Mini guide to verify ISO signature
Signature explainer
A detached signature is a small file produced with the signer's private key over the contents of the ISO. Checking it against the matching public key proves two things: the ISO was signed by the holder of that key, and it has not been altered since.
What has to be present beforehand is the signer's public key, not the signature. gpg --verify only fetches a missing key on its own if auto-key-retrieve is configured; if it reports "No public key", fetch the Manjaro build key by its fingerprint:
gpg --recv-keys 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
The result of signature verification is either Good or BAD (or an error, if the public key is not available).
Verification
To verify the origin of a Manjaro ISO, download the ISO and its .sig file and place the two files next to each other.
Then verify the signature against the file; gpg assumes the signed data is in the file with the same name minus the .sig suffix:
gpg --verify <filename.sig>
An ORIGINAL Manjaro ISO is signed by "Manjaro Build Server <build@manjaro.org>", so let us check whether that is true. The emphasis on ORIGINAL is because neither the filename nor the content by itself shows that an ISO originates from Manjaro.
Let me emphasize - spins are ok - it is fantastic that users make those spins, and their work is greatly appreciated by the community.
Anyone is free to make a Manjaro ISO and publish it on the internet - just look at the Contributions folder, Spins and SbK Spins.
So if you want to be sure where the ISO is from, use the signature to verify that it is a genuine Manjaro ISO. If in doubt, don't use it, or ask in the forum.
How To verify
The following illustrates the result of downloading and verifying the current cinnamon ISO at the time of writing, 2023-08-21T22:00:00Z.
Prepare
Open a terminal, create a temporary folder and navigate into it
mkdir ~/temp
cd ~/temp
The guide also shows how verification reveals that an ISO has been altered, by checking a signature against an ISO it does not belong to.
The output was sampled from my system when I wrote this comment elsewhere.
step 1 - fetch ISO
wget https://download.manjaro.org/cinnamon/22.0/manjaro-cinnamon-22.0-230104-linux61.iso
--2023-08-22 07:43:58-- https://download.manjaro.org/cinnamon/22.0/manjaro-cinnamon-22.0-230104-linux61.iso
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving download.manjaro.org (download.manjaro.org)... 195.181.170.19, 156.146.33.141, 195.181.175.41, ...
Connecting to download.manjaro.org (download.manjaro.org)|195.181.170.19|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3837229056 (3,6G) [application/octet-stream]
Saving to: ‘manjaro-cinnamon-22.0-230104-linux61.iso’
manjaro-cinnamon-22.0-23010 100%[=========================================>] 3,57G 13,2MB/s in 4m 35s
2023-08-22 07:48:33 (13,3 MB/s) - ‘manjaro-cinnamon-22.0-230104-linux61.iso’ saved [3837229056/3837229056]
step 2 - fetch signature
wget https://download.manjaro.org/cinnamon/22.0/manjaro-cinnamon-22.0-230104-linux61.iso.sig
--2023-08-22 07:48:45-- https://download.manjaro.org/cinnamon/22.0/manjaro-cinnamon-22.0-230104-linux61.iso.sig
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving download.manjaro.org (download.manjaro.org)... 156.146.33.137, 156.146.33.140, 195.181.175.15, ...
Connecting to download.manjaro.org (download.manjaro.org)|156.146.33.137|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 438 [application/octet-stream]
Saving to: ‘manjaro-cinnamon-22.0-230104-linux61.iso.sig’
manjaro-cinnamon-22.0-23010 100%[=========================================>] 438 --.-KB/s in 0s
2023-08-22 07:48:46 (15,8 MB/s) - ‘manjaro-cinnamon-22.0-230104-linux61.iso.sig’ saved [438/438]
step 3 - verify signature
gpg --verify manjaro-cinnamon-22.0-230104-linux61.iso.sig
gpg: assuming signed data in 'manjaro-cinnamon-22.0-230104-linux61.iso'
gpg: Signature made ons 04 jan 2023 12:37:36 CET
gpg: using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3B79 4DE6 D432 0FCE 594F 4171 279E 7CF5 D8D5 6EC8
The key point to note is the line indicating good or bad
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [unknown]
Showcasing a bad signature
To illustrate what happens if the signature does not match, I took the minimal ISO and copied it to the name matching the signature file belonging to the full ISO, as can be concluded from the folder listing
$ ls -l ~/temp
total 9180312
-rw-r--r-- 1 fh fh 2781693952 4 jan 2023 manjaro-cinnamon-22.0-230104-linux61.iso
-rw-r--r-- 1 fh fh 3837229056 4 jan 2023 manjaro-cinnamon-22.0-230104-linux61.iso.bak
-rw-r--r-- 1 fh fh 438 4 jan 2023 manjaro-cinnamon-22.0-230104-linux61.iso.sig
-rw-r--r-- 1 fh fh 2781693952 4 jan 2023 manjaro-cinnamon-22.0-minimal-230104-linux61.iso
Then I ran the verify command once more
gpg --verify manjaro-cinnamon-22.0-230104-linux61.iso.sig
gpg: assuming signed data in 'manjaro-cinnamon-22.0-230104-linux61.iso'
gpg: Signature made ons 04 jan 2023 12:37:36 CET
gpg: using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: BAD signature from "Manjaro Build Server <build@manjaro.org>" [unknown]
It should be quite apparent that the file and the signature no longer match each other.
Result to look for
The important part in the two outputs is
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [unknown]
gpg: BAD signature from "Manjaro Build Server <build@manjaro.org>" [unknown]
The [unknown] tag and the "not certified with a trusted signature" warning mean that gpg has no web-of-trust path to this key. That is normal on a fresh keyring and does not change the Good/BAD verdict, but it also means the user ID "Manjaro Build Server <build@manjaro.org>" by itself proves nothing: anyone can generate a key carrying that name, and a signature made with such a key would also print as Good. A Good signature shows that the file is unaltered since it was signed by the key whose fingerprint is printed, no more.
What matters is therefore both: a Good signature, and a Primary key fingerprint equal to the Manjaro build key used throughout this guide, 3B79 4DE6 D432 0FCE 594F 4171 279E 7CF5 D8D5 6EC8. If the fingerprint differs, treat the ISO as untrusted even though gpg says Good.
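The whole procedure as one script, added here as an example; it is not part of the original post and not Manjaro's own tooling. It downloads the ISO and its .sig next to each other, imports the build key if it is missing, and accepts the ISO only when gpg reports a valid signature whose primary key fingerprint equals the pinned value, which is the check the paragraph above asks for. The function and file names are my own; the pinned fingerprint is the one shown in the guide's gpg output. The script reads gpg's machine-readable --status-fd lines instead of the human-readable text, because the latter is locale-dependent (compare the date line in the output above) and not meant for parsing.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: verify a Manjaro ISO against
# its detached .sig and pin the signing key's fingerprint. A "Good signature"
# only proves the file was signed by the key it names; anyone can create a key
# with the user ID "Manjaro Build Server <build@manjaro.org>", so the
# fingerprint is what has to match. Assumes GnuPG 2.x; the fingerprint below
# is the one printed in the guide's gpg output.

EXPECTED_FPR="3B794DE6D4320FCE594F4171279E7CF5D8D56EC8"

# evaluate_gpg_status STATUS_FILE EXPECTED_FPR
# Reads the "[GNUPG:] ..." lines gpg writes with --status-fd and prints one
# word: good, bad, nokey, mismatch or error. Exit status 0 only for "good",
# i.e. a valid signature made by the pinned key.
evaluate_gpg_status() {
    local status_file="$1" expected="$2" primary
    if grep -q '^\[GNUPG:\] BADSIG ' "$status_file"; then
        echo bad; return 1
    fi
    if grep -q '^\[GNUPG:\] NO_PUBKEY ' "$status_file"; then
        echo nokey; return 1
    fi
    # VALIDSIG fields: $3 is the signing key fingerprint, $12 the primary key
    # fingerprint (what gpg prints as "Primary key fingerprint").
    primary=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12; exit }' "$status_file")
    if [ -z "$primary" ]; then
        echo error; return 1
    fi
    if [ "$primary" != "$expected" ]; then
        echo mismatch; return 1
    fi
    echo good
    return 0
}

# verify_iso ISO [SIG] [EXPECTED_FPR]
# Runs gpg --verify on the detached signature and judges the result with
# evaluate_gpg_status. SIG defaults to ISO.sig, as in the guide.
verify_iso() {
    local iso="$1" sig="${2:-$1.sig}" expected="${3:-$EXPECTED_FPR}" status_file rc
    status_file=$(mktemp)
    # --status-fd 1 sends the parseable lines to stdout; the human-readable
    # report still goes to stderr, so it remains visible in a terminal.
    gpg --status-fd 1 --verify "$sig" "$iso" >"$status_file" 2>/dev/null || true
    if evaluate_gpg_status "$status_file" "$expected"; then rc=0; else rc=1; fi
    rm -f "$status_file"
    return $rc
}

# fetch_and_verify URL: steps 1 and 2 of the guide (ISO and .sig side by
# side), import the pinned key if the keyring lacks it, then verify.
# Needs network access.
fetch_and_verify() {
    local url="$1" iso="${1##*/}"
    wget -q "$url" "$url.sig" || { echo "download failed" >&2; return 1; }
    gpg --list-keys "$EXPECTED_FPR" >/dev/null 2>&1 \
        || gpg --recv-keys "$EXPECTED_FPR"
    verify_iso "$iso" "$iso.sig" "$EXPECTED_FPR"
}

# Usage: ./verify-iso.sh https://download.manjaro.org/cinnamon/22.0/manjaro-cinnamon-22.0-230104-linux61.iso
if [ -n "${1:-}" ]; then
    fetch_and_verify "$1"
fi
```

The script prints a single word per ISO and exits non-zero for anything but good, so it can gate a later dd or Ventoy copy. A BAD result, as in the showcase above, means the data and signature do not belong together; mismatch means a valid signature from some other key, which is the case the user ID alone would hide.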
This topic made me think about scripting the download and verification so I did.