Verification of Manjaro GPG signature

pacman-key uses pacman’s gpg database instead of the user’s. That’s why there was no warning of an untrusted key. Pacman already trusts Manjaro’s signing keys.


That’s because pacman-key must be run with elevated permissions. See pacman/Package signing - ArchWiki

Note that the Arch Wiki article specifically applies only to Arch; however, the same premise applies to Manjaro as well.


I did some research on it and came to the conclusion: it is a keyring setup-related issue (how you configure your local keyring), and it can be ignored by the user or fixed by the user in:
-) 2 ways for any OS,
-) one more way for Manjaro OS.


The issue origin

gpg --import imports keys into the local keyring, located by default at the ~/.gnupg path.
When gpg --verify finishes and shows

gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [unknown]

it is already good enough for a user to know that the verification of the file passed successfully.

To add keys, the user selected their own way to do it (according to the current state of How-to verify GPG key of official .ISO images - Manjaro, the sources of keys are:
a) wget gitlab.manjaro.org/packages/core/manjaro-keyring/-/raw/master/manjaro.gpg
or
b) gpg --keyserver keyserver.ubuntu.com --search-keys Manjaro Build Server)

The gpg app does not know where the user got the keys. The keys were added with an unknown trust level.

So a user should configure the local key to be trusted or not - whether the keys were imported by the user from a trusted source or not. The user should tell the gpg local keyring database: I trust the key because I trust that source, I know it is good.

That’s the point of the warning message: the keys were imported but still remain untrusted in gpg's local keyring database.


2 ways in which this warning can be fixed on every OS, including Manjaro

Removing the previous local keyring, creating the local keyrings from scratch and importing the Manjaro keys:

~/Desktop ❯ rm -r ~/.gnupg
~/Desktop ❯ ls -A1 ~/.gnupg                  
ls: cannot access '/home/m/.gnupg': No such file or directory
~/Desktop ❯ gpg --import manjaro.gpg                                 
...
gpg: Total number processed: 24
gpg:               imported: 24
gpg: no ultimately trusted keys found
~/Desktop ❯ ls -A1 ~/.gnupg         
private-keys-v1.d
pubring.kbx
pubring.kbx~
trustdb.gpg

Let’s see how the just-imported keys work:

~/Desktop ❯ gpg --verify images/stable\ images_old/manjaro-kde-21.1.6-minimal-211017-linux513.iso.sig
gpg: assuming signed data in 'images/stable images_old/manjaro-kde-21.1.6-minimal-211017-linux513.iso'
gpg: Signature made Sun 17 Oct 2021 20:36:55 MSK
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3B79 4DE6 D432 0FCE 594F  4171 279E 7CF5 D8D5 6EC8

OK, we got that warning.
I know that currently the ISO images are signed with the Manjaro Build Server signature.
Let’s check it:

~/Desktop ❯ gpg --list-keys "Manjaro Build Server"
pub   rsa3072 2020-10-28 [SC] [expires: 2022-10-28]
      3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
uid           [ unknown] Manjaro Build Server <build@manjaro.org>
sub   rsa3072 2020-10-28 [E] [expires: 2022-10-28]

We see that the trust level property of the key has the value unknown.

Now it’s time to choose the way we will fix it:

Way 1: Locally sign this public key
~/Desktop ❯ gpg --lsign-key "Manjaro Build server"                                          

pub  rsa3072/279E7CF5D8D56EC8
     created: 2020-10-28  expires: 2022-10-28  usage: SC  
     trust: unknown       validity: unknown
sub  rsa3072/890DF5D5A286BBC1
     created: 2020-10-28  expires: 2022-10-28  usage: E   
[ unknown] (1). Manjaro Build Server <build@manjaro.org>

gpg: no default secret key: No secret key

Key not changed so no update needed.
~/Desktop ❯ gpg --list-secret-keys                
~/Desktop ❯ 
~/Desktop ❯ gpg --generate-key    
gpg (GnuPG) 2.2.32; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: my_name
Email address: my_address@my_server.domain
You selected this USER-ID:
    "my_name <my_address@my_server.domain>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 80CD95D88E9ACE3A marked as ultimately trusted
gpg: directory '/home/m/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/m/.gnupg/openpgp-revocs.d/425BAF5A3EDE656FF81F165480CD95D88E9ACE3A.rev'
public and secret key created and signed.

pub   rsa3072 2021-12-05 [SC] [expires: 2023-12-05]
      425BAF5A3EDE656FF81F165480CD95D88E9ACE3A
uid                      my_name <my_address@my_server.domain>
sub   rsa3072 2021-12-05 [E] [expires: 2023-12-05]
~/Desktop ❯ gpg --lsign-key "Manjaro Build server"

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-12-05
pub  rsa3072/279E7CF5D8D56EC8
     created: 2020-10-28  expires: 2022-10-28  usage: SC  
     trust: unknown       validity: unknown
sub  rsa3072/890DF5D5A286BBC1
     created: 2020-10-28  expires: 2022-10-28  usage: E   
[ unknown] (1). Manjaro Build Server <build@manjaro.org>


pub  rsa3072/279E7CF5D8D56EC8
     created: 2020-10-28  expires: 2022-10-28  usage: SC  
     trust: unknown       validity: unknown
 Primary key fingerprint: 3B79 4DE6 D432 0FCE 594F  4171 279E 7CF5 D8D5 6EC8

     Manjaro Build Server <build@manjaro.org>

This key is due to expire on 2022-10-28.
Are you sure that you want to sign this key with your
key "my_name <my_address@my_server.domain>" (80CD95D88E9ACE3A)

The signature will be marked as non-exportable.

Really sign? (y/N) y
~/Desktop ❯ gpg --list-keys "Manjaro Build server"                                                   
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2022-10-28
pub   rsa3072 2020-10-28 [SC] [expires: 2022-10-28]
      3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
uid           [  full  ] Manjaro Build Server <build@manjaro.org>
sub   rsa3072 2020-10-28 [E] [expires: 2022-10-28]
~/Desktop ❯ gpg --verify images/stable\ images_old/manjaro-kde-21.1.6-minimal-211017-linux513.iso.sig
gpg: assuming signed data in 'images/stable images_old/manjaro-kde-21.1.6-minimal-211017-linux513.iso'
gpg: Signature made Sun 17 Oct 2021 20:36:55 MSK
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [full]
~/Desktop ❯ 

or

Way 2: Set trust level for the key
~/Desktop ❯ gpg --edit-key "Manjaro Build server" 
gpg (GnuPG) 2.2.32; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa3072/279E7CF5D8D56EC8
     created: 2020-10-28  expires: 2022-10-28  usage: SC  
     trust: unknown       validity: unknown
sub  rsa3072/890DF5D5A286BBC1
     created: 2020-10-28  expires: 2022-10-28  usage: E   
[ unknown] (1). Manjaro Build Server <build@manjaro.org>

gpg> trust
pub  rsa3072/279E7CF5D8D56EC8
     created: 2020-10-28  expires: 2022-10-28  usage: SC  
     trust: unknown       validity: unknown
sub  rsa3072/890DF5D5A286BBC1
     created: 2020-10-28  expires: 2022-10-28  usage: E   
[ unknown] (1). Manjaro Build Server <build@manjaro.org>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  rsa3072/279E7CF5D8D56EC8
     created: 2020-10-28  expires: 2022-10-28  usage: SC  
     trust: ultimate      validity: unknown
sub  rsa3072/890DF5D5A286BBC1
     created: 2020-10-28  expires: 2022-10-28  usage: E   
[ unknown] (1). Manjaro Build Server <build@manjaro.org>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit
~/Desktop ❯ gpg --list-keys "Manjaro Build server"                                                   
pub   rsa3072 2020-10-28 [SC] [expires: 2022-10-28]
      3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
uid           [ultimate] Manjaro Build Server <build@manjaro.org>
sub   rsa3072 2020-10-28 [E] [expires: 2022-10-28]
~/Desktop ❯ gpg --verify images/stable\ images_old/manjaro-kde-21.1.6-minimal-211017-linux513.iso.sig
gpg: assuming signed data in 'images/stable images_old/manjaro-kde-21.1.6-minimal-211017-linux513.iso'
gpg: Signature made Sun 17 Oct 2021 20:36:55 MSK
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2022-10-28
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [ultimate]

Conclusion:
To prevent the warning, a user should tell the gpg key database whether to trust the key or not: only the user knows which way was chosen to get these public keys before importing them into the local keyring database. gpg just imports them and does not know whether to trust them or not - the user should tell the gpg key database.
So when a user finds any public key, it is their responsibility to get the key from an origin trusted by that user. The user should choose the source from which to get a public key.

These 2 ways are universal and can be used on any OS.
Note that some OSes have a different default path for gpg keys.


Way 3: verify ISO file on Manjaro OS

If you have a Manjaro LiveCD or Manjaro OS installed, you have a pre-configured local keyring database: you do not need to gpg --import them, because the keyring was already created and came to you with the manjaro-keyrings package pre-installed.

These keys are located at the /etc/pacman.d/gnupg path.

Instead of configuring another gpg home folder in place of the default one and some other options, you can use the simplified and adapted API of pacman-key, a pre-configured wrapper for gpg with pre-defined (already bound) options in it.

It is part of the pacman package:

~/Desktop ❯ which pacman-key
/usr/bin/pacman-key
~/Desktop ❯ pacman -Qo $(which pacman-key)
/usr/bin/pacman-key is owned by pacman 6.0.1-2

Let’s check what we have there:

~/Desktop ❯ ls -A1 /etc/pacman.d/gnupg 
gpg-agent.conf
gpg.conf
.gpg-v21-migrated
openpgp-revocs.d
private-keys-v1.d
pubring.gpg
pubring.gpg~
secring.gpg
S.gpg-agent
S.gpg-agent.browser
S.gpg-agent.extra
S.gpg-agent.ssh
tofu.db
trustdb.gpg
~/Desktop ❯ sudo pacman-key --list-keys "Manjaro Build Server"                  
pub   rsa3072 2020-10-28 [SC] [expires: 2022-10-28]
      3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
uid           [  full  ] Manjaro Build Server <build@manjaro.org>
sub   rsa3072 2020-10-28 [E] [expires: 2022-10-28]

OK, we already have all the keys (including the one from Manjaro Build Server) and they are ready to use:

~/Desktop ❯ sudo pacman-key --verify images/stable\ images_old/manjaro-kde-21.1.6-minimal-211017-linux513.iso.sig
==> Checking images/stable images_old/manjaro-kde-21.1.6-minimal-211017-linux513.iso.sig... (detached)
gpg: Signature made Sun 17 Oct 2021 20:36:55 MSK
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [full]
~/Desktop ❯ 

Conclusion:
You can verify the ISO image signature on Manjaro OS via the pre-configured pacman-key wrapper for gpg.


So the payload of this post is that it:

a) describes in detail the origin of the warning and how the key works;
b) does not just say “yes”/“no”, but proves why the statement-only replies above were right:
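The post's point that "Good signature ... [unknown]" already means the signature checked out, and that trust is a separate local decision, suggests a check that pins the expected primary-key fingerprint rather than marking the key ultimately trusted. This is an added example, not code from the post or from Manjaro: the status lines are a constructed sample of what `gpg --status-fd 1 --verify` emits for the scenario shown above, and the function name is an assumption.

```python
# Primary-key fingerprint of the Manjaro Build Server key, as shown on the
# page. Pinning it is what makes an "[unknown]" trust level acceptable.
MANJARO_BUILD_SERVER_FPR = "3B79 4DE6 D432 0FCE 594F 4171 279E 7CF5 D8D5 6EC8"

# Constructed sample of `gpg --status-fd 1 --verify x.iso.sig x.iso` output
# for the page's scenario: good signature, key imported but not trusted.
SAMPLE_STATUS_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8 0
[GNUPG:] SIG_ID 0123456789abcdefABCDEF0123456789 2021-10-17 1634495815
[GNUPG:] GOODSIG 279E7CF5D8D56EC8 Manjaro Build Server <build@manjaro.org>
[GNUPG:] VALIDSIG 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8 2021-10-17 1634495815 0 4 0 1 10 00 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def verify_status(status_text, expected_fpr):
    """Return (ok, reason). ok is True only if gpg reported VALIDSIG and the
    primary-key fingerprint equals expected_fpr; the TRUST_* line is only
    reported, it does not decide the result."""
    expected = expected_fpr.replace(" ", "").upper()
    primary_fpr = None
    trust = "unknown"
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable gpg chatter, not a status line
        fields = line.split()
        keyword = fields[1]
        if keyword == "VALIDSIG":
            # fields[2] is the signing (sub)key fpr; fields[11], when present,
            # is the primary-key fpr, which is what the page pins.
            primary_fpr = fields[11] if len(fields) > 11 else fields[2]
        elif keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, keyword  # never accept a bad, expired or revoked sig
        elif keyword.startswith("TRUST_"):
            trust = keyword[len("TRUST_"):].lower()
    if primary_fpr is None:
        return False, "no VALIDSIG"
    if primary_fpr.upper() != expected:
        return False, "fingerprint mismatch: " + primary_fpr
    return True, "valid signature by pinned key (trust: %s)" % trust


if __name__ == "__main__":
    print(verify_status(SAMPLE_STATUS_UNTRUSTED, MANJARO_BUILD_SERVER_FPR))
```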

