Verification of Manjaro GPG signature

  • I just downloaded manjaro-kde-21.2pre1-minimal-211119-linux515.iso and its corresponding signature manjaro-kde-21.2pre1-minimal-211119-linux515.iso.sig from

  • SHA1 sum verified successfully.

  • I imported the the gpg keys as per the tutorial at :-

>> wget
URL transformed to HTTPS due to an HSTS policy
--2021-11-23 19:14:46--
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving (, 2a01:4f8:c2c:c956::1
Connecting to (||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 183099 (179K) [text/plain]
Saving to: ‘manjaro.gpg’

>> gpg --import manjaro.gpg
  • I verified the manjaro-kde-21.2pre1-minimal-211119-linux515.iso.sig file :-
gpg --verify manjaro-kde-21.2pre1-minimal-211119-linux515.iso.sig   ✔ 
gpg: assuming signed data in 'manjaro-kde-21.2pre1-minimal-211119-linux515.iso'
gpg: Signature made Friday 19 November 2021 09:19:00 PM IST
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from "Manjaro Build Server <>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3B79 4DE6 D432 0FCE 594F  4171 279E 7CF5 D8D5 6EC8
  • What is this error ? gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.
    Why is it saying that the signature doesnt belong to the owner ?

  • I even tried :-

gpg --keyserver --search-keys Manjaro Build Server
gpg: data source:
(1)     Manjaro Build Server <>
          3072 bit RSA key 279E7CF5D8D56EC8, created: 2020-10-28
(2)     Manjaro CN Build Server <>
          263 bit EDDSA key 974B3711CFB9BF2D, created: 2021-04-06
(3)     Manjaro-ARM Build Server <>
        Manjaro-ARM Build Server <>
          2048 bit RSA key 70FBB189B338D5DF, created: 2016-08-01
Keys 1-3 of 3 for "Manjaro Build Server".  Enter number(s), N)ext, or Q)uit > 1
gpg: key 279E7CF5D8D56EC8: "Manjaro Build Server <>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Still the exact same result.

Can anyone help me ? Does the iso I downloaded contain a verified signature ?

1 Like

It just means that the GPG key for Manjaro hasn’t been signed by a trusted key on your system.

So, does this mean that the iso I downloaded from doesn’t have a trusted signature ? So I shouldn’t use this iso ??

Sorry, I am still fairly new to linux :slightly_smiling_face:

No, it means that the operating system that you are using to verify the signature doesn’t have Manjaro’s keys signed. It is a harmless warning. You can sign Manjaro’s keys yourself to eliminate the warning.

I am using Manjaro :-

neofetch >> OS: Manjaro Linux x86_64
                      kernel : 5.15

Thanks for your answer.

No, what OP is asking about has absolutely nothing to do with the operating system. The warning is straight forward.

No, it’s not harmless. If it was harmless, the GnuPG/PGP developers would’ve made that an informational-type statement, not a warning.

Don’t give that advice out without detailing what the drawbacks are in doing so.

A good read.


If you’re using Manjaro, you should use pacman-key to verify the ISO. Manjaro’s keys are already in pacman, so you don’t need to import them.

pacman-key -v filename.sig

If you still get the warning about untrusted keys, you have a bigger problem.

1 Like

Thanks for your answer ! I don’t really know much about this stuff, I will read the wikipedia article you provided :smiley:

1 Like

I did pacman-key -v manjaro-kde-21.2pre1-minimal-211119-linux515.iso.sig
And got this result :-

==> Checking manjaro-kde-21.2pre1-minimal-211119-linux515.iso.sig... (detached)
gpg: Signature made Friday 19 November 2021 09:19:00 PM IST
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Note: trustdb not writable
gpg: Good signature from "Manjaro Build Server <>" [full]

The signature is good ! My only question is what is this note : gpg: Note: trustdb not writable ?
Thanks for your time :smiley:

The file you downloaded was verified to be signed by the Manjaro dev so you’re safe against a man-in-middle tempering during the download of the iso.

The warning, however, tells you that you, personally, did not actually verify that the downloaded key really belongs to the Manjaro Build Server. (Which you never will be able to.)

1 Like

Thanks for your clarification :grin:

Why to be so happy when misleading yourself?
if pacman-key shows no problem with key, than why you that easy ignore the gpg's warning?
But I understand you:

many new info at the same time, not able to process all that in better quality.

Looks like that pacman-key is a wrapper for the gpg:
for the
pacman-key --verbose manjaro-kde-21.2pre1-211119-linux515.iso.sig command
it’s create a new thread with the next command line:

gpg --homedir /etc/pacman.d/gnupg/ --no-permission-warning --status-fd 1 --verify manjaro-kde-21.2pre1-211119-linux515.iso.sig manjaro-kde-21.2pre1-211119-linux515.iso 

So it cuts gpg's info and just hides the actually present warning from you.

I was unable to find any single word to be wrong in merlock’s post above.


OH, so pacman-key command just hides the warning that gpg was previously showing, interesting. I was a bit confused, so I am asking you, with my current gpg output, is the iso actually safe to use or do I have to do any additional steps ? Also can’t MITM attacks be avoided if I just download the using the official .torrent file ? I’m still learning ! Thanks for your answer :smiley:

I live with that unresolved for me problem for a couple if years :slight_smile:
Good signature? Hash sums matched. Ok. But I think it is weak behavior - not to understand fully.
You released new wave for the same unresolved question I have (you saw, I liked you question).

I thing that the problem is not that much, to use torrent shares only :slight_smile:
I think the problem is in our current weakness of to search and to understand it fully.

Yea the sha1 hash matches. And this problem happening to you for years ! Well, I am still trying to figure this out :slightly_smiling_face:

yeah I agree, the key to this problem is to first understand it fully !!

Believe me, much better try to learn GNU/Linux and Manjaro closely: it is more useful on the current newbie stage: it is crucial part.
And after couple of years you will like a someone’s post who asks the same about gpg keys :))))

Save your efforts to be more productive and more developed in Linux stuff which you will use often instead of go deep into rare case of gpg and to get tired on this and to leave GNU/Linux eco-system :slight_smile:

1 Like

The warning can be ignored. Most of the OSs you check the signature has not a trust of that signature anyway. As long as it says it is a good signature it is good. More about web of trust here.

Beside the checksums the ISO only boots when it matches the internal checksums of each squashfs image on the ISO during bootup. It is pretty hard to temper with our ISOs.

If you really want to trust the software you can always create your own ISO with our tools.

And by the way a CI script is automatically create, sign and upload the ISOs. Our developers may only trigger the build.


Thanks for your clarification !

This is because the trust database is only writable by root, and you ran pacman-key as an ordinary user.