
#1 2016-05-09 05:48:44

HussamAbdulaal
Member
Registered: 2016-05-09
Posts: 2

[Solved] Verifying ISO through GPG

Hi,

I'm trying to verify the ISO image, and I had an ambiguous output. It's a good signature, but not trusted! Can anyone explain the meaning of this output, and if it's okay for me to continue with the installation process?

gpg: Signature made Sun 01 May 2016 07:12:39 AM EET using RSA key ID 9741E8AC
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

Last edited by HussamAbdulaal (2016-05-09 13:46:03)

Offline

#2 2016-05-09 05:52:01

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: [Solved] Verifying ISO through GPG


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#3 2016-05-09 07:11:12

HussamAbdulaal
Member
Registered: 2016-05-09
Posts: 2

Re: [Solved] Verifying ISO through GPG

Thank you for the quick reply. I think my problem is resolved now.

Offline

#4 2016-05-09 07:14:46

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: [Solved] Verifying ISO through GPG

Please remember to mark your thread as [Solved] by editing your first post and prepending it to the title.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#5 2016-05-12 15:53:20

beetlejayce
Member
Registered: 2016-05-12
Posts: 2

Re: [Solved] Verifying ISO through GPG

Hi,

I'm writing this post as I'm trying to switch OS to ArchLinux.

I have downloaded a recent ISO image with the same signature as indicated in the first post of this topic, Pierre Schmitz, which is referenced as a good signature by gnupg, a master key by the way.

However, the system reports that nothing ensures that the signature has been established by its owner.

I have read the link https://pierre-schmitz.com/trust-the-master-keys/ , however I have difficulty understanding it, as when I further investigate the sources:

- The full fingerprint (reported by my gnupg) for the signature is different from the one indicated on https://www.archlinux.org/master-keys/ referring to the signature owner
- My Firefox module indicates SSL certified by Let's Encrypt instead of StartCom Ltd for the page https://www.archlinux.org/master-keys/

I'm not familiar with security issues, I'm switching from Ubuntu OS.

Thank you in advance for your help!

Offline

#6 2016-05-12 16:19:45

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,541

Re: [Solved] Verifying ISO through GPG

beetlejayce wrote:

However, the system reports that nothing ensures that the signature has been established by its owner.

Simply, this means that you have not personally verified that the signature actually belongs to who it says it does, and you have not personally verified anyone else's signature that has then verified the signature in question.

Offline

#7 2016-05-12 16:30:08

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: [Solved] Verifying ISO through GPG

In the four years since that post, Arch Linux has switched to using Let's Encrypt for the affiliated websites. So that itself isn't very suspicious. :)
As the blog post says, you should work out your own way of verifying the authenticity of the master keys posted at https://www.archlinux.org/master-keys/
*Some* methods are suggested there.

BTW, the iso + sig I just downloaded is definitely signed by Pierre Schmitz's signing key (not his master key!).  That would be this one right here.
Again, it is up to you to establish independent verification that that is actually his signing key and not a fake. ;)


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline
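
An added example, not written by any poster in this thread: the distinction the replies above draw between a good signature and a key you have verified yourself, shown by parsing GnuPG's machine-readable status lines (`gpg --status-fd 1 --verify`). The status text, timestamp and 40-character fingerprints are constructed placeholders, and `pinned_fpr` stands for a fingerprint you have confirmed through your own independent channel.

```python
# Added example. Parses the machine-readable lines printed by
#   gpg --status-fd 1 --verify image.iso.sig image.iso   (file names are placeholders)
FAIL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
TRUST = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
         "TRUST_FULLY", "TRUST_ULTIMATE"}

def assess(status_text, pinned_fpr):
    """Return (verdict, trust); pinned_fpr is a fingerprint the caller has
    confirmed through an independent channel (assumption of this example)."""
    pinned = pinned_fpr.replace(" ", "").upper()
    good, fprs, trust = False, set(), None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue                       # skip human-readable "gpg: ..." lines
        kw, args = fields[1], fields[2:]
        if kw in FAIL:
            return ("no-good-signature", None)
        if kw == "GOODSIG":
            good = True
        elif kw == "VALIDSIG" and args:
            fprs.add(args[0].upper())      # key that made the signature
            if len(args) > 9:
                fprs.add(args[9].upper())  # its primary key, if a subkey signed
        elif kw in TRUST:
            trust = kw                     # what the local keyring thinks of the key
    if not good or not fprs:
        return ("no-good-signature", None)
    # A good signature only proves that *some* key signed the file; the pinned
    # fingerprint is what ties that key to the person you expect.
    return ("key-matches-pin" if pinned in fprs else "good-but-unverified-key", trust)

SIGNER = "A" * 40   # constructed placeholder fingerprint of the signing key
OTHER = "B" * 40    # constructed: fingerprint of some different key

# Constructed status output for the case in the first post:
# good signature, key not certified by anything the local keyring trusts.
SAMPLE = f"""\
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>"
[GNUPG:] GOODSIG {SIGNER[-16:]} Pierre Schmitz <pierre@archlinux.de>
[GNUPG:] VALIDSIG {SIGNER} 2016-05-01 1462075959 0 4 0 1 8 00 {SIGNER}
[GNUPG:] TRUST_UNDEFINED
"""
TAMPERED = f"[GNUPG:] BADSIG {SIGNER[-16:]} Pierre Schmitz <pierre@archlinux.de>\n"

if __name__ == "__main__":
    for text, pin in ((SAMPLE, SIGNER), (SAMPLE, OTHER), (TAMPERED, SIGNER)):
        print(assess(text, pin))
```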

#8 2016-05-12 16:47:39

beetlejayce
Member
Registered: 2016-05-12
Posts: 2

Re: [Solved] Verifying ISO through GPG

Ok, thanks for the answers, it's a bit clearer, I'll try to investigate further on my own.

Offline
