You are not logged in.

#1 2024-11-03 21:20:27

le_grande_castel
Member
Registered: 2022-05-16
Posts: 10

Arch ISO signature does not match. What to do?

Hello

I downloaded the arch .iso from 2024.11.01 from both BitTorrent Downloads on the official page, and a mirror (chroot.ro) from my country. All of these were found on the official page: https://archlinux.org/download/

I downloaded the corresponding signature and the key is different! First, I checked with KDE's ISO Image Writer, which automatically does the checking if both the .iso and the .iso.sig are in the same directory. I get a pop-up saying "Uses wrong signature". Then, I checked using the sha256sum command on the .iso, and I got a different signature from the one on the website.

I obviously did not proceed with my installation. I made this post to 1) raise awareness if this is an issue and 2) ask what the potential consequences of this are? This is actually the first time I verify an iso signature, did it just happen that I got this problem now, or is this a more common issue?

Should I wait until a new iso is uploaded, or proceed with my installation?

Offline

#2 2024-11-03 21:48:26

mpan
Member
Registered: 2012-08-01
Posts: 1,332
Website

Re: Arch ISO signature does not match. What to do?

Hello.

Don’t follow with the installation. But for reasons other than security.

To start with, I would not panic. Any adversary would need to go great lengths to plant malicious content in your download, if you observe that on both download methods. That is something I would put further down the list of possible explanations.

Avoid installation, because the file seems damaged and there has to be a reason for that. That reason may be unstable hardware.

To go step by step, let’s begin with the signature. I don’t know KDE’s ISO Image Writer, so I don’t know what messages it displays, but “Uses wrong signature” may mean many things. Starting with you not having the public key of Pierre Schmitz. If it’s not in your own keyring, the signature can’t be verified. Moreover, some software may wrongly report a good signature from an untrusted key as invalid.

Second, please post the complete output of checking the integrity with SHA-256:

 $ sha256sum archlinux-2024.11.01-x86_64.iso
bceb3dded8935c1d3521c475a69ae557e082839b46d921c8b400524470b5c965  archlinux-2024.11.01-x86_64.iso

If it differs from the above, please also include:

du -b archlinux-2024.11.01-x86_64.iso

Please do that for each downloaded copy you already have.


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

Board footer

Powered by FluxBB