You are not logged in.
Hello,
I am following the installation guide for the first time today. I downloaded a .iso and .iso.sig from the worldwide mirror listed on the downloads page, Rackspace.
Verify signature
It is recommended to verify the image signature before use, especially when downloading from an HTTP mirror, where downloads are generally prone to be intercepted to serve malicious images.On a system with GnuPG installed, do this by downloading the PGP signature (under Checksums in the Download page) to the ISO directory, and verifying it with:
$ gpg --keyserver-options auto-key-retrieve --verify archlinux-version-x86_64.iso.sig
I ran this command and got the following output:
redacted@redacted:/mnt/c/Users/redacted/Downloads$ gpg --keyserver-options auto-key-retrieve --verify archlinux-2022.03.01-x86_64.iso.sig
gpg: assuming signed data in 'archlinux-2022.03.01-x86_64.iso'
gpg: Signature made Tue Mar 1 15:54:01 2022 GMT
gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: issuer "pierre@archlinux.de"
gpg: Can't check signature: No public keyI was under the impression that the iso and signature were all that is needed to verify. Am I missing a step somewhere?
Thanks,
illiterate_programmer
Offline
You also need the public key. The auto-key-retrieve is supposed to attempt to download it, but if it fails, you can't verify it.
Offline
You also need the public key. The auto-key-retrieve is supposed to attempt to download it, but if it fails, you can't verify it.
Thanks for the reply. I am familiar with public key cryptography but not GPG. I assumed that the auto key retrieve would handle the rest if I have the iso and sig, but as it is failing, I do not know where to get the public key from. Is it worth trying another mirror?
Offline
The mirror has nothing to do with it, gpg tries to get it from whatever pgp server it has configured.
See the Download page where you got the ISO links for more information about getting the key.
Offline