
#1 2024-11-03 21:20:27

le_grande_castel
Member
Registered: 2022-05-16
Posts: 10

Arch ISO signature does not match. What to do?

Hello

I downloaded the Arch .iso from 2024.11.01 from both the BitTorrent download on the official page and a mirror (chroot.ro) in my country. Both were found on the official page: https://archlinux.org/download/

I downloaded the corresponding signature and the key is different! First, I checked with KDE's ISO Image Writer, which automatically does the checking if both the .iso and the .iso.sig are in the same directory. I get a pop-up saying "Uses wrong signature". Then, I checked using the sha256sum command on the .iso, and I got a different signature from the one on the website.

I obviously did not proceed with my installation. I made this post to 1) raise awareness, if this is an issue, and 2) ask what the potential consequences of this are. This is actually the first time I have verified an ISO signature; did it just happen that I got this problem now, or is this a more common issue?

Should I wait until a new iso is uploaded, or proceed with my installation?


#2 2024-11-03 21:48:26

mpan
Member
Registered: 2012-08-01
Posts: 1,337

Re: Arch ISO signature does not match. What to do?

Hello.

Don’t proceed with the installation. But for reasons other than security.

To start with, I would not panic. Any adversary would need to go to great lengths to plant malicious content in your download if you observe that with both download methods. That is something I would put further down the list of possible explanations.

Avoid installation, because the file seems damaged and there has to be a reason for that. That reason may be unstable hardware.

To go step by step, let’s begin with the signature. I don’t know KDE’s ISO Image Writer, so I don’t know what messages it displays, but “Uses wrong signature” may mean many things. Starting with you not having the public key of Pierre Schmitz. If it’s not in your own keyring, the signature can’t be verified. Moreover, some software may wrongly report a good signature from an untrusted key as invalid.

Second, please post the complete output of checking the integrity with SHA-256:

$ sha256sum archlinux-2024.11.01-x86_64.iso
bceb3dded8935c1d3521c475a69ae557e082839b46d921c8b400524470b5c965  archlinux-2024.11.01-x86_64.iso

If it differs from the above, please also include:

du -b archlinux-2024.11.01-x86_64.iso

Please do that for each downloaded copy you already have.


Sometimes I seem a bit harsh — don’t get offended too easily!

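The checks mpan asks for, put into one script as an added example (not code from the thread, from KDE's ISO Image Writer, or from the Arch project). It runs the SHA-256 comparison and the size report for every downloaded copy, and, when gpg is installed and a .sig sits next to the ISO, reads GnuPG's machine-readable status lines so that "no public key in your keyring" and "good signature from a key you have not marked as trusted" are reported as what they are rather than as a tampered file. Assumptions: the expected hash is the one copied from https://archlinux.org/download/ and is passed as the first argument; the detached signature is named `<iso>.sig`; the status keywords (GOODSIG, BADSIG, NO_PUBKEY, TRUST_*) are those of GnuPG's `--status-fd` interface; file size is taken with `wc -c` instead of `du -b` so the script also runs on non-GNU systems.

```shell
#!/bin/sh
# Added example: verify one or more downloaded copies of an Arch ISO the way
# the post above describes: SHA-256 against the published value, file size
# on mismatch, and the detached PGP signature with the outcome classified.
#
# Usage: sh verify-iso.sh <expected-sha256> copy1.iso [copy2.iso ...]
# The expected hash is assumed to be copied from https://archlinux.org/download/

# Hex SHA-256 digest of a file (first field of sha256sum output).
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Compare a file's digest with the expected one.
# Returns 0 on match, 1 on mismatch, 2 if the file does not exist.
# On mismatch the size is printed too: a short file points at a truncated
# download, a full-size file with a wrong hash points at corruption.
check_sha256() {
    cs_file="$1"; cs_expected="$2"
    [ -f "$cs_file" ] || { echo "MISSING $cs_file" >&2; return 2; }
    cs_actual=$(sha256_of "$cs_file")
    if [ "$cs_actual" = "$cs_expected" ]; then
        echo "OK      $cs_file"
        return 0
    fi
    echo "FAIL    $cs_file" >&2
    echo "  expected $cs_expected" >&2
    echo "  actual   $cs_actual" >&2
    echo "  size     $(wc -c < "$cs_file" | tr -d ' ') bytes" >&2
    return 1
}

# Verify a detached signature and classify GnuPG's status lines.
# Returns 0 for a good signature (trusted or not), 1 for a bad signature,
# 2 if the signer's public key is not in the keyring, 3 if gpg is absent,
# 4 for any other failure. Status keywords are from GnuPG's --status-fd
# interface (assumption stated in the lead-in).
check_signature() {
    sg_sig="$1"; sg_data="$2"
    if ! command -v gpg >/dev/null 2>&1; then
        echo "SKIP    gpg not installed, cannot verify $sg_sig" >&2
        return 3
    fi
    sg_status=$(gpg --status-fd 1 --verify "$sg_sig" "$sg_data" 2>/dev/null) || true
    case "$sg_status" in
        *"[GNUPG:] BADSIG"*)
            echo "BADSIG  $sg_data: signature does not match the file" >&2; return 1 ;;
        *"[GNUPG:] NO_PUBKEY"*)
            echo "NOKEY   $sg_data: signer's public key is not in your keyring" >&2; return 2 ;;
        *"[GNUPG:] GOODSIG"*)
            case "$sg_status" in
                *"[GNUPG:] TRUST_UNDEFINED"*|*"[GNUPG:] TRUST_NEVER"*|*"[GNUPG:] TRUST_MARGINAL"*)
                    echo "GOODSIG $sg_data (key present but not marked trusted; not a tampered file)" ;;
                *)  echo "GOODSIG $sg_data (trusted key)" ;;
            esac
            return 0 ;;
        *)
            echo "ERROR   gpg could not verify $sg_data; run: gpg --verify $sg_sig $sg_data" >&2; return 4 ;;
    esac
}

# Run both checks over every copy; exit non-zero if anything needs attention.
main() {
    m_expected="$1"; shift
    m_rc=0
    for m_iso in "$@"; do
        check_sha256 "$m_iso" "$m_expected" || m_rc=1
        if [ -f "$m_iso.sig" ]; then
            check_signature "$m_iso.sig" "$m_iso" || m_rc=1
        fi
    done
    return $m_rc
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

If the signature step reports NOKEY, the remedy is to get the signing key into your keyring first, for example with the command the download page itself shows (`gpg --keyserver-options auto-key-retrieve --verify archlinux-2024.11.01-x86_64.iso.sig`), and then compare the key ID against the one published there. A FAIL on the hash with a size smaller than the full image is a truncated download; a full-size FAIL on a copy from each source, as in the post, is what mpan means by "there has to be a reason for that".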
