Verification of Manjaro GPG signature

I am using Manjaro:

neofetch >> OS: Manjaro Linux x86_64
            Kernel: 5.15

Thanks for your answer.

No, what OP is asking about has absolutely nothing to do with the operating system. The warning is straightforward.

No, it’s not harmless. If it was harmless, the GnuPG/PGP developers would’ve made that an informational-type statement, not a warning.

Don’t give that advice out without detailing what the drawbacks are in doing so.

A good read.


If you’re using Manjaro, you should use pacman-key to verify the ISO. Manjaro’s keys are already in pacman, so you don’t need to import them.

pacman-key -v filename.sig

If you still get the warning about untrusted keys, you have a bigger problem.


Thanks for your answer! I don’t really know much about this stuff; I will read the Wikipedia article you provided :smiley:


I ran pacman-key -v manjaro-kde-21.2pre1-minimal-211119-linux515.iso.sig
and got this result:

==> Checking manjaro-kde-21.2pre1-minimal-211119-linux515.iso.sig... (detached)
gpg: Signature made Friday 19 November 2021 09:19:00 PM IST
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Note: trustdb not writable
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [full]

The signature is good! My only question is: what is this note: gpg: Note: trustdb not writable ?
Thanks for your time :smiley:

The file you downloaded was verified to be signed by the Manjaro dev, so you’re safe against man-in-the-middle tampering during the download of the ISO.

The warning, however, tells you that you, personally, did not actually verify that the downloaded key really belongs to the Manjaro Build Server. (Which you will never be able to.)


Thanks for your clarification :grin:

Why be so happy when you are misleading yourself?
If pacman-key shows no problem with the key, then why do you so easily ignore gpg’s warning?
But I understand you:

too much new info at the same time, not able to process all of it well.

Looks like pacman-key is a wrapper for gpg:
for the
pacman-key --verify manjaro-kde-21.2pre1-211119-linux515.iso.sig command
it creates a new thread with the following command line:

gpg --homedir /etc/pacman.d/gnupg/ --no-permission-warning --status-fd 1 --verify manjaro-kde-21.2pre1-211119-linux515.iso.sig manjaro-kde-21.2pre1-211119-linux515.iso 

So it trims gpg’s output and simply hides the warning that is actually present from you.
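The gpg command line quoted in the post above passes --status-fd 1, which makes gpg emit machine-readable "[GNUPG:] ..." lines next to the human-readable text. Those lines are what a verification script should act on, because the "Good signature from ..." line only repeats the user-ID text, and anyone can generate a key whose user ID reads "Manjaro Build Server <build@manjaro.org>"; what identifies the real key is its fingerprint. The Python below is an added example, not code from this thread or from Manjaro’s tooling: it parses the status output, pins the Manjaro Build Server fingerprint shown in the thread, and rejects a look-alike key or a tampered file. The status samples are constructed (SIG_ID, timestamps and hash algorithm are illustrative), and verify_iso assumes a gpg binary on PATH.

```python
"""Decide whether a `gpg --verify` run is acceptable from its --status-fd output.

Added example; not code from this thread or from Manjaro's tooling.
"Good signature" only says the .sig matches *some* key in the keyring; the
uncertified-key warning means gpg cannot vouch that the key is really Manjaro's.
Pinning the expected primary-key fingerprint closes that gap without editing trust.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Fingerprint of "Manjaro Build Server <build@manjaro.org>" as printed in the thread.
MANJARO_BUILD_SERVER_FPR = "3B794DE6D4320FCE594F4171279E7CF5D8D56EC8"

# Status keywords after which the file must not be accepted. EXPKEYSIG and REVKEYSIG
# still come with a "Good signature" line in the prose output, hence status parsing.
REJECT_KEYWORDS = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None  # primary-key fingerprint behind the signature
    trust: Optional[str] = None        # TRUST_* keyword gpg emitted; informational only


def gpg_verify_command(sig_path: str, data_path: str,
                       homedir: Optional[str] = None,
                       keyring: Optional[str] = None) -> List[str]:
    """homedir="/etc/pacman.d/gnupg" reproduces what pacman-key --verify runs;
    keyring="manjaro.gpg" checks against a downloaded keyring file without
    importing anything into ~/.gnupg."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--no-permission-warning"]
    if homedir:
        cmd += ["--homedir", homedir]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    return cmd + ["--verify", sig_path, data_path]


def judge(status_output: str, expected_fpr: str) -> Verdict:
    """Accept only a VALIDSIG whose primary-key fingerprint equals expected_fpr.
    The keyring's trust level is reported but is not what decides."""
    expected = expected_fpr.replace(" ", "").upper()
    seen = {}
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable text, not a status line
        fields = line.split()
        seen[fields[1]] = fields[2:]
    for bad in REJECT_KEYWORDS:
        if bad in seen:
            return Verdict(False, f"gpg reported {bad}")
    if "VALIDSIG" not in seen:
        return Verdict(False, "no VALIDSIG status line; nothing was verified")
    # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <rsvd> <pk-algo> <hash-algo> <class> [<primary-fpr>]
    # Manjaro signs with the primary key, so both fingerprints are the same here.
    v = seen["VALIDSIG"]
    primary = (v[9] if len(v) > 9 else v[0]).upper()
    trust = next((k for k in seen if k.startswith("TRUST_")), None)
    if primary != expected:
        return Verdict(False, f"signature made by unexpected key {primary}", primary, trust)
    return Verdict(True, "VALIDSIG from the pinned Manjaro Build Server key", primary, trust)


def verify_iso(iso_path: str, sig_path: str, **gpg_opts) -> Verdict:
    """Run gpg (assumed to be on PATH) and judge its status output."""
    proc = subprocess.run(gpg_verify_command(sig_path, iso_path, **gpg_opts),
                          capture_output=True, text=True)
    return judge(proc.stdout, MANJARO_BUILD_SERVER_FPR)


# Constructed sample: the thread's run against a fresh ~/.gnupg as gpg reports it on
# --status-fd ("[unknown]" trust). SIG_ID, timestamps and hash algorithm are illustrative.
STATUS_UNKNOWN_TRUST = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8 0
[GNUPG:] SIG_ID 2aLmQ1o7T9ZdR3v8Xx1w5Yk9cQE 2021-10-17 1634492215
[GNUPG:] GOODSIG 279E7CF5D8D56EC8 Manjaro Build Server <build@manjaro.org>
[GNUPG:] VALIDSIG 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8 2021-10-17 1634492215 0 4 0 1 10 00 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: a key an attacker generated with the same user-ID text. gpg would still
# print "Good signature from Manjaro Build Server <build@manjaro.org>" for it.
LOOKALIKE_FPR = "DEADBEEF" + "0" * 31 + "1"
STATUS_LOOKALIKE_KEY = STATUS_UNKNOWN_TRUST.replace(
    MANJARO_BUILD_SERVER_FPR, LOOKALIKE_FPR).replace(
    "GOODSIG 279E7CF5D8D56EC8", "GOODSIG " + LOOKALIKE_FPR[-16:])

# Constructed: the ISO was modified after it was signed.
STATUS_BAD = ("[GNUPG:] NEWSIG\n"
              "[GNUPG:] BADSIG 279E7CF5D8D56EC8 Manjaro Build Server <build@manjaro.org>\n")

if __name__ == "__main__":
    for name, status in (("fresh ~/.gnupg", STATUS_UNKNOWN_TRUST),
                         ("look-alike key", STATUS_LOOKALIKE_KEY),
                         ("tampered ISO", STATUS_BAD)):
        v = judge(status, MANJARO_BUILD_SERVER_FPR)
        print(f"{name:15} ok={v.ok} trust={v.trust} {v.reason}")
```

With the fingerprint pinned, TRUST_UNDEFINED versus TRUST_FULLY makes no difference to the verdict, which is why running this against a fresh ~/.gnupg and against /etc/pacman.d/gnupg gives the same answer. The pinned value has to come from somewhere other than the mirror that served the ISO and .sig, for example the manjaro-keyring package on an already installed system or the how-to page linked earlier in the thread.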


I was unable to find a single word that is wrong in merlock’s post above.


Oh, so the pacman-key command just hides the warning that gpg was previously showing, interesting. I was a bit confused, so I am asking you: with my current gpg output, is the ISO actually safe to use, or do I have to do any additional steps? Also, can’t MITM attacks be avoided if I just download it using the official .torrent file? I’m still learning! Thanks for your answer :smiley:

I have lived with that problem unresolved for a couple of years :slight_smile:
Good signature? Hash sums matched. OK. But I think it is weak behaviour not to understand it fully.
You released a new wave of the same unresolved question I have (you saw, I liked your question).


I think that the problem is not so much about using torrent shares only :slight_smile:
I think the problem is our current weakness in searching for it and understanding it fully.

Yeah, the SHA1 hash matches. And this problem has been happening to you for years! Well, I am still trying to figure this out :slightly_smiling_face:

Yeah, I agree, the key to this problem is to first understand it fully!!

Believe me, it is much better to try to learn GNU/Linux and Manjaro closely: it is more useful at the current newbie stage; it is the crucial part.
And after a couple of years you will like someone’s post who asks the same about gpg keys :))))

Save your efforts to be more productive and more developed in the Linux stuff you will use often, instead of going deep into a rare gpg case, getting tired of it and leaving the GNU/Linux ecosystem :slight_smile:


The warning can be ignored. For most of the OSs whose signatures you check, there is no trust in that signature anyway. As long as it says it is a good signature, it is good. More about web of trust here.

Besides the checksums, the ISO only boots when it matches the internal checksums of each squashfs image on the ISO during bootup. It is pretty hard to tamper with our ISOs.

If you really want to trust the software, you can always create your own ISO with our tools.

And by the way, a CI script automatically creates, signs and uploads the ISOs. Our developers may only trigger the build.


Thanks for your clarification !

This is because the trust database is only writable by root, and you ran pacman-key as an ordinary user.

pacman-key uses pacman’s gpg database instead of the user’s. That’s why there was no warning of an untrusted key. Pacman already trusts Manjaro’s signing keys.


That’s because pacman-key must be run with elevated permissions. See pacman/Package signing - ArchWiki

Note that the Arch Wiki article only specifically applies to Arch, however the same premise applies to Manjaro as well.


I did some research on it and reached this conclusion: it is a keyring setup-related issue (how you configure your local keyring), and it can be ignored by the user or fixed by the user in:
-) 2 ways for any OS,
-) one more way for Manjaro OS.


The issue origin

gpg --import imports keys into the local keyring, by default located at the ~/.gnupg path.
When gpg --verify finishes and shows

gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [unknown]

it is already good and enough for a user to know that the verification of the file passed successfully.

To add keys, the user selected their own way to do it (according to the current state of How-to verify GPG key of official .ISO images - Manjaro, the sources of keys are:
a) wget gitlab.manjaro.org/packages/core/manjaro-keyring/-/raw/master/manjaro.gpg
or
b) gpg --keyserver keyserver.ubuntu.com --search-keys Manjaro Build Server)

The gpg app does not know where the user got the keys. The keys were added with an unknown trust level.

So a user should configure the local key to be trusted or not, depending on whether the keys were imported by the user from a trusted source or not. The user should tell gpg’s local keyring database: I trust the key because I trust that source; I know it is good.

That’s the point of the warning message: the keys were imported but still remain non-trusted in gpg’s local keyring database.


2 ways in which this warning can be fixed on every OS, including Manjaro

Removing the previous local keyring, creating the local keyrings from scratch and importing the Manjaro keys:

~/Desktop ❯ rm -r ~/.gnupg
~/Desktop ❯ ls -A1 ~/.gnupg                  
ls: cannot access '/home/m/.gnupg': No such file or directory
~/Desktop ❯ gpg --import manjaro.gpg                                 
...
gpg: Total number processed: 24
gpg:               imported: 24
gpg: no ultimately trusted keys found
~/Desktop ❯ ls -A1 ~/.gnupg         
private-keys-v1.d
pubring.kbx
pubring.kbx~
trustdb.gpg

Let’s see how the just-imported keys work:

~/Desktop ❯ gpg --verify images/stable\ images_old/manjaro-kde-21.1.6-minimal-211017-linux513.iso.sig
gpg: assuming signed data in 'images/stable images_old/manjaro-kde-21.1.6-minimal-211017-linux513.iso'
gpg: Signature made Sun 17 Oct 2021 20:36:55 MSK
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3B79 4DE6 D432 0FCE 594F  4171 279E 7CF5 D8D5 6EC8

OK, we got that warning.
I know that currently the ISO images are signed by the Manjaro Build Server key.
Let’s check it:

~/Desktop ❯ gpg --list-keys "Manjaro Build Server"
pub   rsa3072 2020-10-28 [SC] [expires: 2022-10-28]
      3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
uid           [ unknown] Manjaro Build Server <build@manjaro.org>
sub   rsa3072 2020-10-28 [E] [expires: 2022-10-28]

We see the unknown value of the key’s trust level property.

Now it’s time to choose the way we will fix it:

Way 1: Locally sign this public key
~/Desktop ❯ gpg --lsign-key "Manjaro Build server"                                          

pub  rsa3072/279E7CF5D8D56EC8
     created: 2020-10-28  expires: 2022-10-28  usage: SC  
     trust: unknown       validity: unknown
sub  rsa3072/890DF5D5A286BBC1
     created: 2020-10-28  expires: 2022-10-28  usage: E   
[ unknown] (1). Manjaro Build Server <build@manjaro.org>

gpg: no default secret key: No secret key

Key not changed so no update needed.
~/Desktop ❯ gpg --list-secret-keys                
~/Desktop ❯ 
~/Desktop ❯ gpg --generate-key    
gpg (GnuPG) 2.2.32; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: my_name
Email address: my_address@my_server.domain
You selected this USER-ID:
    "my_name <my_address@my_server.domain>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 80CD95D88E9ACE3A marked as ultimately trusted
gpg: directory '/home/m/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/m/.gnupg/openpgp-revocs.d/425BAF5A3EDE656FF81F165480CD95D88E9ACE3A.rev'
public and secret key created and signed.

pub   rsa3072 2021-12-05 [SC] [expires: 2023-12-05]
      425BAF5A3EDE656FF81F165480CD95D88E9ACE3A
uid                      my_name <my_address@my_server.domain>
sub   rsa3072 2021-12-05 [E] [expires: 2023-12-05]
~/Desktop ❯ gpg --lsign-key "Manjaro Build server"

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-12-05
pub  rsa3072/279E7CF5D8D56EC8
     created: 2020-10-28  expires: 2022-10-28  usage: SC  
     trust: unknown       validity: unknown
sub  rsa3072/890DF5D5A286BBC1
     created: 2020-10-28  expires: 2022-10-28  usage: E   
[ unknown] (1). Manjaro Build Server <build@manjaro.org>


pub  rsa3072/279E7CF5D8D56EC8
     created: 2020-10-28  expires: 2022-10-28  usage: SC  
     trust: unknown       validity: unknown
 Primary key fingerprint: 3B79 4DE6 D432 0FCE 594F  4171 279E 7CF5 D8D5 6EC8

     Manjaro Build Server <build@manjaro.org>

This key is due to expire on 2022-10-28.
Are you sure that you want to sign this key with your
key "my_name <my_address@my_server.domain>" (80CD95D88E9ACE3A)

The signature will be marked as non-exportable.

Really sign? (y/N) y
~/Desktop ❯ gpg --list-keys "Manjaro Build server"                                                   
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2022-10-28
pub   rsa3072 2020-10-28 [SC] [expires: 2022-10-28]
      3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
uid           [  full  ] Manjaro Build Server <build@manjaro.org>
sub   rsa3072 2020-10-28 [E] [expires: 2022-10-28]
~/Desktop ❯ gpg --verify images/stable\ images_old/manjaro-kde-21.1.6-minimal-211017-linux513.iso.sig
gpg: assuming signed data in 'images/stable images_old/manjaro-kde-21.1.6-minimal-211017-linux513.iso'
gpg: Signature made Sun 17 Oct 2021 20:36:55 MSK
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [full]
~/Desktop ❯ 

or

Way 2: Set trust level for the key
~/Desktop ❯ gpg --edit-key "Manjaro Build server" 
gpg (GnuPG) 2.2.32; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa3072/279E7CF5D8D56EC8
     created: 2020-10-28  expires: 2022-10-28  usage: SC  
     trust: unknown       validity: unknown
sub  rsa3072/890DF5D5A286BBC1
     created: 2020-10-28  expires: 2022-10-28  usage: E   
[ unknown] (1). Manjaro Build Server <build@manjaro.org>

gpg> trust
pub  rsa3072/279E7CF5D8D56EC8
     created: 2020-10-28  expires: 2022-10-28  usage: SC  
     trust: unknown       validity: unknown
sub  rsa3072/890DF5D5A286BBC1
     created: 2020-10-28  expires: 2022-10-28  usage: E   
[ unknown] (1). Manjaro Build Server <build@manjaro.org>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  rsa3072/279E7CF5D8D56EC8
     created: 2020-10-28  expires: 2022-10-28  usage: SC  
     trust: ultimate      validity: unknown
sub  rsa3072/890DF5D5A286BBC1
     created: 2020-10-28  expires: 2022-10-28  usage: E   
[ unknown] (1). Manjaro Build Server <build@manjaro.org>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit
~/Desktop ❯ gpg --list-keys "Manjaro Build server"                                                   
pub   rsa3072 2020-10-28 [SC] [expires: 2022-10-28]
      3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
uid           [ultimate] Manjaro Build Server <build@manjaro.org>
sub   rsa3072 2020-10-28 [E] [expires: 2022-10-28]
~/Desktop ❯ gpg --verify images/stable\ images_old/manjaro-kde-21.1.6-minimal-211017-linux513.iso.sig
gpg: assuming signed data in 'images/stable images_old/manjaro-kde-21.1.6-minimal-211017-linux513.iso'
gpg: Signature made Sun 17 Oct 2021 20:36:55 MSK
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2022-10-28
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [ultimate]

Conclusion:
To prevent the warning, a user should tell the gpg key database whether to trust the key or not: only the user knows which way was chosen to get these public keys before importing them into the local keyring database. gpg just imports them and does not know whether to trust them or not; the user should tell the gpg key database.
So when a user finds any public key, it is their responsibility to get the key from an origin trusted by that user. The user should choose a source from which to get a public key.

These 2 ways are universal and can be used on every OS.
Note that some OSs have a different default path for gpg keys.


Way 3: verify the ISO file on Manjaro OS

If you have a Manjaro LiveCD or Manjaro OS installed, you have a pre-configured local keyring database: you do not need to gpg --import the keys, because the keyring was already created and came to you with the manjaro-keyring package pre-installed.

These keys are located at the /etc/pacman.d/gnupg path.

Instead of configuring another gpg home folder in place of the default one and some other options, you can use the simplified and adapted interface of pacman-key, a pre-configured wrapper for gpg with pre-defined (already bound) options in it.

It is part of the pacman package:

~/Desktop ❯ which pacman-key
/usr/bin/pacman-key
~/Desktop ❯ pacman -Qo $(which pacman-key)
/usr/bin/pacman-key is owned by pacman 6.0.1-2

Let’s check what we have there:

~/Desktop ❯ ls -A1 /etc/pacman.d/gnupg 
gpg-agent.conf
gpg.conf
.gpg-v21-migrated
openpgp-revocs.d
private-keys-v1.d
pubring.gpg
pubring.gpg~
secring.gpg
S.gpg-agent
S.gpg-agent.browser
S.gpg-agent.extra
S.gpg-agent.ssh
tofu.db
trustdb.gpg
~/Desktop ❯ sudo pacman-key --list-keys "Manjaro Build Server"                  
pub   rsa3072 2020-10-28 [SC] [expires: 2022-10-28]
      3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
uid           [  full  ] Manjaro Build Server <build@manjaro.org>
sub   rsa3072 2020-10-28 [E] [expires: 2022-10-28]

OK, we already have all the keys (including the one from Manjaro Build Server) and they are ready to use:

~/Desktop ❯ sudo pacman-key --verify images/stable\ images_old/manjaro-kde-21.1.6-minimal-211017-linux513.iso.sig
==> Checking images/stable images_old/manjaro-kde-21.1.6-minimal-211017-linux513.iso.sig... (detached)
gpg: Signature made Sun 17 Oct 2021 20:36:55 MSK
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [full]
~/Desktop ❯ 

Conclusion:
you can verify the ISO image signature on Manjaro OS via the pre-configured pacman-key wrapper of gpg.


So the payload of this post is that it:

a) describes in detail the origin of the warning and how keys work;
b) does not just say “yes”/“no”, but proves why the following statement-only posts were right:
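The three listings in the post above show the same key with "[ unknown]", "[  full  ]" and "[ultimate]" validity: after a fresh import, after gpg --lsign-key (Way 1), and after setting trust 5 in gpg --edit-key (Way 2). A script or CI job that wants to check that state, rather than reading it off the screen, should use gpg’s --with-colons listing, the machine-readable form documented in doc/DETAILS in the GnuPG source: field 2 of a pub record is the validity gpg computed, field 7 the expiry timestamp, and field 9 the owner-trust the user assigned. The Python below is an added example, not code from this thread or from Manjaro; the listings it parses are constructed to match the key data shown in the post (creation 2020-10-28, expiry 2022-10-28, key ID 279E7CF5D8D56EC8), with the UID hash and the subkey fingerprint as placeholders.

```python
"""Read a key's trust state from `gpg --with-colons --list-keys` output.

Added example; not code from this thread or from Manjaro. In the colon format
(GnuPG doc/DETAILS) field 2 of a pub record is the validity gpg computed, field 7
the expiry timestamp and field 9 the owner-trust the user assigned.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

MANJARO_BUILD_SERVER_FPR = "3B794DE6D4320FCE594F4171279E7CF5D8D56EC8"

# Validity / owner-trust letters used in colon listings.
VALIDITY = {"o": "unknown", "i": "invalid", "d": "disabled", "r": "revoked",
            "e": "expired", "-": "unknown", "q": "undefined", "n": "never",
            "m": "marginal", "f": "full", "u": "ultimate", "": "unknown"}


@dataclass
class KeyState:
    fingerprint: str
    uid: str
    validity: str              # drives the [unknown]/[full]/[ultimate] tag in --verify
    ownertrust: str            # what `trust` in --edit-key sets
    expires: Optional[datetime]

    def usable_on(self, day: datetime) -> bool:
        return self.expires is None or day < self.expires


def parse_colon_listing(text: str) -> Dict[str, KeyState]:
    """Primary keys by fingerprint. Records after a `sub` line are ignored until
    the next `pub`, so the fpr attached to each key is the primary key's."""
    keys: Dict[str, KeyState] = {}
    current = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            exp = datetime.fromtimestamp(int(f[6]), tz=timezone.utc) if f[6] else None
            current = KeyState("", "", VALIDITY.get(f[1], f[1]), VALIDITY.get(f[8], f[8]), exp)
        elif f[0] == "fpr" and current is not None and not current.fingerprint:
            current.fingerprint = f[9].upper()
            keys[current.fingerprint] = current
        elif f[0] == "uid" and current is not None and not current.uid:
            current.uid = f[9]
        elif f[0] == "sub":
            current = None
    return keys


def assess(keys: Dict[str, KeyState], expected_fpr: str, today_iso: str) -> str:
    """Say what `gpg --verify` will do with a signature from expected_fpr on today_iso."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    k = keys.get(expected_fpr.replace(" ", "").upper())
    if k is None:
        return "expected key is not in this keyring: import manjaro.gpg first"
    if not k.usable_on(today):
        return f"key expired on {k.expires:%Y-%m-%d}: refresh the keyring, do not edit trust"
    if k.validity in ("full", "ultimate"):
        return f"validity {k.validity}: --verify prints [{k.validity}] and no warning"
    return (f"validity {k.validity}, ownertrust {k.ownertrust}: --verify will warn; "
            "pin the fingerprint in your script or lsign the key")


# Constructed listing matching the key data shown in the post (creation 2020-10-28,
# expiry 2022-10-28, keyid 279E7CF5D8D56EC8). UID hash and subkey fpr are placeholders.
PUB_FRESH = "pub:-:3072:1:279E7CF5D8D56EC8:1603843200:1666915200::-:::scESC::::::23::0:"
LISTING_FRESH = "\n".join([
    "tru::1:1638700000:1666915200:3:1:5",
    PUB_FRESH,
    "fpr:::::::::3B794DE6D4320FCE594F4171279E7CF5D8D56EC8:",
    "uid:-::::1603843200::0123456789ABCDEF0123456789ABCDEF01234567::"
    "Manjaro Build Server <build@manjaro.org>::::::::::0:",
    "sub:-:3072:1:890DF5D5A286BBC1:1603843200:1666915200:::::e::::::23:",
    "fpr:::::::::" + "0" * 24 + "890DF5D5A286BBC1:",
]) + "\n"
# After Way 1 (--lsign-key with your own key): validity f, owner-trust untouched.
LISTING_LSIGNED = LISTING_FRESH.replace(PUB_FRESH, PUB_FRESH.replace("pub:-:", "pub:f:", 1))
# After Way 2 (trust 5): owner-trust u, which makes validity u as well.
LISTING_ULTIMATE = LISTING_FRESH.replace(
    PUB_FRESH, PUB_FRESH.replace("pub:-:", "pub:u:", 1).replace("::-:::scESC", "::u:::scESC"))

if __name__ == "__main__":
    for label, listing in (("fresh", LISTING_FRESH), ("lsigned", LISTING_LSIGNED),
                           ("ultimate", LISTING_ULTIMATE)):
        state = parse_colon_listing(listing)
        print(label, "->", assess(state, MANJARO_BUILD_SERVER_FPR, "2021-12-05"))
    print("2023 ->", assess(parse_colon_listing(LISTING_FRESH), MANJARO_BUILD_SERVER_FPR, "2023-01-01"))
```

Expiry is the case worth scripting for: the key shown expires on 2022-10-28, after which gpg reports EXPKEYSIG for signatures made earlier and lists the key as expired, and the fix is a refreshed keyring (on Manjaro, an updated manjaro-keyring package), not a trust edit. Note also that Way 2 gives the key ultimate owner-trust, so any key it certifies becomes fully valid in that keyring, which is more than checking ISO signatures needs; Way 1 only marks this one key as valid, and gpg’s --trusted-key option does the same for a single invocation without writing to the trustdb.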

