What did I do wrong? Tried to verify a download and could't confirm integrity of file source

mark@mark-optiplex390 ~]$ cd Downloads
[mark@mark-optiplex390 Downloads]$ sha1sum manjaro-xfce-21.0.3-210428-linux510.iso
7d2c0fc26fcb48abcc4720c648838c56c2cf18cb  manjaro-xfce-21.0.3-210428-linux510.iso
[mark@mark-optiplex390 Downloads]$ wget gitlab.manjaro.org/packages/core/manjaro-keyring/-/raw/master/manjaro.gpg
URL transformed to HTTPS due to an HSTS policy
--2021-05-02 04:08:58--  https://gitlab.manjaro.org/packages/core/manjaro-keyring/-/raw/master/manjaro.gpg
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving gitlab.manjaro.org (gitlab.manjaro.org)... 195.201.101.32, 2a01:4f8:c2c:c956::1
Connecting to gitlab.manjaro.org (gitlab.manjaro.org)|195.201.101.32|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 175369 (171K) [text/plain]
Saving to: ‘manjaro.gpg’

manjaro.gpg         100%[===================>] 171.26K   352KB/s    in 0.5s    

2021-05-02 04:08:59 (352 KB/s) - ‘manjaro.gpg’ saved [175369/175369]

[mark@mark-optiplex390 Downloads]$ gpg --import manjaro.gpg
gpg: key FD847358FF20E35C: "Anupam Basak <anupam@manjaro.org>" not changed
gpg: key 5BD96CC4247B52CC: 1 signature not checked due to a missing key
gpg: key 5BD96CC4247B52CC: "Guillaume Benoit (Guinux) <guillaume@manjaro.org>" not changed
gpg: key CAA6A59611C7F07E: 3 signatures not checked due to missing keys
gpg: key CAA6A59611C7F07E: "Philip Müller (Called Little) <philm@manjaro.org>" not changed
gpg: key 363DFFFD59152F77: 1 signature not checked due to a missing key
gpg: key 363DFFFD59152F77: "Roland Singer (Manjaro Linux) <roland@manjaro.org>" not changed
gpg: key 2B80869C5C0102A6: 2 signatures not checked due to missing keys
gpg: key 2B80869C5C0102A6: "Rob McCathie <korrode@gmail.com>" not changed
gpg: key 8934292D604F8BA2: 1 signature not checked due to a missing key
gpg: key 8934292D604F8BA2: "Alexandru Ianu <alexandru@manjaro.org>" not changed
gpg: key 2C089F09AC97B894: 1 signature not checked due to a missing key
gpg: key 2C089F09AC97B894: "Ramon Buldó <ramon@manjaro.org>" not changed
gpg: key 137C934B5DCB998E: 1 signature not checked due to a missing key
gpg: key 137C934B5DCB998E: "artoo <flower_of_life@gmx.net>" not changed
gpg: key 62443D89B35859F8: 1 signature not checked due to a missing key
gpg: key 62443D89B35859F8: "artoo (manjaro.org) <flower_of_life@gmx.net>" not changed
gpg: key DAD3B211663CA268: 18 signatures not checked due to missing keys
gpg: key DAD3B211663CA268: "Bernhard Landauer <oberon@manjaro.org>" not changed
gpg: key 8DB9F8C18DF53602: 1 signature not checked due to a missing key
gpg: key 8DB9F8C18DF53602: "Stefano Capitani <stefano@manjaro.org>" not changed
gpg: key 7EC47C82A42D53A2: "kendell clark <kendell@manjaro.org>" not changed
gpg: key E3B3F44AC45EE0AA: "artoo-manjaro <artoo@manjaro.org>" not changed
gpg: key 9C08A255442FAFF0: "Jonathon Fernyhough <jonathon@manjaro.org>" not changed
gpg: key 17C752B61B2F2E90: "Frede Hundewadt <fh@manjaro.org>" not changed
gpg: key 8238651DDF5E0594: "Matti Hyttinen <matti@manjaro.org>" not changed
gpg: key 1817DC63CD3B5DF5: "Thanos Apostolou (manjaro maintainer) <thanos@manjaro.org>" not changed
gpg: key CEE477135C5872B0: 22 signatures not checked due to missing keys
gpg: key CEE477135C5872B0: "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" not changed
gpg: key 084A7FC0035B1D49: 1 duplicate signature removed
gpg: key 084A7FC0035B1D49: 9 signatures not checked due to missing keys
gpg: key 084A7FC0035B1D49: 1 signature reordered
gpg: key 084A7FC0035B1D49: "Dan Johansen (Manjaro) <strit@manjaro.org>" not changed
gpg: key 150C200743ED46D8: "Mark Wagie <mark@manjaro.org>" not changed
gpg: key 279E7CF5D8D56EC8: "Manjaro Build Server <build@manjaro.org>" not changed
gpg: key 70FBB189B338D5DF: 2 signatures not checked due to missing keys
gpg: key 70FBB189B338D5DF: "Manjaro-ARM Build Server <build-arm@manjaro-arm.org>" not changed
gpg: Total number processed: 22
gpg:              unchanged: 22
[mark@mark-optiplex390 Downloads]$ gpg --verify manjaro-xfce-21.0.3-210428-linux510.iso.sig
gpg: assuming signed data in 'manjaro-xfce-21.0.3-210428-linux510.iso'
gpg: Signature made Wed 28 Apr 2021 05:10:21 AM CDT
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3B79 4DE6 D432 0FCE 594F  4171 279E 7CF5 D8D5 6EC8
[mark@mark-optiplex390 Downloads]$
1 Like

Hi @mlytle0,

  1. Please wrap any future posts’ console outputs/commands in 3 backticks (```). This will cause it to render like this,
Interdum erat diam consectetur
phasellus fusce congue euismod
arcu placerat placerat fusce tincidunt
maximus scelerisque purus a
tristique maecenas metus vel massa
congue facilisis morbi.

Consectetur metus leo metus tincidunt
tortor arcu vivamus consectetur metus
sed aliquam rutrum maximus vel orci
sed tortor tortor quam lorem quisque
nec leo consectetur.

instead of like this

Interdum erat diam consectetur phasellus fusce congue euismod arcu placerat placerat fusce tincidunt maximus scelerisque purus a tristique maecenas metus vel massa congue facilisis morbi.

Consectetur metus leo metus tincidunt tortor arcu vivamus consectetur metus sed aliquam rutrum maximus vel orci sed tortor tortor quam lorem quisque nec leo consectetur.

This just makes it a lot easier for those of us trying to help you, read it.

  1. Have a look at [HowTo] SHA self-checks an ISO, ARM-img.xz and any type of installer or file for batch (script)
2 Likes

Up to here, everything seems normal to me, it is the order to perform the calculation.
and below the result of the sha1 format.

the rest of the orders and exits seems to me an attempt to do the verification via the internet.

possibly the problem is the path to the file on the server.

Also, according to my own experience, the ISO versions that we download from the official website of manjaro is not the same as the server here:

I would say that the checks via the internet are not very reliable for now.

This indicates that the signature did indeed sign the file you have.
If you trust the signature or not is up to you.

PS: The Manjaro Build Server is what builds the ISO. :wink: