Verify downloaded Manjaro ISO file signatures

Technical Issues and Assistance
,
#1

I have downloaded the Manjaro gpg signatures and would like to import them in order to verify the ISO file signatures.
Here is the output from executing the commands in the "Get Manjaro" page: https://pastebin.com/raw/daXV0Pmb

In summary, on my system, importing gpg keys fails (just an example here):

  gpg: key CAA6A59611C7F07E: "Philip Müller (Called Little) <philm@manjaro.org>" not changed
  gpg: bad data signature from key 8396F1D05506E82D: Wrong key usage (0x19, 0x2)

and afterwards, executing gpg --verify on the downloaded manjaro-kde-17.1.11-stable-x86_64.iso.sig results in:

  gpg --verify Downloads/manjaro-kde-17.1.11-stable-x86_64.iso.sig 
  gpg: no signed data
  gpg: can't hash datafile: No data

I appear to have all the updates (pacman does not have any updates for me) and I am running version Manjaro Hakoila (17.1.11), also check

 $ uname -a
Linux desk14 4.16.18-1-MANJARO #1 SMP PREEMPT Tue Jun 26 15:27:59 UTC 2018 x86_64 GNU/Linux

UPDATE: Not sure if it's relevant, but I've had GPG problems before: Pacman-Key init keeps failing.

#2

You know that you have to enter commands line per line and not several lines at once?
Second, a general tip, try to understand what the commands you are entering are supposed to do.
Sadly the description of the process on https://manjaro.org/get-manjaro/ is useless, unless you know what you are doing. It should get improved.

Can you tell me in which folder you saved your files your .iso and .iso.sig files?

#3

I suppose that the .iso.sig file is in ~/Downloads. I suspect that the .iso file isn't in ~/Downloads, but it should be there as well to make the gpg --verify command work.

#4

Granted, after putting both files in the same folder it works just fine!
Again, I thought the error refers to "no data in the signature file", not that it cannot find the signed data.

Thanks a bunch!

bogdanbiv@desk14 ~ $ gpg --verify Downloads/ISOs/manjaro-kde-17.1.11-stable-x86_64.iso.sig
gpg: assuming signed data in 'Downloads/ISOs/manjaro-kde-17.1.11-stable-x86_64.iso'
gpg: Signature made Du 01 iul 2018 12:46:31 +0300 EEST
gpg: using RSA key E4CDFE50A2DA85D58C8A8C70CAA6A59611C7F07E
gpg: issuer "philm@manjaro.org"
gpg: Good signature from "Philip Müller (Called Little) philm@manjaro.org" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E4CD FE50 A2DA 85D5 8C8A 8C70 CAA6 A596 11C7 F07E

1 Like
#5

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.

Forum kindly sponsored by