How to verify GPG key of community .ISO image?

,

I have seen the article: How-to verify GPG key of official .ISO images - Manjaro. However, that method doesn’t work for the i3wm version, at least. How can I verify the i3 minimal ISO image?

$ gpg --keyserver hkp://pool.sks-keyservers.net --search-keys 11C7F07E
gpg: data source: http://86.105.108.212:11371
(1)	Philip Müller (Called Little) <philm@manjaro.org>
	  2048 bit RSA key CAA6A59611C7F07E, created: 2012-05-05
Keys 1-1 of 1 for "11C7F07E".  Enter number(s), N)ext, or Q)uit > 1
gpg: key CAA6A59611C7F07E: public key "Philip Müller (Called Little) <philm@manjaro.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --verify latest-minimal.sig manjaro-i3-20.2-minimal-201209-linux59.iso 
gpg: Signature made 2020-12-09T22:40:10 CET
gpg:                using RSA key 39F0EC1AE50B37E5F3196F09DAD3B211663CA268
gpg: Can't check signature: No public key

This is probably happening because you didn’t complete step “3.1 Download all keys from the Manjaro Developers from GitHub” from the linked Manjaro Wiki page.
Because in this case you would have imported Bernhard Landauer’s key, who is the maintainer of the i3 edition and the person who build and signed the i3 minimal ISO (it wasn’t signed by Philip Müller).

So, you either have to import all Manjaro Developers keys from GitHub (see step 3.1 in the Wiki page), or import Bernhard Landauer’s key separately

gpg --keyserver hkp://pool.sks-keyservers.net --search-keys DAD3B211663CA268

and compare it to the one used to sign the ISO.

1 Like

Thanks a lot. That did the trick!

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.