Question about checking signature of the ISO

I’m going to install Manjaro Cinnamon soon on my solid state drive. I dual boot between two drives. I already verified the checksum on terminal. I was trying to check the Manjaro signature on Zorin Linux (since I don’t have any version of Manjaro yet).

I have the graphical interface (GPA) for GnuPG installed. For the button to import keys,
it opens a blank box with the question ‘Which key do you want to import?’

What do I enter in that box…a link…or file name?

You can see here where you would get the key: How-to verify GPG key of official .ISO images - Manjaro

Place the files side-by-side iso and signature

 $ gpg --verify manjaro-kde-22.1.3-minimal-230529-linux61.iso.sig
gpg: assuming signed data in 'manjaro-kde-22.1.3-minimal-230529-linux61.iso'
gpg: Signature made man 29 maj 2023 11:46:55 CEST
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3B79 4DE6 D432 0FCE 594F  4171 279E 7CF5 D8D5 6EC8

As described in the topic @megavolt linked you to - you may import the public key beforehand although it is not necessary.

I tried using terminal for signature verification. I got something like ‘command not recognized.’
So I am using the graphical interface for GnuPG. Do I just enter the Gitlabs (.gpg) file link in the box where it says ‘Which key do you want to import?’

I have never used any GUI so I cannot say what to do or what not to do.

check your spelling - don’t add the $ it is designating a user command line prompt and is always provided if the output is part of text - it could have been # to signify a root prompt.

 $ gpg --version
gpg (GnuPG) 2.2.41
libgcrypt 1.10.2-unknown
Copyright (C) 2022 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/fh/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Place the files side by side - the iso and the signature.
Provide the real signature filename instead of the placeholder

gpg --verify <signature.sig>

Ok. Thanks. I’ll work with it this weekend or earlier when I have time. I’ll report back.

gtkhash is software with a GUI that has a small footprint and works well

checksums =/= signature

ahh…thanks. I am having trouble reading today.

This inquiry was under a previous unresolved discussion that was closed for some reason a few days ago (I had to remove the links from the text below)

Ok. I verified through terminal that I have GnuPG 2.2.19 installed.
Now I just ran the command to import the Manjaro Build Server GPG key and it returned the response below:

bluesbreaker@bluesbreaker-Z170XP-SLI:~$ gpg --keyserver keyserver.ubuntu --search-keys Manjaro Build Server
gpg: data source:
(1) Manjaro Build Server
3072 bit RSA key 279E7CF5D8D56EC8, created: 2020-10-28
(2) Manjaro CN Build Server
263 bit EDDSA key 974B3711CFB9BF2D, created: 2021-04-06
(3) Manjaro-ARM Build Server
Manjaro-ARM Build Server
2048 bit RSA key 70FBB189B338D5DF, created: 2016-08-01
Keys 1-3 of 3 for “Manjaro Build Server”. Enter number(s), N)ext, or Q)uit >
gpg: signal Interrupt caught … exiting

bluesbreaker@bluesbreaker-Z170XP-SLI:~$

It gives me three numbers. What key number do I select?

You don’t have to import keys to verify the signature.

  1. manjaro build server
  2. manjaro cn build server
  3. manjaro-arm

But if you really want to - you could simply enter 1 as your response - in this case the number 1 would likely suffice.

Any topic - marked as solved - is closed a few days after the last comment - this is done to keep the forum clean and avoid unnecessary bumping.

I entered number 1 last night and it didn’t work. I’ll post the terminal response tonight after work.
I don’t know why it’s this hard to verify an ISO signature. It was easy on Linux Mint.

Please don’t mark this as solved yet.

I’ve merged the threads. If you didn’t mark the thread as solved, then I wonder who did? :thinking:

I may have mistakenly marked it as solved.

I used the procedure that was recommended to me. Still doesn’t work. It says ‘no such file or directory’ in the text response below. I tried all 3 key numbers.

bluesbreaker@bluesbreaker-Z170XP-SLI:~$ --search-keys Manjaro Build Server
gpg: data source:
(1) Manjaro Build Server build@manjaro.org
3072 bit RSA key 279E7CF5D8D56EC8, created: 2020-10-28
(2) Manjaro CN Build Server build@manjarocn.org
263 bit EDDSA key 974B3711CFB9BF2D, created: 2021-04-06
(3) Manjaro-ARM Build Server build@manjaro.org
Manjaro-ARM Build Server build-arm@manjaro-arm.org
2048 bit RSA key 70FBB189B338D5DF, created: 2016-08-01
Keys 1-3 of 3 for “Manjaro Build Server”. Enter number(s), N)ext, or Q)uit > 3
gpg: key 70FBB189B338D5DF: public key “Manjaro-ARM Build Server build@manjaro.org” imported
gpg: Total number processed: 1
gpg: imported: 1
bluesbreaker@bluesbreaker-Z170XP-SLI:~$ gpg --verify manjaro-ISO-image.iso.sig manjaro-ISO-image.iso
gpg: can’t open ‘manjaro-ISO-image.iso.sig’: No such file or directory
gpg: verify signatures failed: No such file or directory

It is not hard, you are just required to be more knowledgeable.

Perhaps … I haven’t checked Linux Mint for years …

But it is solved - you got the instructions - you just don’t apply the instructions correctly.

Surely you need to use the filenames relevant to your use case. The wiki is generic - the filenames change on every release.

As you already verified the checksum - and it passed - the ISO is complete - really no need to also verify the signature although the signature will confirm the ISO originates from the Manjaro Team or team members.

Since you already fetched both ISO and signature - open a terminal and navigate to the folder where you keep the downloaded files, and jump to step 3

Handholding part

explanation

The two files in the same folder - don’t import any keys - simply verify the signature against the file

gpg --verify <filename.sig>

If you want to start over then you can use wget to fetch the full ISO and the signature - then verify the download using the signature.

The output illustrates the result of running the commands on my system 2023-08-21T22:00:00Z to download and verify the current cinnamon ISO

step 1 - fetch ISO

wget https://download.manjaro.org/cinnamon/22.0/manjaro-cinnamon-22.0-230104-linux61.iso
07:43:47 ○ [fh@tiger] ~/temp
 $ wget https://download.manjaro.org/cinnamon/22.0/manjaro-cinnamon-22.0-230104-linux61.iso
--2023-08-22 07:43:58--  https://download.manjaro.org/cinnamon/22.0/manjaro-cinnamon-22.0-230104-linux61.iso
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving download.manjaro.org (download.manjaro.org)... 195.181.170.19, 156.146.33.141, 195.181.175.41, ...
Connecting to download.manjaro.org (download.manjaro.org)|195.181.170.19|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3837229056 (3,6G) [application/octet-stream]
Saving to: ‘manjaro-cinnamon-22.0-230104-linux61.iso’

manjaro-cinnamon-22.0-23010 100%[=========================================>]   3,57G  13,2MB/s    in 4m 35s  

2023-08-22 07:48:33 (13,3 MB/s) - ‘manjaro-cinnamon-22.0-230104-linux61.iso’ saved [3837229056/3837229056]

step 2 fetch signature

wget https://download.manjaro.org/cinnamon/22.0/manjaro-cinnamon-22.0-230104-linux61.iso.sig
07:48:33 ○ [fh@tiger] ~/temp
 $ wget https://download.manjaro.org/cinnamon/22.0/manjaro-cinnamon-22.0-230104-linux61.iso.sig
--2023-08-22 07:48:45--  https://download.manjaro.org/cinnamon/22.0/manjaro-cinnamon-22.0-230104-linux61.iso.sig
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving download.manjaro.org (download.manjaro.org)... 156.146.33.137, 156.146.33.140, 195.181.175.15, ...
Connecting to download.manjaro.org (download.manjaro.org)|156.146.33.137|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 438 [application/octet-stream]
Saving to: ‘manjaro-cinnamon-22.0-230104-linux61.iso.sig’

manjaro-cinnamon-22.0-23010 100%[=========================================>]     438  --.-KB/s    in 0s      

2023-08-22 07:48:46 (15,8 MB/s) - ‘manjaro-cinnamon-22.0-230104-linux61.iso.sig’ saved [438/438]

step 3 verify signature

gpg --verify manjaro-cinnamon-22.0-230104-linux61.iso.sig
07:48:46 ○ [fh@tiger] ~/temp
 $ gpg --verify manjaro-cinnamon-22.0-230104-linux61.iso.sig
gpg: assuming signed data in 'manjaro-cinnamon-22.0-230104-linux61.iso'
gpg: Signature made ons 04 jan 2023 12:37:36 CET
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3B79 4DE6 D432 0FCE 594F  4171 279E 7CF5 D8D5 6EC8

The key point to note is the line indicating good or bad

gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [unknown]

What to look for

To illustrate what happens if the signature does not match I took the minimal iso and renamed it to match the signature file

08:26:41 ○ [fh@tiger] ~/temp
 $ ls -l
total 9180312
-rw-r--r-- 1 fh fh 2781693952  4 jan  2023 manjaro-cinnamon-22.0-230104-linux61.iso
-rw-r--r-- 1 fh fh 3837229056  4 jan  2023 manjaro-cinnamon-22.0-230104-linux61.iso.bak
-rw-r--r-- 1 fh fh        438  4 jan  2023 manjaro-cinnamon-22.0-230104-linux61.iso.sig
-rw-r--r-- 1 fh fh 2781693952  4 jan  2023 manjaro-cinnamon-22.0-minimal-230104-linux61.iso

Then run the verify command once more

gpg --verify manjaro-cinnamon-22.0-230104-linux61.iso.sig
08:26:31 ○ [fh@tiger] ~/temp
 $ gpg --verify manjaro-cinnamon-22.0-230104-linux61.iso.sig
gpg: assuming signed data in 'manjaro-cinnamon-22.0-230104-linux61.iso'
gpg: Signature made ons 04 jan 2023 12:37:36 CET
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: BAD signature from "Manjaro Build Server <build@manjaro.org>" [unknown]

It is quite obvious the file does not match the signature.

Result to look for

gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [unknown]
gpg: BAD signature from "Manjaro Build Server <build@manjaro.org>" [unknown]
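
An added example, not part of the original posts: rather than reading the Good/BAD line by eye, a script can read gpg's machine-readable status lines (`--status-fd`) and also check that the signing key is the fingerprint shown in the output above, which is what the "not certified with a trusted signature" warning leaves open. The function names `classify_status` and `verify_iso` are hypothetical, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example: classify a verification from gpg's machine-readable status
# lines (gpg --status-fd) and pin the signer's fingerprint.

# Fingerprint printed in the gpg output in this thread; confirm it against a
# source you trust before relying on it.
EXPECTED_FPR="3B794DE6D4320FCE594F4171279E7CF5D8D56EC8"

# classify_status FPR: reads status lines on stdin (hypothetical helper).
# Prints one of: good, bad, wrong-key, no-key, unknown
classify_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]"  { next }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "NO_PUBKEY" { nokey = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint and the last
        # field is the primary key fingerprint.
        $2 == "VALIDSIG"  { valid = 1; if ($3 == want || $NF == want) pinned = 1 }
        END {
            if (bad)                  print "bad"
            else if (valid && pinned) print "good"
            else if (valid)           print "wrong-key"
            else if (nokey)           print "no-key"
            else                      print "unknown"
        }'
}

# verify_iso SIGFILE (hypothetical wrapper): the ISO must sit next to the
# .sig file, as in the steps above. Returns 0 only for a pinned good signature.
verify_iso() {
    result=$(gpg --status-fd 1 --verify "$1" 2>/dev/null |
             classify_status "$EXPECTED_FPR")
    echo "$result"
    [ "$result" = "good" ]
}

# Constructed status lines (timestamps and algorithm fields are made up).
SAMPLE_GOOD='[GNUPG:] GOODSIG 279E7CF5D8D56EC8 Manjaro Build Server <build@manjaro.org>
[GNUPG:] VALIDSIG 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8 2023-01-04 1672832256 0 4 0 1 10 00 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8'
SAMPLE_BAD='[GNUPG:] BADSIG 279E7CF5D8D56EC8 Manjaro Build Server <build@manjaro.org>'

printf '%s\n' "$SAMPLE_GOOD" | classify_status "$EXPECTED_FPR"   # good
printf '%s\n' "$SAMPLE_BAD"  | classify_status "$EXPECTED_FPR"   # bad
```

A `wrong-key` result means the signature is cryptographically valid but was made by a key other than the pinned one; `no-key` means gpg could not find the public key to check against.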

Ahh…ok. I can see this went downhill when I used the generic filename. I’ll run this again tomorrow night after work. And I’ll report back then. Thanks.

I figured it out! ISO signature verified.
I right clicked on the folder I created and selected open in terminal. Then I entered the verify command from step 3. Here it is below:

bluesbreaker@bluesbreaker-Z170XP-SLI:~/Downloads/manjaro-cinnamon-22.0-230104-linux61.iso.sig$ gpg --verify manjaro-cinnamon-22.0-230104-linux61.iso.sig
gpg: assuming signed data in ‘manjaro-cinnamon-22.0-230104-linux61.iso’
gpg: Signature made Wed 04 Jan 2023 04:37:36 AM MST
gpg: using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from “Manjaro Build Server build@manjaro.org” [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3B79 4DE6 D432 0FCE 594F 4171 279E 7CF5 D8D5 6EC8

Thanks very much. You guys gradually led me in the right direction.
