Manjaro-kde-21.0.7-210614-linux510 gpg and sha1 verification gives Bad Signature


Hi,

I had downloaded the current manjaro-kde-21.0.7-210614-linux510.iso file. I tried to verify it with sha1 and the codes do not match.

742707d04a9e6297f3d174d3ea0c62e7ad4b39aa manjaro-kde-21.0.7-210614-linux510.iso

The sha1 from website is SHA1: 43f0f573d6c5d089cd280b622f228d1ea2933cf8

Also I tried the gpg verification with the given signature, which gives me the following bad signature error:

$ gpg --verify manjaro-kde-21.0.7-210614-linux510.iso.sig
gpg: assuming signed data in 'manjaro-kde-21.0.7-210614-linux510.iso'
gpg: Signature made Monday 14 June 2021 09:04:23 PM IST
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: BAD signature from "Manjaro Build Server <build@manjaro.org>" [unknown]

I am on gnome and wanted to check out KDE with a fresh install. Now I am not sure if I can trust the iso. Is it just that the signatures are not updated as stated in some other threads, or is this a serious security flaw?

Could be a failed download.

Try downloading it again.

It was a failed copy. I had ejected the drive when it showed 100% on my phone. I verified it now, and it matches. Sorry that I got a bit paranoid. I was worried that I'd have to wait a few more days to download it over my mobile network fully. Thanks for the quick reply, btw!

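The order of checks used in this thread, as an added example that is not part of the original posts: compare the file's SHA1 with the published value first, and run `gpg --verify` only once the checksum matches, so that a truncated copy or download is reported as such rather than as a bad signature. The function names `check_sha1` and `verify_iso` are hypothetical; the file name and hash in the usage comment are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Usage: sh verify.sh manjaro-kde-21.0.7-210614-linux510.iso \
#            43f0f573d6c5d089cd280b622f228d1ea2933cf8

# check_sha1 FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be read.
check_sha1() {
    file=$1
    # Published hashes are sometimes upper case; compare in lower case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(sha1sum < "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# verify_iso ISO EXPECTED_SHA1 [SIG]
# Returns 0 if every check that ran passed, 1 on checksum mismatch,
# 3 if gpg rejects the signature.
verify_iso() {
    iso=$1
    sig=${3:-$1.sig}
    check_sha1 "$iso" "$2" || {
        # The local bytes differ from the published image: copy or
        # download the file again before judging the signature.
        echo "checksum mismatch: re-copy or re-download $iso" >&2
        return 1
    }
    if [ -f "$sig" ]; then
        # Assumes the signing key is already in the local keyring.
        gpg --verify "$sig" "$iso" || return 3
    else
        echo "no signature file at $sig, checksum only" >&2
    fi
}

# Run only when called with arguments, so the file can also be sourced.
if [ "$#" -ge 2 ]; then
    verify_iso "$@"
fi
```

Run it against the file at its final location (after the copy has finished and the drive has been safely unmounted and reattached), since that is the copy that will actually be installed.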