Arch Linux

case_gage

Member

Registered: 2021-12-12

Posts: 15

[SOLVED] gpg verification warning

Hello all,
I'm setting up a Virtual box for school and personal use and I'm attempting to verify the gpg key signatures on my .iso file. I'm very new to arch and linux in general, so I'm trying to do every single step I can to see if I'm understanding it well. I've operated Ubuntu for about a year and am currently running Alma linux on my computer.

I've passed the following command into my terminal:

gpg --keyserver-options auto-key-retrieve --verify Downloads/archlinux-2021.12.01-x86_64.iso.sig

And received the following in response:
gpg: assuming signed data in 'Downloads/archlinux-2021.12.01-x86_64.iso'
gpg: Signature made Wed 01 Dec 2021 09:45:16 AM EST
gpg:                using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg:                issuer "pierre@archlinux.de"
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

Does this mean that I don't have the correct key or download when it says WARNING: this key is not certified with a trusted signature? I also receive the same message when I pass the verification shown on https://wiki.archlinux.org/title/GnuPG# … public_key. My md5 and sha1 sum matches of .iso file matches what I've seen on https://archlinux.org/download/ under checksums.

My only other concern is that when passing the check in the virtual machine after booting up:

pacman-key -v archlinux-2021.12.01-x86_64.iso.sig

I receive:
==> Checking archlinux-2021.12.01-x86_64.iso.sig . . . (embeded)
grep: archlinux-2021.12.01-x86_64.iso.sig: No such file or directory
gpg: can't open 'archlinux-2021.12.01-x86_64.iso.sig' : No such file or directory
gpg: verify signatures failed: No such file or directory
==> ERROR: The signature identified by archlinux-2021.12.01-x86_64.iso.sig could not be verified

I don't understand why arch wouldn't verify itself internally.

Last edited by case_gage (2021-12-12 19:19:53)

Scimmia

Fellow

Registered: 2012-09-01

Posts: 13,694

Re: [SOLVED] gpg verification warning

For your first question, see https://en.wikipedia.org/wiki/Web_of_trust

For the second one, the error seems straight forward, there's no file by that name.

case_gage

Member

Registered: 2021-12-12

Posts: 15

Re: [SOLVED] gpg verification warning

For your first question, see https://en.wikipedia.org/wiki/Web_of_trust

For the second one, the error seems straight forward, there's no file by that name.

I should have it though right? Shouldn't there there should be and .iso.sig file in the installation medium?

case_gage

Member

Registered: 2021-12-12

Posts: 15

Re: [SOLVED] gpg verification warning

Thanks for the help, my dude.

bewebbed

Member

Registered: 2021-12-20

Posts: 1

Re: [SOLVED] gpg verification warning

Hi there,

I've got the exact same error today.

NuSkool

Member

Registered: 2015-03-23

Posts: 287

Re: [SOLVED] gpg verification warning

First, you need to import the pgp key.

Are you talking about the ""WARNING: This key is not certified...." part?

I believe you need to sign his key with something like:

gpg --lsign-key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC       (or whatever key id)

---

Scripts I Use                                                 :  https://github.com/Cody-Learner
grep -m1 'model name' /proc/cpuinfo    : AMD Ryzen 7 8745HS w/ Radeon 780M Graphics
grep -m1 'model name' /proc/cpuinfo    : Intel(R) N95
grep -m1 'model name' /proc/cpuinfo    : AMD Ryzen 5 PRO 2400GE w/ Radeon Vega Graphics

Strike0

Member

From: Germany

Registered: 2011-09-05

Posts: 1,489

Re: [SOLVED] gpg verification warning

I think the following installation step was not followed: https://wiki.archlinux.org/title/Instal … _signature
As advised there, the .sig file should be separately downloaded from the main server before verifying the image with it.