I have downloaded the ISO and the iso.sig twice and I get the following error from gpg from both directories.
user command: gpg --keyserver-options auto-key-retrieve --verify archlinux-2024.11.01-x86_64.iso.sig archlinux-2024.11.01-x86_64.iso
gpg: Signature made Fri 01 Nov 2024 06:12:01 AM EDT
gpg: using EDDSA key 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
gpg: issuer "pierre@archlinux.org"
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3E80 CA1A 8B89 F69C BA57 D98A 76A5 EF90 5444 9A5C
The first error in https://bbs.archlinux.org/viewtopic.php?id=272094 matches this problem but the answer is to update the keyring with pacman.
This is a new install... I don't have pacman.
https://archlinux.org/download/
gpg --auto-key-locate clear,wkd -v --locate-external-key pierre@archlinux.org
After running the key locate, it still fails the ISO check.
command: gpg --auto-key-locate clear,wkd -v --locate-external-key pierre@archlinux.org
gpg: using pgp trust model
gpg: pub ed25519/76A5EF9054449A5C 2022-10-31 Pierre Schmitz <pierre@archlinux.de>
gpg: key 76A5EF9054449A5C: "Pierre Schmitz <pierre@archlinux.org>" not changed
gpg: pub rsa2048/7F2D434B9741E8AC 2011-04-10 Pierre Schmitz <pierre@archlinux.de>
gpg: key 7F2D434B9741E8AC: "Pierre Schmitz <pierre@archlinux.org>" not changed
gpg: Total number processed: 2
gpg: unchanged: 2
gpg: auto-key-locate found fingerprint 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
gpg: automatically retrieved 'pierre@archlinux.org' via WKD
pub ed25519 2022-10-31 [SC] [expires: 2037-10-27]
3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
uid [ unknown] Pierre Schmitz <pierre@archlinux.org>
sub ed25519 2022-10-31 [A] [expires: 2037-10-27]
sub cv25519 2022-10-31 [E] [expires: 2037-10-27]
command: gpg --keyserver-options auto-key-retrieve --verify archlinux-2024.11.01-x86_64.iso.sig archlinux-2024.11.01-x86_64.iso
gpg: Signature made Fri 01 Nov 2024 06:12:01 AM EDT
gpg: using EDDSA key 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
gpg: issuer "pierre@archlinux.org"
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3E80 CA1A 8B89 F69C BA57 D98A 76A5 EF90 5444 9A5C
That output shows the signature is correct:
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.org>"
The warning is because you haven't incorporated the key into your web of trust.
Last edited by Head_on_a_Stick (2024-11-30 21:41:29)
I tried to import from the file but it didn't work
command: gpg --import archlinux-2024.11.01-x86_64.iso.sig
gpg: Total number processed: 0
I tried per https://wiki.archlinux.org/title/GnuPG#Use_a_keyserver
command: gpg --search-keys pierre@archlinux.org
gpg: data source: https://keys.openpgp.org:443
(1) Pierre Schmitz <pierre@archlinux.de>
Pierre Schmitz <pierre@archlinux.org>
256 bit EDDSA key 76A5EF9054449A5C, created: 2022-10-31
Keys 1-1 of 1 for "pierre@archlinux.org". Enter number(s), N)ext, or Q)uit > 1
gpg: key 76A5EF9054449A5C: "Pierre Schmitz <pierre@archlinux.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
command: gpg --receive-keys 76A5EF9054449A5C
gpg: key 76A5EF9054449A5C: "Pierre Schmitz <pierre@archlinux.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
command: gpg --refresh-keys
of course showed that "unchanged" was correct so I added sudo even though no error suggested that
command: sudo gpg --receive-keys 76A5EF9054449A5C
[sudo] password for chris:
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 76A5EF9054449A5C: public key "Pierre Schmitz <pierre@archlinux.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
However, apt-key list does not show an update and the verify still says "no indication".
Please read https://serverfault.com/questions/56991 … ed-gpg-key.
Stop. Just stop.
There is no error.
The check does not fail.
There is nothing wrong here.
You probably don't even have a WOT, your only source of trust is that the pgp signature matches the one listed on https://archlinux.org/download/ and our assertion that there's nothing wrong w/ the key as shown in #3
If the OP just wants to get rid of the warning they can use
gpg --lsign-key 76A5EF9054449A5C
But it doesn't make any practical difference.
@ Scimmia - LOL - that's exactly how I feel. Basically the install instructions are lacking info required by some users. My question appears all over the web without any answers.
I am trying to create an install USB on a five year old Ubuntu system. Two of my friends had tried and given up and asked me to look into it.
We are all programmers and had talked about moving to arch for two reasons. First is what seems to be the best community and documentation and second because we are Canadian and liked the history of Arch. I documented my issues here to help the community. If it is annoying, move on.
The instructions are:
On a system with GnuPG installed, do this by downloading the ISO PGP signature (under Checksums in the page Download) to the ISO directory, and verifying it with:
$ gpg --keyserver-options auto-key-retrieve --verify archlinux-version-x86_64.iso.sig
For this "test" to come back saying there is no trust means either there is an instruction or explanation missing. Why should I proceed if the verify "fails"?
Once I created my own key and signed pierre's signature the message from gpg looks better.
command: gpg --verify archlinux-2024.11.01-x86_64.iso.sig
gpg: assuming signed data in 'archlinux-2024.11.01-x86_64.iso'
gpg: Signature made Fri 01 Nov 2024 06:12:01 AM EDT
gpg: using EDDSA key 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
gpg: issuer "pierre@archlinux.org"
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2026-12-01
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.org>" [full]
gpg: aka "Pierre Schmitz <pierre@archlinux.de>" [full]
The install instructions should provide an example of a failure response and note that if you get
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
then the file has passed the check and that this error means you are not using a web of trust.
Thanks all. This has been great.
Last edited by Strider22 (Yesterday 16:29:06)
For this "test" to come back saying there is no trust means either there is an instruction or explanation missing. Why should I proceed if the verify "fails"?
No, it means you're making wild assumptions. It did not fail.
Although removing the error is unnecessary, the way to do it is:
Generate your own key
gpg --generate-key
Find the signer's key
gpg --search-keys pierre@archlinux.org
Then using the key returned above, sign that you accept it.
gpg --lsign-key 76A5EF9054449A5C
That doesn't remove an error, it removes a *warning*. You're a developer, you should know the difference.
Doing that is completely and totally useless.
This here is the success:
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.org>" [unknown]
This is a warning from GPG that just because this key was used to sign the iso, doesn't mean that key is worth two cents:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
It also doesn't mean that there's anything wrong - just that GPG doesn't know whether the key actually belongs to some pierre schmitz guy.
You have to provide that knowledge.
Your only source of trust is the arch webpage, saying that this is the key id you're looking for.
You've no idea whether that's actually true, nor any means to establish that (you could raise confidence by mailing pierre and asking him for personal confirmation, which I'm sure he'll appreciate a lot)
Now, let's say some mean hacker has defaced the webpage and also got you to download a false iso and signature signed with the hackers key, posing as pierre.
If you falsely trust this and install arschlinux™, you've now installed a compromised OS. Which is bad.
If you sign the bogus key and install arschlinux™, you've now installed a compromised OS *AND* compromised your local WOT. Which is worse.
So then why tell strangers to Pierre to verify the file via his sig?
Why not just say download the ISO and hope it works. What are we doing here?
Does a "Good signature" from Pierre mean anything?
Installation instructions are mainly for newbies.
Maybe the install instructions should say
On a system with GnuPG installed, do this by downloading the ISO PGP signature (under Checksums in the page Download) to the ISO directory, and verifying it with:
$ gpg --keyserver-options auto-key-retrieve --verify archlinux-version-x86_64.iso.sig
If you get a "Good signature" message then the file passed the verification.
Last edited by Strider22 (Yesterday 20:13:32)
Your only source of trust is the arch webpage, saying that this is the key id you're looking for.
This is not nothing.
What I was trying to say is that by ("blindly") signing the key you only explode the impact *ifff* some hacker actually managed to fool you.
Comparing the key IDs and leaving it be is the less impactful, equally "secure" strategy.
So then why tell strangers to Pierre to verify the file via
On a system with GnuPG installed, do this by downloading the ISO PGP signature (under Checksums in the page Download) to the ISO directory, and verifying it with:
$ gpg --keyserver-options auto-key-retrieve --verify archlinux-version-x86_64.iso.sig
Why not just say download it and hope it is good. What are we doing here?
Does a "Good signature" from Pierre mean anything?
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.org>" [unknown]
means the signature obtained using WKD from archlinux.org using the command
gpg --auto-key-locate clear,wkd -v --locate-external-key pierre@archlinux.org
is the signature used to sign archlinux-version-x86_64.iso.sig. So unless archlinux.org has been compromised in addition to the location you downloaded the ISO from, then the ISO has been verified.
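The point made in this post and in the earlier one (the only thing tying the key to Arch is the fingerprint published on https://archlinux.org/download/, and comparing it is the less impactful but equally secure alternative to lsign-ing the key) can be turned into a script. This is an added example, not code from the thread or from the Arch installation guide. It assumes gpg is installed and relies on gpg's machine-readable `--status-fd` lines (GOODSIG, VALIDSIG, BADSIG, NO_PUBKEY, TRUST_UNDEFINED, as documented in GnuPG's DETAILS file). The pinned fingerprint is the one reported in the thread's own gpg output; the built-in status transcript is constructed for the self-check and its timestamps are made up.

```shell
#!/bin/sh
# Added example (not from the thread or the Arch install guide): verify an ISO
# signature and pin the signing key to the fingerprint published on
# https://archlinux.org/download/, using gpg's machine-readable --status-fd
# lines instead of eyeballing the human-readable output.

# Fingerprint of the release-signing key as shown in the thread's gpg output
# (the "Primary key fingerprint:" line).  Compare this against the download page.
EXPECTED_FPR="3E80 CA1A 8B89 F69C BA57 D98A 76A5 EF90 5444 9A5C"

# Constructed --status-fd transcript modelled on the thread's verify run
# (GOODSIG + VALIDSIG + TRUST_UNDEFINED): a good signature from a key that is
# not in the local web of trust.  The timestamp values are made up.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76A5EF9054449A5C Pierre Schmitz <pierre@archlinux.org>
[GNUPG:] VALIDSIG 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C 2024-11-01 1730455921 0 4 0 22 10 00 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# check_status: read "[GNUPG:] ..." lines on stdin and decide ACCEPT/REJECT.
#   $1 = expected fingerprint (spaces and case are ignored)
# Exit 0 only if gpg reported GOODSIG/VALIDSIG *and* the signing key or its
# primary key has the pinned fingerprint.  TRUST_UNDEFINED is deliberately
# ignored: it is the "not certified with a trusted signature" warning this
# thread is about, and the fingerprint comparison is what replaces it.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    awk -v want="$want" '
        $1 != "[GNUPG:]"   { next }        # ignore anything that is not a status line
        $2 == "GOODSIG"    { good = 1 }
        $2 == "BADSIG"     { bad = 1 }
        $2 == "NO_PUBKEY"  { nokey = 1 }
        $2 == "VALIDSIG"   { sfpr = toupper($3); pfpr = toupper($NF) }
        END {
            if (bad)   { print "REJECT: signature does not match the file"; exit 1 }
            if (nokey) { print "REJECT: signing key is not in the keyring"; exit 1 }
            if (!good || sfpr == "") { print "REJECT: no valid signature found"; exit 1 }
            if (sfpr != want && pfpr != want) {
                print "REJECT: signed by " sfpr ", expected " want
                exit 1
            }
            print "ACCEPT: good signature from pinned key " want
            exit 0
        }'
}

# verify_iso: run gpg on a real signature/ISO pair and pipe its status lines
# into check_status.  gpg still prints its human-readable output on stderr.
#   $1 = detached signature (.sig)   $2 = ISO file
verify_iso() {
    gpg --batch --status-fd 1 --verify "$1" "$2" | check_status "$EXPECTED_FPR"
}

# self_check: run the decision logic over the constructed transcript only
# (no gpg needed); returns 0 when the sample is accepted.
self_check() {
    printf '%s\n' "$SAMPLE_STATUS" | check_status "$EXPECTED_FPR"
}

if [ "$#" -eq 2 ]; then
    # e.g. ./verify_iso.sh archlinux-2024.11.01-x86_64.iso.sig archlinux-2024.11.01-x86_64.iso
    verify_iso "$1" "$2"
else
    self_check
fi
```

Run it with the .sig and the ISO as arguments after fetching the key with the WKD command quoted above; with no arguments it only exercises the decision logic on the built-in sample. The script accepts only when gpg reports the signature good and the VALIDSIG fingerprint matches the pinned one, so the "not certified with a trusted signature" warning never enters the decision, while a BADSIG, a missing key, or a "Good signature" from any key other than the pinned one is rejected.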
Basically the install instructions are lacking info required by some users. My question appears all over the web without any answers.
Installation instructions are mainly for newbies.
Welcome to "Arch, btw" <3
Some honest words after using arch about two years:
You'll learn: The Arch Wiki is more like a reference doc you consult because you remember something but the manpage doesn't help. Often it's written in a circular dependency: It's expected you already know what you're about to read but just don't remember the fine details that differ on arch from other distros.
I agree that the install guide sure needs some rewrite and better formatting - the lines "bring along an editor and tools to get your network working" are just thrown in there with the expectation that the reader scans the page letter by letter and comprehends it with infinite wisdom - with the sole explanation: "Arch is designed with 'The user has to configure it themselves' in mind - so instead of fighting about whether vim or nano is the better editor - we just don't include any of them!" - instead of just biting the bullet and including them both ... anyway.
Same goes with booting and network - yes, one can set up arch without an editor and just with systemd for both booting and networking - but given the high number of regular repetitions of "can't boot", "no network" in combination with "after update" it's either the majority of users doing something simple very wrong most of the time - or, and this is where my money is, it would be easier just to provide a collection of some basic tools found on most of the other major distributions - and rewrite a majority of the important parts of the wiki to hammer it into the users' brains how to do it correctly - no matter if this then would be just "one of the many ways" - but it would be at least one instead of the current NONE because of "here're the options - figure it out on your own!".
If you and your team want to stay on arch I recommend always having some install media at hand or setting up a failsafe PXE network boot - as at some point you likely will somehow break the system and fail to boot - mostly due to user error. If you know you have flaky power - go buy a UPS right now - we had countless topics of corrupted boot and system partitions due to power failure during update.
And most of all: read, read again and then read a third time - if you have a feeling of "well, maybe I still could learn something new the 4th time" - come here and ask before you do anything - as chances are you missed something and are about to screw up.
There're many very good people here with brilliant ideas how to get out of big messes (although you do have to provide some specific info) - trying to go blind will end you up here again anyway.