint/HDD/Manjaro$ gpg --verify manjaro-ISO-image.iso.sig
gpg: can't open 'manjaro-ISO-image.iso.sig': No such file or directory
gpg: verify signatures failed: No such file or directory
mint@mint:/media/mint/HDD/Manjaro$ gpg --verify *.iso.sig
gpg: assuming signed data in 'manjaro-kde-21.0.7-210614-linux510.iso'
gpg: Signature made Mon 14 Jun 2021 03:34:23 PM UTC
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3B79 4DE6 D432 0FCE 594F  4171 279E 7CF5 D8D5 6EC8

anon59284200 · 11 August 2021 00:15

No, you need to import Manjaro’s public keys, like the error messages told you to do.

carpet · 11 August 2021 00:32

I thought this bit took care of that:

$ wget gitlab.manjaro.org/packages/core/manjaro-keyring/-/raw/master/manjaro.gpg
gpg --import manjaro.gpg

I’m looking at https://wiki.manjaro.org/index.php/How-to_verify_GPG_key_of_official_.ISO_images and I’m still not sure where I made a mistake.

I skipped gpg --keyserver keyserver.ubuntu.com --search-keys Manjaro Build Server, because it seemed optional. Is that what I missed?

anon59284200 · 11 August 2021 00:56

Try this. It’s from Arch Linux’s installation guide but should work on Manjaro.

 gpg --keyserver-options auto-key-retrieve --verify manjaro-kde-21.0.7-210614-linux510.iso.sig

carpet · 11 August 2021 03:12

Is the ISO good?

mint@mint:/media/mint/ISO/Manjaro$  gpg --keyserver-options auto-key-retrieve --verify manjaro-kde-21.0.7-210614-linux510.iso.sig
gpg: assuming signed data in 'manjaro-kde-21.0.7-210614-linux510.iso'
gpg: Signature made Mon 14 Jun 2021 03:34:23 PM UTC
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3B79 4DE6 D432 0FCE 594F  4171 279E 7CF5 D8D5 6EC8

Also, I did this again:

mint@mint:/media/mint/ISO/Manjaro$ gpg --verify *.iso.sig
gpg: assuming signed data in 'manjaro-kde-21.0.7-210614-linux510.iso'
gpg: Signature made Mon 14 Jun 2021 03:34:23 PM UTC
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3B79 4DE6 D432 0FCE 594F  4171 279E 7CF5 D8D5 6EC8

Fabby · 11 August 2021 10:02

You got:

Twice!

Anyway, if still don’t trust even that and you want to double-check, look at the sha1 of any download on Manjaro’s downloads page…

anon59284200 · 11 August 2021 18:06

Yes, that’s what the “Good signature from…” message verifies.

system · 26 August 2021 18:07

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.