ARM Download Signature Verification

Verifying the ARM image download via:
gpg --verify Manjaro-ARM-kde-plasma-rpi4-20.06.img.xz.sig Manjaro-ARM-kde-plasma-rpi4-20.06.img.xz

results in:

gpg: Signature made Sun Jun 14 11:36:38 2020 EDT
gpg:                using RSA key 7A443CEE69B6B3777740E258084A7FC0035B1D49
gpg:                issuer "strit@manjaro.org"
gpg: Can't check signature: No public key

The instructions here: https://wiki.manjaro.org/index.php?title=How-to_verify_GPG_key_of_official_.ISO_images state to download github.com/manjaro/packages-core/raw/master/manjaro-keyring/manjaro.gpg, but it does not appear to contain the needed public key.

Searching https://pool.sks-keyservers.net/ results in the following which appears to be the correct public key:

pub  2048R/035B1D49 2016-04-23 Dan Johansen (Manjaro) <strit@manjaro.org>
                               Dan Johansen <strit@strits.dk>
                               Dan Johansen <danjohansen@strits.dk>
     Fingerprint=7A44 3CEE 69B6 B377 7740  E258 084A 7FC0 035B 1D49

Verification using the public key above successfully results in:

gpg: assuming signed data in 'Manjaro-ARM-kde-plasma-rpi4-20.06.img.xz'
gpg: Signature made Sun Jun 14 11:36:38 2020 EDT
gpg:                using RSA key 7A443CEE69B6B3777740E258084A7FC0035B1D49
gpg:                issuer "strit@manjaro.org"
gpg: Good signature from "Dan Johansen (Manjaro) <strit@manjaro.org>" [unknown]
gpg:                 aka "Dan Johansen <strit@strits.dk>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7A44 3CEE 69B6 B377 7740  E258 084A 7FC0 035B 1D49

Should this public key be added to the manjaro.gpg file the wiki states to use, or should separate instructions for ARM download verification be listed somewhere?

Sorry if I overlooked something, but I'm new to Manjaro and just want to ensure I did this correctly.

The wiki has no entry relevant to ARM in this case.
But point 3.2 could be amended for our case like this:

gpg --keyserver hkp://pool.sks-keyservers.net --search-keys 035B1D49

I don't think the GitHub key file has been updated for a long time. So the wiki entry should probably be changed to the gitlab.manjaro.org version instead, where my key is present. 🙂
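An added example, not part of either post above: the successful run still reports the key as "[unknown]", and a keyserver search by the 8-digit ID 035B1D49 can return any key whose fingerprint ends in those digits, so the stronger check is to compare the full fingerprint gpg reports on its machine-readable status channel with a pinned value. The function names are hypothetical, the pinned fingerprint is the one printed in this thread, and the sample status lines (including the look-alike fingerprint) are constructed.

```shell
#!/bin/sh
# Added example. Fingerprint pinned from the gpg output quoted in this thread;
# confirm it over a second channel (e.g. gitlab.manjaro.org) before relying on it.
PINNED_FPR="7A443CEE69B6B3777740E258084A7FC0035B1D49"

# Read `gpg --status-fd` lines on stdin and print the primary-key fingerprint
# of the signature. Fails unless there is exactly one VALIDSIG and no status
# line reporting a bad, unverifiable, expired-key or revoked-key signature.
signer_fpr() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { n++; fpr = (NF >= 12 ? $12 : $3) }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (n != 1 || bad) exit 1; print toupper(fpr) }
    '
}

# True only when the status stream shows a valid signature by the pinned key.
status_matches_pin() {
    fpr=$(signer_fpr) || return 1
    [ "$fpr" = "$PINNED_FPR" ]
}

# Usage: verify_pinned IMAGE.sig IMAGE   (requires gpg and the imported key)
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_matches_pin
}

# Constructed status lines for offline checking (not captured from a real run).
sample_good() {
    printf '%s\n' \
      "[GNUPG:] NEWSIG strit@manjaro.org" \
      "[GNUPG:] GOODSIG 084A7FC0035B1D49 Dan Johansen (Manjaro) <strit@manjaro.org>" \
      "[GNUPG:] VALIDSIG $PINNED_FPR 2020-06-14 1592148998 0 4 0 1 8 00 $PINNED_FPR" \
      "[GNUPG:] TRUST_UNDEFINED 0 pgp"
}

# Same short ID 035B1D49, different (constructed) full fingerprint.
sample_lookalike() {
    other="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA035B1D49"
    printf '%s\n' \
      "[GNUPG:] GOODSIG AAAAAAAA035B1D49 Dan Johansen (Manjaro) <strit@manjaro.org>" \
      "[GNUPG:] VALIDSIG $other 2020-06-14 1592148998 0 4 0 1 8 00 $other"
}
```

The pinned comparison replaces reading the human-oriented "Good signature" line, which looks the same for any imported key that carries the expected user ID.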
