Can't verify ISO signature

Hello everybody,

I have downloaded the manjaro-xfce-21.0.2-210419-linux510.iso file from Manjaro - XFCE.

I am totally ignorant of the process of verification of ISO images through checksum and signature. I have read regarding the process from the web sources but couldn’t gather much. All I know is that it is a way to verify the integrity of the ISO image that we download.

I succeeded in verifying the checksum SHA1. The information on the wiki was adequate to do it.

However, the information provided on the wiki did not help me in verifying the signature, so I am here. I don’t know if I am doing the things right or not.

I installed GPG with,

sudo pacman -S gnupg wget

Then I downloaded the keys from the Manjaro Developers from GitHub with;

wget gitlab.manjaro.org/packages/core/manjaro-keyring/-/raw/master/manjaro.gpg

Then I imported the keys with;

gpg --import manjaro.gpg

I issued all the above commands in the user’s terminal.

Then I opened a Terminal inside the folder where I had placed the ISO image and the signature file and verified the signature of the ISO image file by issuing the command;

gpg --verify manjaro-xfce-16.06-pre2-x86_64.iso.sig

I am getting this result;

$ gpg --verify manjaro-xfce-21.0.2-210419-linux510.iso.sig
gpg: assuming signed data in ‘manjaro-xfce-21.0.2-210419-linux510.iso’
gpg: Signature made Monday 19 April 2021 02:17:28 PM IST
gpg: using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Can’t check signature: No public key

Further, there is an option in the wiki which says;

"3.2 If you do not trust GitHub, import Philip Müller’s GPG key to your system (afterwards, select the key by entering its number and pressing ENTER): ".

However, forgive my ignorance about these things and bothering you guys with it. I don’t know how to import Philip Müller’s GPG key to my system. What is the command to import it?

Since I am totally ignorant of the entire verification process, I do not even know whether I have to issue all these commands in the terminal opened inside the folder where I placed the ISO image and the signature file, or whether I have to do it in the user’s terminal.

I would greatly appreciate it if someone could throw light upon this process and help verify the signature of the ISO I have downloaded.

If you could give the necessary commands and the information regarding whether to issue them inside the user’s terminal or inside the folder where the ISO and the signature file are placed, it would be helpful to users like me who are unaware of this entire process.

Thanks & Regards

gpg --recv-keys D8D56EC8


In the user-terminal;

gpg --recv-keys D8D56EC8
gpg: key 279E7CF5D8D56EC8: public key “Manjaro Build Server build@manjaro.org” imported
gpg: Total number processed: 1
gpg: imported: 1

In the terminal opened inside the folder containing the iso and sig files.

$ gpg --verify manjaro-xfce-21.0.2-210419-linux510.iso.sig
gpg: assuming signed data in ‘manjaro-xfce-21.0.2-210419-linux510.iso’
gpg: Signature made Monday 19 April 2021 02:17:28 PM IST
gpg: using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from “Manjaro Build Server build@manjaro.org” [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3B79 4DE6 D432 0FCE 594F 4171 279E 7CF5 D8D5 6EC8

Is that fine?

Yes, as far as verifying the authenticity of the .iso goes.

It is totally up to you whether or not to trust the key used to sign the .iso.

Some good info here and here.
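Added example, not part of this thread or of Manjaro's tooling: a POSIX sh script that runs the same gpg --verify, but reads gpg's machine-readable status output and compares the primary key fingerprint with the one printed above, so the "[unknown]" trust warning is replaced by an explicit check. Assumptions: EXPECTED_FPR is copied from the output posted in this thread and should be compared against the fingerprint Manjaro publishes; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): verify a Manjaro ISO signature and
# pin the signing key's fingerprint instead of only looking for "Good signature".
# Assumption: EXPECTED_FPR is the fingerprint shown in this thread for the
# Manjaro Build Server key; confirm it against the project's published key page.
EXPECTED_FPR="3B794DE6D4320FCE594F4171279E7CF5D8D56EC8"

# Parse `gpg --status-fd` output. Prints a one-word verdict and returns 0 only
# when the signature is valid AND was made by the pinned primary key.
check_status() {   # $1 = status text, $2 = expected primary key fingerprint
    status="$1"; want="$2"
    # The thread's first failure: the signer's public key was never imported.
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] NO_PUBKEY '; then
        echo "NO_PUBKEY"; return 2
    fi
    # Key known, but the ISO or .sig does not match it (corrupt or altered file).
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then
        echo "BADSIG"; return 1
    fi
    # VALIDSIG: field 3 is the signing key fpr, field 12 the primary key fpr.
    primary=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $12}')
    if [ -z "$primary" ]; then
        echo "NO_VALIDSIG"; return 1
    fi
    # A "Good signature" from some other key is not good enough: pin the fpr.
    if [ "$primary" != "$want" ]; then
        echo "WRONG_KEY"; return 3
    fi
    echo "OK"; return 0
}

# Run gpg on a detached .sig and its ISO. Both paths are passed explicitly,
# so it does not matter which directory the shell was opened in.
verify_iso() {   # $1 = path/to/file.iso.sig  $2 = path/to/file.iso
    out=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null)
    check_status "$out" "$EXPECTED_FPR"
}

# Stand-alone use: sh verify_iso.sh file.iso.sig file.iso
if [ "$#" -eq 2 ]; then
    verify_iso "$1" "$2" && echo "signature valid, fingerprint matches pinned key" \
        || echo "verification failed, do not use this ISO"
fi
```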


Thanks merlock,

I will mark this as solved.

