Signature verification

Am still trying to verify Manjaro’s signatures. I keep getting this.

jerry@rommel:~$ gpg --verify manjaro-xfce-21.0.2-210419-linux510.iso.sig
gpg: assuming signed data in ‘manjaro-xfce-21.0.2-210419-linux510.iso’
gpg: Signature made Mon 19 Apr 2021 16:47:28 AWST
gpg: using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from “Manjaro Build Server build@manjaro.org” [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3B79 4DE6 D432 0FCE 594F 4171 279E 7CF5 D8D5 6EC8

Love the bit about the good signature. Don't love the bits about ‘key not certified’ and ‘There is no indication…’

Any help to get over this? Will not proceed if I cannot properly verify the signatures. (I’m certain I’m doing something wrong. I don't know what though.)

Search can be your friend.

See my reply (with links).

The key you have, did indeed sign the file that you have = Good Signature.
It’s up to you, if you trust the signature or not.

I think I will. Thanks for the tip.

Whole process of verification from the start:

  1. A person generates their private and public key pair.
  2. A person has their private key and generates a unique signature for each file of different content. Here we have the signature of an ISO image.
  3. A user should get the public key of the person and can verify the signature using that public key to answer this: was a file which was gathered from any source last modified by the person, or somehow/by somebody else?

signature

I believe that was a typo; I want to fix the resulting misleading info:
it is not a matter of trusting a signature or not; a signature is only 100% valid or 100% invalid, and that is as easy to determine as running gpg --verify ....sig on that signature using the public key which is expected to belong to the person.

But the trust stuff here is also something to decide.

the public key which expected to belong to the person

That’s the point. “Expected”. That’s the point: to trust the public key you previously imported to verify the signature, or not to trust the public key.

That’s divided into two stages:
do you trust that:
a) the person who shared the key was really the person you expect them to be.
b) the key was not modified after stage (a), so the source where you got the key holds the original key of the person as they uploaded it into that source.

(a) and (b) are stuff to trust or not, not the signature.
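The following script is an added example and is not code from this thread or from Manjaro. It walks through the three steps listed earlier (key generation, signing, verification) with a throwaway signer keyring and a separate recipient keyring, reproduces the “Good signature” plus “not certified” output from the first post, then shows the two stages (a) and (b) as a fingerprint comparison and a recorded trust decision, and finally shows that a file modified after signing fails regardless of trust. It assumes `gpg` (GnuPG 2.1 or later), `awk` and `mktemp` are on PATH; the signer identity `build@example.invalid`, the file contents and all paths are constructed for the demonstration, and “ultimate ownertrust” is used here as the simplest way to record the user's decision from stage (a)/(b).

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Manjaro: a throwaway
# signer and a separate recipient keyring reproduce the three steps above and
# the "Good signature" + "not certified" situation from the first post.
# The signer identity, file contents and all paths are constructed for this demo.
set -eu

SIGNER="$(mktemp -d)"      # steps 1 and 2 happen here (the "person")
RECIPIENT="$(mktemp -d)"   # step 3 happens here (the "user")
WORK="$(mktemp -d)"
chmod 700 "$SIGNER" "$RECIPIENT"

# Step 1: the person generates a key pair (unattended, no passphrase).
GNUPGHOME="$SIGNER" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Example Build Server <build@example.invalid>" rsa2048 sign never
FPR="$(GNUPGHOME="$SIGNER" gpg --batch --with-colons --list-keys \
       | awk -F: '$1 == "fpr" { print $10; exit }')"

# Step 2: the person signs a file (a small stand-in for the ISO) and exports the public key.
printf 'constructed stand-in for an ISO image\n' > "$WORK/image.iso"
GNUPGHOME="$SIGNER" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --detach-sign --output "$WORK/image.iso.sig" "$WORK/image.iso"
GNUPGHOME="$SIGNER" gpg --batch --armor --export "$FPR" > "$WORK/signer.asc"

# Step 3: the user imports the public key (as one would fetch it from a keyserver
# or a website) and verifies. classify() reduces gpg's stderr to one word.
GNUPGHOME="$RECIPIENT" gpg --batch --quiet --import "$WORK/signer.asc"

classify() {   # usage: classify FILE  (expects FILE.sig next to it)
    out="$(GNUPGHOME="$RECIPIENT" gpg --batch --verify "$1.sig" "$1" 2>&1 || true)"
    case "$out" in
        *"BAD signature"*)                   echo bad ;;
        *"Good signature"*"not certified"*)  echo good-untrusted ;;
        *"Good signature"*)                  echo good-trusted ;;
        *)                                   echo error ;;
    esac
}

# 3a: the key is imported but nothing says it belongs to the person -> same warning as the post.
UNTRUSTED_RESULT="$(classify "$WORK/image.iso")"

# Stages (a)/(b): compare the imported key's fingerprint with one obtained out of band.
# Here the "out-of-band" value is what the signer side printed; in practice it must
# come from a second, independent source (website over TLS, printed material, a person).
EXPECTED_FPR="$FPR"
RECIPIENT_FPR="$(GNUPGHOME="$RECIPIENT" gpg --batch --with-colons --list-keys \
                 | awk -F: '$1 == "fpr" { print $10; exit }')"
if [ "$RECIPIENT_FPR" = "$EXPECTED_FPR" ]; then FPR_MATCH=yes; else FPR_MATCH=no; fi

# 3b: once the user has decided the key really belongs to the person, record that
# decision (ultimate ownertrust on this fingerprint); the warning then disappears.
if [ "$FPR_MATCH" = yes ]; then
    printf '%s:6:\n' "$FPR" | GNUPGHOME="$RECIPIENT" gpg --batch --quiet --import-ownertrust
fi
TRUSTED_RESULT="$(classify "$WORK/image.iso")"

# 3c: a file changed after signing is rejected outright; validity does not depend on trust.
cp "$WORK/image.iso" "$WORK/tampered.iso"
cp "$WORK/image.iso.sig" "$WORK/tampered.iso.sig"
printf 'one extra byte\n' >> "$WORK/tampered.iso"
TAMPERED_RESULT="$(classify "$WORK/tampered.iso")"

echo "untrusted: $UNTRUSTED_RESULT, fingerprint match: $FPR_MATCH," \
     "trusted: $TRUSTED_RESULT, tampered: $TAMPERED_RESULT"

GNUPGHOME="$SIGNER" gpgconf --kill gpg-agent 2>/dev/null || true
GNUPGHOME="$RECIPIENT" gpgconf --kill gpg-agent 2>/dev/null || true
```

The three results line up with the thread: `good-untrusted` is exactly what the first post saw (valid signature, unverified key ownership), `good-trusted` is what remains after the user records their own trust decision, and `bad` shows that validity is a property of the file and signature alone. The one step the script cannot do for you is the real out-of-band fingerprint check; that is the part that is “up to you”.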


Because it was hard to find an explanation of what it is and how it works, that question “was asked in the future” (in the future for this thread - half a year afterwards) and a bit later was explained in detail there: Verification of Manjaro GPG signature - #24 by alven