Signature verification

Whole process of verification from the start:

  1. A person generates their private and public key pair.
  2. The person has their private key and generates a unique signature for each file of different content. Here we have the signature of an ISO image.
  3. A user should get the public key of the person and can verify the signature using that public key to answer this: was a file that was gathered from any source last modified by the person, or somehow/by somebody else?

signature

I believe that was a typo; I want to fix the resulting misleading info:
it is not a question of trusting a signature or not: a signature is only 100% valid or 100% invalid, and that is as easy to determine as running gpg --verify ....sig verification on that signature using the public key which is expected to belong to the person.

But the trust stuff here is also something to decide:

the public key which expected to belong to the person

That’s the point. “Expected”. That’s the point: to trust the public key you previously imported to verify the signature, or not to trust that public key.

That’s divided into two stages:
do you trust that:
a) the person who shared the key was really the person you expect them to be.
b) the key was not modified after stage (a), so the source where you got the key holds the original key of the person as they uploaded it into that source.

(a) and (b) are the things to trust or not, not the signature.

Because it was hard to find an explanation of what it is and how it works, that question “was asked in the future” (in the future for this thread, half a year afterwards) and a bit later was explained in detail there: Verification of Manjaro GPG signature - #24 by alven
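The three steps above run end to end with GnuPG, as an added example that is not part of the original post: the signer generates a key pair and a detached signature, the user imports only the public key into a fresh keyring and runs gpg --verify, and the same check is repeated on a file modified after signing. It assumes gpg (GnuPG 2.1 or newer) is installed; the signer identity and the stand-in ISO contents are made-up placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: the three steps of the thread
# run with GnuPG in throwaway keyrings, then repeated on a modified file.
# Assumes gpg (GnuPG 2.1 or newer) is installed; the identity is made up.
set -eu
SIGNER='Example Signer <signer@example.invalid>'   # placeholder identity

# Step 1: the signer creates a key pair in their own keyring and exports
# only the public half (the file a user would download next to the ISO).
make_signer_key() {
    SIGNER_HOME="$(mktemp -d)"; chmod 700 "$SIGNER_HOME"
    GNUPGHOME="$SIGNER_HOME" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key "$SIGNER" ed25519 sign 0
    GNUPGHOME="$SIGNER_HOME" gpg --batch --armor --export "$SIGNER" \
        > "$SIGNER_HOME/signer.pub"
}

# Step 2: the signer makes a detached signature ($1.sig) over file $1,
# which stands in for the ISO image.
sign_file() {
    GNUPGHOME="$SIGNER_HOME" gpg --batch --quiet --yes --pinentry-mode loopback \
        --passphrase '' --local-user "$SIGNER" --detach-sign \
        --output "$1.sig" "$1"
}

# Step 3: the user imports the public key into a fresh keyring and runs
# gpg --verify. Prints "valid" or "invalid". The exit status answers only
# "was this file signed by this key": gpg still exits 0 (with a warning)
# for an imported key nobody has marked trusted, which is the post's point
# that trusting the key is a separate question from the signature check.
verify_file() {   # $1 = file (its signature is $1.sig), $2 = public key
    user_home="$(mktemp -d)"; chmod 700 "$user_home"
    GNUPGHOME="$user_home" gpg --batch --quiet --import "$2" 2>/dev/null
    if GNUPGHOME="$user_home" gpg --batch --verify "$1.sig" "$1" 2>/dev/null
    then echo valid; else echo invalid; fi
}

# Whole process: sign a constructed stand-in file, verify it, then change
# the contents (what a tampered download looks like) and verify again.
run_demo() {
    make_signer_key
    work="$(mktemp -d)"
    printf 'pretend ISO contents\n' > "$work/manjaro.iso"   # constructed stand-in
    sign_file "$work/manjaro.iso"
    first="$(verify_file "$work/manjaro.iso" "$SIGNER_HOME/signer.pub")"
    printf 'PRETEND ISO contents\n' > "$work/manjaro.iso"   # modified after signing
    second="$(verify_file "$work/manjaro.iso" "$SIGNER_HOME/signer.pub")"
    echo "$first $second"   # valid invalid
}
```

Run `run_demo` after sourcing the script; the second result shows that any change to the file after signing turns a 100% valid signature into a 100% invalid one, whatever trust you assign to the key.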