#1 2023-11-11 20:32:03

Ride Garcher
Member
Registered: 2023-09-30
Posts: 50

Verification of Arch iso [SOLVED]

Hi guys. I'm trying to install Arch, again. But I'm not sure that the iso is ok.
I'm using Debian to verify. This is the bash:

richard@debian:/media/richard/eaed7b3d-6d18-41e7-afe9-872860130bfc/download$ gpg --verify archlinux-2023.11.01-x86_64.iso.sig archlinux-2023.11.01-x86_64.iso
gpg: Signature made Wed 01 Nov 2023 07:59:03 AM CET
gpg:                using EDDSA key 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
gpg:                issuer "pierre@archlinux.org"
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3E80 CA1A 8B89 F69C BA57  D98A 76A5 EF90 5444 9A5C

I don't like this "WARNING: This key is not certified with a trusted signature!"

What should I do?

Last edited by Ride Garcher (2024-04-26 15:50:51)


Jr. Web developer

Offline

#2 2023-11-11 20:51:02

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,354

Re: Verification of Arch iso [SOLVED]

Ubuntu does not know who Pierre is, so they have not signed his key. He does show up on our developer page, and we trust him. You can see on the developer page https://archlinux.org/people/developers/ that the fingerprint of the key matches the one in the warning.

I think you are okay.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#3 2023-11-11 20:56:14

Ride Garcher
Member
Registered: 2023-09-30
Posts: 50

Re: Verification of Arch iso [SOLVED]

Ok, thank you, but sorry, I'm still an amateur. Why does it act like that? Whether my key is secure or not, I'm trying to better understand how these systems work.


Offline

#4 2023-11-11 21:13:22

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,354

Re: Verification of Arch iso [SOLVED]

At a low level, we can ensure that a downloaded file has not been modified through the use of checksums, cryptographic hashes, etc... If the hash generated from the file you downloaded does not match the one published by the person who made that file, you know the file changed. But, how do we know that the person who made that file is who they say they are? And how do we know if the real person is trustworthy? Two different problems. We can prove that the person is who they claim to be with pgp certificates. If I signed a file, you could look up my certificate online and use that certificate to prove to yourself that I signed it.

gpg: Good signature from "Pierre Schmitz <pierre@archlinux.org>" [unknown]

Some guy named Pierre signed it, and the public signature for this person is correct. But who the heck is he? The guys at Ubuntu don't know. No one at Ubuntu has used their personal cert, and their being a trusted member of the Ubuntu project, to sign Pierre's signature to say that Ubuntu trusts him.

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

We know who Pierre is, and at least one person here has used their signature, and their being on the Arch Linux staff, to sign Pierre's signature and include it in the Arch Linux keyring.  It is in the package archlinux-keyring.   
To provide a method for someone not running Arch Linux to know that Pierre is trusted, we publish his key signature so you can verify that this Pierre guy really is the same Pierre that Arch knows, trusts, and loves.

Last edited by ewaller (2023-11-11 21:15:52)


Offline
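
The fingerprint comparison described in posts #2 and #4, as an added example that is not part of the original thread: instead of reading the warning by eye, the script checks gpg's machine-readable status output against a pinned fingerprint. The function names and the sample status lines are constructed for illustration; the fingerprint is the one printed in the first post.

```shell
#!/bin/sh
# Added example (not from the thread): pin the signer's fingerprint rather
# than relying on the local web of trust.

# Fingerprint as printed by gpg in the first post; compare it yourself with
# https://archlinux.org/people/developers/ before pinning it.
PINNED_FPR="3E80 CA1A 8B89 F69C BA57  D98A 76A5 EF90 5444 9A5C"

# Strip spaces and uppercase the hex so both formats compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd` lines on stdin (one signature expected). Print the
# primary key fingerprint only when gpg reported GOODSIG and VALIDSIG, so a
# bad signature or an expired or revoked key yields nothing.
signer_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
         $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = (NF >= 12 ? $NF : $3) }
         END { if (good && fpr != "") print fpr }'
}

# Succeed only if the status stream names the expected fingerprint ($1).
status_matches_pin() {
    pin_expected=$(normalize_fpr "$1")
    pin_actual=$(signer_from_status)
    [ -n "$pin_actual" ] && [ "$pin_actual" = "$pin_expected" ]
}

# usage: verify_iso FILE.sig FILE [FINGERPRINT]
verify_iso() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_matches_pin "${3:-$PINNED_FPR}"
}

# Constructed status lines modelled on the verification in the first post;
# TRUST_UNDEFINED is the machine-readable form of the "[unknown]" warning.
SAMPLE_STATUS='[GNUPG:] GOODSIG 76A5EF9054449A5C Pierre Schmitz <pierre@archlinux.org>
[GNUPG:] VALIDSIG 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C 2023-11-01 1698821943 0 4 0 22 10 00 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
[GNUPG:] TRUST_UNDEFINED 0 pgp'

if printf '%s\n' "$SAMPLE_STATUS" | status_matches_pin "$PINNED_FPR"; then
    echo "signer matches pinned fingerprint"
fi
```

The result does not depend on the trust level gpg assigns to the key, which is why the "not certified with a trusted signature" warning can still appear while this check passes.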

#5 2023-11-11 22:56:13

Ride Garcher
Member
Registered: 2023-09-30
Posts: 50

Re: Verification of Arch iso [SOLVED]

Thank you very much!


Offline
