Verification of Manjaro GPG signature

  • I just downloaded manjaro-kde-21.2pre1-minimal-211119-linux515.iso and its corresponding signature manjaro-kde-21.2pre1-minimal-211119-linux515.iso.sig from manjaro.org.

  • SHA1 sum verified successfully.

  • I imported the gpg keys as per the tutorial at manjaro.org :-

>> wget gitlab.manjaro.org/packages/core/manjaro-keyring/-/raw/master/manjaro.gpg
URL transformed to HTTPS due to an HSTS policy
--2021-11-23 19:14:46--  https://gitlab.manjaro.org/packages/core/manjaro-keyring/-/raw/master/manjaro.gpg
SSL_INIT
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving gitlab.manjaro.org (gitlab.manjaro.org)... 195.201.101.32, 2a01:4f8:c2c:c956::1
Connecting to gitlab.manjaro.org (gitlab.manjaro.org)|195.201.101.32|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 183099 (179K) [text/plain]
Saving to: ‘manjaro.gpg’

>> gpg --import manjaro.gpg
  • I verified the manjaro-kde-21.2pre1-minimal-211119-linux515.iso.sig file :-
gpg --verify manjaro-kde-21.2pre1-minimal-211119-linux515.iso.sig   ✔ 
gpg: assuming signed data in 'manjaro-kde-21.2pre1-minimal-211119-linux515.iso'
gpg: Signature made Friday 19 November 2021 09:19:00 PM IST
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3B79 4DE6 D432 0FCE 594F  4171 279E 7CF5 D8D5 6EC8
  • What is this error? gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.
    Why is it saying that the signature doesn't belong to the owner?

  • I even tried :-

gpg --keyserver keyserver.ubuntu.com --search-keys Manjaro Build Server
gpg: data source: http://162.213.33.8:11371
(1)     Manjaro Build Server <build@manjaro.org>
          3072 bit RSA key 279E7CF5D8D56EC8, created: 2020-10-28
(2)     Manjaro CN Build Server <build@manjarocn.org>
          263 bit EDDSA key 974B3711CFB9BF2D, created: 2021-04-06
(3)     Manjaro-ARM Build Server <build@manjaro.org>
        Manjaro-ARM Build Server <build-arm@manjaro-arm.org>
          2048 bit RSA key 70FBB189B338D5DF, created: 2016-08-01
Keys 1-3 of 3 for "Manjaro Build Server".  Enter number(s), N)ext, or Q)uit > 1
gpg: key 279E7CF5D8D56EC8: "Manjaro Build Server <build@manjaro.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Still the exact same result.

Can anyone help me? Does the iso I downloaded contain a verified signature?

1 Like

It just means that the GPG key for Manjaro hasn’t been signed by a trusted key on your system.

So, does this mean that the iso I downloaded from manjaro.org doesn’t have a trusted signature? So I shouldn’t use this iso??

Sorry, I am still fairly new to Linux :slightly_smiling_face:

No, it means that the operating system that you are using to verify the signature doesn’t have Manjaro’s keys signed. It is a harmless warning. You can sign Manjaro’s keys yourself to eliminate the warning.

I am using Manjaro :-

neofetch >> OS: Manjaro Linux x86_64
                      kernel : 5.15

Thanks for your answer.

No, what OP is asking about has absolutely nothing to do with the operating system. The warning is straightforward.

No, it’s not harmless. If it was harmless, the GnuPG/PGP developers would’ve made that an informational-type statement, not a warning.

Don’t give that advice out without detailing what the drawbacks are in doing so.

A good read.

2 Likes

If you’re using Manjaro, you should use pacman-key to verify the ISO. Manjaro’s keys are already in pacman, so you don’t need to import them.

pacman-key -v filename.sig

If you still get the warning about untrusted keys, you have a bigger problem.

1 Like

Thanks for your answer! I don’t really know much about this stuff, I will read the wikipedia article you provided :smiley:

1 Like

I did pacman-key -v manjaro-kde-21.2pre1-minimal-211119-linux515.iso.sig
And got this result :-

==> Checking manjaro-kde-21.2pre1-minimal-211119-linux515.iso.sig... (detached)
gpg: Signature made Friday 19 November 2021 09:19:00 PM IST
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Note: trustdb not writable
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [full]

The signature is good! My only question is what is this note: gpg: Note: trustdb not writable?
Thanks for your time :smiley:

The file you downloaded was verified to be signed by the Manjaro dev, so you’re safe against man-in-the-middle tampering during the download of the iso.

The warning, however, tells you that you, personally, did not actually verify that the downloaded key really belongs to the Manjaro Build Server. (Which you never will be able to.)

1 Like

Thanks for your clarification :grin:

Why be so happy when you are misleading yourself?
If pacman-key shows no problem with the key, then why do you so easily ignore gpg's warning?
But I understand you:

much new info at the same time, and you are not able to process all of it in better quality.

It looks like pacman-key is a wrapper for gpg:
for the
pacman-key --verbose manjaro-kde-21.2pre1-211119-linux515.iso.sig command
it creates a new thread with the following command line:

gpg --homedir /etc/pacman.d/gnupg/ --no-permission-warning --status-fd 1 --verify manjaro-kde-21.2pre1-211119-linux515.iso.sig manjaro-kde-21.2pre1-211119-linux515.iso 

So it cuts gpg's info and just hides the warning that is actually present from you.
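Added example (not from this thread or from pacman): a small Python checker that runs gpg the way the pacman-key command line above does (with --status-fd 1) and separates the two facts the thread keeps conflating: whether the signature is cryptographically good (GOODSIG/VALIDSIG) and whether the signing key is trusted, either through gpg's trustdb (TRUST_FULLY in pacman's keyring, TRUST_UNDEFINED in the user's) or by matching a fingerprint obtained out of band. The sample status lines are constructed around the fingerprint shown in the thread; the function and variable names are my own.

```python
import subprocess
from dataclasses import dataclass

@dataclass
class Verdict:
    good: bool        # GOODSIG seen and no BADSIG/ERRSIG: the cryptography checks out
    fingerprint: str  # primary-key fingerprint from VALIDSIG ("" if none)
    trust: str        # gpg's TRUST_* level for the signing key, "NONE" if not emitted

def parse_status(status_text: str) -> Verdict:
    """Parse gpg --status-fd output; only '[GNUPG:] ' lines are machine-readable."""
    good, fpr, trust = False, "", "NONE"
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                     # human-readable text, not a status line
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            good = True
        elif tag in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            good = False
        elif tag == "VALIDSIG":
            fpr = fields[-1].upper()     # last field: primary key fingerprint
        elif tag.startswith("TRUST_"):
            trust = tag[len("TRUST_"):]  # UNDEFINED, NEVER, MARGINAL, FULLY, ULTIMATE
    return Verdict(good, fpr, trust)

def key_trusted(v: Verdict, pinned_fpr: str = "") -> bool:
    """Validity and trust are separate: gpg says 'Good signature' for any key in the
    keyring; trust comes from the trustdb (FULLY/ULTIMATE, as in pacman's keyring)
    or from a fingerprint the verifier obtained out of band and pins here."""
    pinned = pinned_fpr.replace(" ", "").upper()
    return v.good and (v.trust in ("FULLY", "ULTIMATE") or (pinned != "" and v.fingerprint == pinned))

def gpg_status(sig_path: str, data_path: str, homedir: str = "") -> str:
    """Run gpg as pacman-key does (status on stdout); empty homedir means ~/.gnupg."""
    cmd = ["gpg"] + (["--homedir", homedir] if homedir else []) + [
        "--no-permission-warning", "--status-fd", "1", "--verify", sig_path, data_path]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

# Constructed status output modelled on the thread's two runs (fingerprint from the
# thread; the VALIDSIG date/timestamp/algorithm fields are illustrative values).
FPR = "3B794DE6D4320FCE594F4171279E7CF5D8D56EC8"
USER_KEYRING = (
    "[GNUPG:] GOODSIG 279E7CF5D8D56EC8 Manjaro Build Server <build@manjaro.org>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2021-11-19 1637336940 0 4 0 1 8 00 {FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")   # ~/.gnupg: key imported but never trusted
PACMAN_KEYRING = USER_KEYRING.replace("TRUST_UNDEFINED", "TRUST_FULLY")  # /etc/pacman.d/gnupg
TAMPERED = "[GNUPG:] BADSIG 279E7CF5D8D56EC8 Manjaro Build Server <build@manjaro.org>\n"
```

To check a real download, feed `gpg_status("x.iso.sig", "x.iso")` (or with `homedir="/etc/pacman.d/gnupg/"`) into `parse_status` and pin the fingerprint you got from a channel other than the download itself.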


I was unable to find any single word to be wrong in merlock’s post above.

2 Likes

OH, so the pacman-key command just hides the warning that gpg was previously showing, interesting. I was a bit confused, so I am asking you, with my current gpg output, is the iso actually safe to use or do I have to do any additional steps? Also, can’t MITM attacks be avoided if I just download it using the official .torrent file? I’m still learning! Thanks for your answer :smiley:

I have lived with that problem, unresolved for me, for a couple of years :slight_smile:
Good signature? Hash sums matched. Ok. But I think it is weak behavior - not to understand fully.
You started a new wave for the same unresolved question I have (you saw, I liked your question).


I think that the problem is not that much, to use torrent shares only :slight_smile:
I think the problem is in our current weakness in searching and understanding it fully.

Yeah, the SHA1 hash matches. And this problem has been happening to you for years! Well, I am still trying to figure this out :slightly_smiling_face:

Yeah, I agree, the key to this problem is to first understand it fully!!

Believe me, it is much better to try to learn GNU/Linux and Manjaro closely: it is more useful at the current newbie stage: it is a crucial part.
And after a couple of years you will like someone’s post who asks the same about gpg keys :))))

Save your efforts to be more productive and more developed in Linux stuff which you will use often, instead of going deep into a rare case of gpg, getting tired of this and leaving the GNU/Linux ecosystem :slight_smile:

1 Like

The warning can be ignored. Most of the OSs on which you check the signature do not have trust for that signature anyway. As long as it says it is a good signature, it is good. More about web of trust here.

Besides the checksums, the ISO only boots when it matches the internal checksums of each squashfs image on the ISO during bootup. It is pretty hard to tamper with our ISOs.

If you really want to trust the software you can always create your own ISO with our tools.

And by the way, a CI script automatically creates, signs and uploads the ISOs. Our developers may only trigger the build.

3 Likes

Thanks for your clarification !

This is because the trust database is only writable by root, and you ran pacman-key as an ordinary user.