Downloaded .iso (Manjaro installer) to check for its integrity. GPG, developers, public, keys,

Dyrr · 7 February 2021 22:10

Hi,
Myself seriously considers to start Manjaro use. I’m happy to had found this distro.
Installer .iso has been downloaded, also signature file.
How to find public yet valid keys of developers for use in that check?
There exists one wiki referring to Philip Müller, his public key of some hash.
However there are still open questions.
How to see public key presented in wiki I mean is Philip’s valid key?
Where to find keys of other developers - as wiki means key of any developer can be used?

References:
wiki: How-to verify GPG key of official .ISO images

Yochanan · 7 February 2021 23:36

I just updated the link in the wiki to the current manjaro.gpg file. Now you’ll be able to verify the ISO with up to date keys.

Dyrr · 8 February 2021 10:40

Thanks for message from you.
I am not sure how it resolves my questions:
How to find public yet valid keys of developers for use in that check?
How to see public key presented in wiki I mean is Philip’s valid key?
Where to find keys of other developers - as wiki means key of any developer can be used?

According to wiki public key of any developer can be used.
Myself grabbed for signature file at Manjaro GNOME download web page.

Yochanan · 8 February 2021 21:07

They’re now in your public keyring. You can list them like this:

gpg --list-keys

You can also install seahorse if you want a GUI.

❯ gpg --list-keys 11C7F07E
pub   rsa2048 2012-05-05 [SC]
      E4CD FE50 A2DA 85D5 8C8A  8C70 CAA6 A596 11C7 F07E
uid           [ unknown] Philip Müller (Called Little) <philm@manjaro.org>
sub   rsa2048 2012-05-05 [E]

You can see them in your keyring or search by name or key:

gpg --search-keys "Philip Müller"

Dyrr · 17 February 2021 22:21

Thanks for your kind efforts.

Isn’t it coincidentally checking some local storage? Will desired public keys be populated to storage addressed on default?
Same questions regarding next feedback. Also, following applies: you kindly propose use one single source. It wasn’t shown how to verify the only used source provides with true and valid data? Some additional yet trustful reference source is needed to verify.

Yochanan · 18 February 2021 01:52

Please see GPG documentation and man gpg for more info.

Dyrr · 21 March 2021 23:02

Does this mean GPG is set to appropriate external keys servers on default ? I doubt Philips public key is loaded to local keyring on default.

Yochanan · 21 March 2021 23:07

No, it’s already in Pacman’s keyring from manjaro-keyring.

Dyrr · 28 March 2021 13:16

This thread starts following way:

What have all guys going to start to use Manjaro in common?
Yes, they have no Manjaro.
They can’t use Manjaro to check downloaded iso to be authentic.
Wiki still helps however not to everyone. For those in situation as addressed here it’s gappy.
Also your kind last hint.

linux-aarhus · 9 February 2022 17:50