You are not logged in.

#1 2023-11-11 20:32:03

Ride Garcher
Member
Registered: 2023-09-30
Posts: 44

Verification of Arch iso [SOLVED]

Hi guys. I'm trying to install arch, again. But i'm not sure that the iso is ok.
I'm using Debian to verify. This is the bash:

richard@debian:/media/richard/eaed7b3d-6d18-41e7-afe9-872860130bfc/download$ gpg --verify archlinux-2023.11.01-x86_64.iso.sig archlinux-2023.11.01-x86_64.iso
gpg: Signature made Wed 01 Nov 2023 07:59:03 AM CET
gpg:                using EDDSA key 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
gpg:                issuer "pierre@archlinux.org"
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3E80 CA1A 8B89 F69C BA57  D98A 76A5 EF90 5444 9A5C

I don't like this "WARNING: This key is not certified with a trusted signature!"

What should i do?

Last edited by Ride Garcher (2024-04-26 15:50:51)


Jr. Web developer

Offline

#2 2023-11-11 20:51:02

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,988

Re: Verification of Arch iso [SOLVED]

Ubuntu does not know who Pierre is, so they have not signed his key.   He does show up on our developer page, and we trust him.  You can see on the developer page https://archlinux.org/people/developers/ that that is the fingerprint of the key matches the one in the warning.

I think you are okay.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#3 2023-11-11 20:56:14

Ride Garcher
Member
Registered: 2023-09-30
Posts: 44

Re: Verification of Arch iso [SOLVED]

Ok, thank you, but sorry, i'm still an amateur. Why does it act like that? Whether my key is secure or not, I'm trying to better understand how these systems work.


Jr. Web developer

Offline

#4 2023-11-11 21:13:22

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,988

Re: Verification of Arch iso [SOLVED]

At a low level, we can ensure that a downloaded file has not been modified through the use of checksums, cryptographic hashes, etc...   If the hash generated from the file you downloaded  does not match the one published by the person who made that file, you know the file changed.    But, how do we know that the person who made that file is who they say it is?  And how do we know if the real person is trustworthy?  Two different problems.  We can prove that the person is who they claim to be with pgp certificates.  If I signed a file, you could look up my certificate on line and use that certificate to prove to yourself that I signed it.   

gpg: Good signature from "Pierre Schmitz <pierre@archlinux.org>" [unknown]

.  Some guy named Pierre signed it, and the public signature for this person is correct.  But who the heck is he?  The guys at Ubuntu don't know.  No one at Ubuntu has used their personal cert, and their being a tusted member of the Ubuntu project, to sign Pierre's signature to say that Ubuntu trusts him. 

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

We know who Pierre is, and at least one person here has used their signature, and their being on the Arch Linux staff, to sign Pierre's signature and include it in the Arch Linux keyring.  It is in the package archlinux-keyring.   
To provide a method for someone not running Arch Linux to know that Pierre is trusted, we publishing his key signature so you can verify that this Pierre guy really is the same Pierre that Arch knows, trusts, and loves.

Last edited by ewaller (2023-11-11 21:15:52)


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#5 2023-11-11 22:56:13

Ride Garcher
Member
Registered: 2023-09-30
Posts: 44

Re: Verification of Arch iso [SOLVED]

Thank you very much!


Jr. Web developer

Offline

Board footer

Powered by FluxBB