Hi unixoid,
Your core question about validating imported public keys is a deep security topic, and it’s a really good question that not many people realize.
Your core question is a security topic of Proof of Identity and this is closely related to the security topic of Authenticity.
What you’re doing by verifying the ISO with GPG key manjaro.gpg from the Manjaro gitlab is the concept of Authenticity.
How you make sure that manjaro.gpg is really the public key from Manjaro (not tampered with during your download, or simply a fake public key) is the concept of Proof of Identity.
In the simplest explanation, you can achieve Proof of Identity by:
- Having a trustworthy entity that has its own signature verifying public key securely transferred (to be specific, not tampered with) to many computers.
- Ask that entity to sign your public key (in this case, your public key is a signature verifying public key) with the entity signature signing private key.
- The trustworthy entity checks your identity in real life, whether you are who you’re claiming to be (like checking your national identity card, etc.).
- You upload your signed public key along with the computed signature to some server.
- Other people download your signed public key with the signature.
- Other people make sure your public key is really from you and hasn’t been tampered with in the download process by verifying the signature of your public key with the entity signature verifying public key that has been securely transferred beforehand.
In modern computer systems, Proof of Identity is implemented as Public Key Infrastructure (PKI); the public key in PKI is in the form of a Certificate. A Certificate is a public key along with the user information and the trustworthy entity (who signs the public key) information.
The trustworthy entity is called Certificate Authority (CA) and the trustworthy entity certificate (signature verifying public key) is called Certificate Authority (CA) Certificate.
Your certificate (your public key) is signed by the CA’s signature signing private key.
In Windows and GNU/Linux, these CA certificates are already there during the OS installation, whether you install from live-CD/USB or the OS is already there when you buy from an OEM. Windows and GNU/Linux are responsible for ensuring the CA certificates are transferred securely (to be specific, not tampered with) to the OS.
Web browser TLS protocol uses PKI to satisfy Proof of Identity of a target server.
Another Proof of Identity implementation is Web of Trust.
This is what GPG is based on.
In Web of Trust, the trusted entity can be any person and it’s up to you which persons you want to trust.
And anyone can ask anyone to sign their public key. It’s up to the signer how they validate your identity (e.g. by asking for your national identity card, etc.); whether you’re really who you’re claiming to be.
In reality, Web of Trust is kind of hard to implement; since the trusted entity is relative to anyone, this raises a question of how to securely transfer the trusted entity signature verifying public key to your computer.
Web of Trust isn’t popular as far as I know and it’s only there in PGP.
So in your case, the verification message:
“Files cannot be checked. Signature created on … with certificate Manjaro Build Server …. You can search for certificate on keyserver …”
means that gpg4win cannot verify the signature provided along with the manjaro.gpg; gpg4win cannot find the entity’s public key you trust.
Remember that gpg4win is a system of Web of Trust, not PKI.
I don’t remember how to perform these kinds of Proof of Identity settings in GPG. In most of everyday life, I use a PKI system, like OpenSSL.
In general, you can just verify the Manjaro ISO with the manjaro.gpg without ever needing to verify the signature provided along with the manjaro.gpg. This is because when you download manjaro.gpg, you already use the Transport Layer Security (TLS) protocol to download, and TLS already provides Proof of Identity (assuming it’s the Manjaro admin who uploads the correct manjaro.gpg key and not somebody else). The Proof of Identity from TLS has something to do with the web page you’re trying to connect to and it has nothing to do with the downloaded gpg key; the web browser verifies the validity of the server you’re trying to connect to by CA certificates. But you can somewhat infer, with moderate confidence, that since the web page really comes from GitLab and Manjaro handles the key, the key is really from Manjaro and hasn’t been tampered with when you’re downloading it (TLS 1.2 - 1.3 provides confidentiality, authenticity, integrity, and proof of identity).
Overall this is only an oversimplified explanation of TLS, Authenticity, Proof of Identity, Certificate, PKI, and Web of Trust. The topic itself is very big, and from my experience, not something you can easily learn from the internet (Wikipedia is the best so far for this topic). From my experience, this is something to be learnt from scattered textbooks and the daily work of a security professional.
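Added example, not from the post above: a Go stand-in for the two-step chain the post describes (a pre-installed trust anchor signs the publisher's key; the downloader checks that signature before using the key on the ISO). It uses Ed25519 from the Go standard library instead of GPG/RSA, and the anchor, the "Example Build Server" name and the ISO bytes are all constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedKey is a minimal stand-in for a certificate: the publisher's
// verifying key plus the trust anchor's signature over (subject || key).
type SignedKey struct {
	Subject string
	Key     ed25519.PublicKey
	Sig     []byte // made with the anchor's signing (private) key
}

func certBytes(subject string, key ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), key...)
}

// IssueSignedKey is the trust anchor's step: sign the publisher's public key.
func IssueSignedKey(anchorPriv ed25519.PrivateKey, subject string, key ed25519.PublicKey) SignedKey {
	return SignedKey{subject, key, ed25519.Sign(anchorPriv, certBytes(subject, key))}
}

// VerifyArtifact is the downloader's side: prove the identity of the publisher
// key with the pre-installed anchor first, then check the artifact signature.
func VerifyArtifact(anchorPub ed25519.PublicKey, sk SignedKey, artifact, sig []byte) (bool, string) {
	if !ed25519.Verify(anchorPub, certBytes(sk.Subject, sk.Key), sk.Sig) {
		return false, "publisher key not signed by a trusted anchor"
	}
	digest := sha256.Sum256(artifact)
	if !ed25519.Verify(sk.Key, digest[:], sig) {
		return false, "artifact signature does not match"
	}
	return true, "ok"
}

func main() {
	anchorPub, anchorPriv, _ := ed25519.GenerateKey(rand.Reader) // trust anchor (the "CA")
	pubPub, pubPriv, _ := ed25519.GenerateKey(rand.Reader)       // publisher, e.g. a build server
	signed := IssueSignedKey(anchorPriv, "Example Build Server", pubPub)
	iso := []byte("constructed stand-in for the ISO bytes")
	d := sha256.Sum256(iso)
	isoSig := ed25519.Sign(pubPriv, d[:])
	fmt.Println(VerifyArtifact(anchorPub, signed, iso, isoSig)) // true ok
	otherAnchor, _, _ := ed25519.GenerateKey(rand.Reader) // an anchor you never installed
	fmt.Println(VerifyArtifact(otherAnchor, signed, iso, isoSig)) // false: identity step fails
}
```

The second call is the situation in the post: the ISO signature itself may be fine, but without a trusted key that signed the publisher's key the check stops at the identity step.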