Manjaro Difference between revisions of "How-to verify GPG key of official .ISO images"

Difference between revisions of "How-to verify GPG key of official .ISO images"

From Manjaro
imported>Excalibur1234
(source: https://www.youtube.com/watch?v=EVxFMJGsa7E)
 
m (Editing section title)
 
(17 intermediate revisions by 11 users not shown)
Line 1: Line 1:
<languages/>
__TOC__
<translate>
=Verifying GPG key of official .ISO images= <!--T:1-->
'''1.''' Download an ISO file and the corresponding .sig file from the official sources (see Download Manjaro below).


1. Go to the [https://sourceforge.net/projects/manjarolinux/files/release/ SourceForge page of Manjaro], where you can choose the latest version you want to download. Also, choose the edition you want to download such as XFCE or KDE.
<!--T:2-->
'''2.''' Install GPG and wget using a Manjaro package manager (pamac or pacman):


2. You can find many files:
  <!--T:3-->
* Some files with an .ISO extension. These files are the images to download.
pamac install gnupg wget
* Some files have an .ISO.SHA1 extension. They contain a check sum.
* Some files end with .PKGS.TXT and contain a complete list installed packages. Attention: These are '''all''' packages installed in the image file.
* Some files with an .ISO.SIG extension. These files contain the GPG key of the packager. In most cases, this will be Philip Müller, one of the founders of Manjaro.


3. Download the corresponding .ISO and .ISO.SIG files and place them in the same folder. Navigate with your terminal to that folder.
<!--T:4-->
'''3.''' Next, you have 2 possible ways to import Manjaro's keys. Choose one of them:


4. Install GPG:
<!--T:5-->
  sudo pacman -S gnupg
Download all keys from the Manjaro Developers from GitLab:
wget gitlab.manjaro.org/packages/core/manjaro-keyring/-/raw/master/manjaro.gpg
Next, import all the keys in the downloaded .gpg file into your gnupg keyring:
  gpg --import manjaro.gpg


5. Next, import Philip Müller's GPG key to your system (select the key by entering its number and pressing ENTER):
<!--T:6-->
  gpg --keyserver hkp://pool.sks-keyservers.net --search-keys 11C7F07E
If you do not trust GitLab, import the Manjaro Build Server's GPG key to your system (afterwards, select the key by entering its number and pressing ENTER):
  gpg --keyserver keyserver.ubuntu.com --search-keys Manjaro Build Server


6. Finally, verify if the .ISO image file was built by Philip Müller:
<!--T:7-->
  gpg --verify manjaro-xfce-16.06-pre2-x86_64.iso.sig
'''4.''' Finally, verify if the .iso image file was built by the Manjaro Build Server, Philip Müller or one of the other Manjaro Developers:
Check, whether the .ISO was verified by the same "11C7F07E" key number, which you have imported to your system and which belongs to Philip Müller.
  gpg --verify manjaro-ISO-image.iso.sig manjaro-ISO-image.iso
If this is the case, you can be sure that your .ISO file was built by Philip Müller.
Compare the key which was used to sign the .iso file with the corresponding developer key.
 
<!--T:8-->
Check whether the .ISO was verified by Philip Müller's GPG key, another Manjaro Developer's key, or the Manjaro Build Server key which you have imported to your system.
If this is the case, you can be sure that your .iso is official.
 
=Links= <!--T:9-->
 
<!--T:10-->
* '''[[Download Manjaro]]'''
* '''[[Check a Downloaded ISO Image For Errors]]'''
* '''[[Burn an ISO File]]'''
* '''[[Installation Guides]]'''
 
</translate>
[[Category:Contents Page{{#translation:}}]]
[[Category:ISO{{#translation:}}]]

Latest revision as of 09:11, 12 March 2022

Other languages:
English • ‎português do Brasil • ‎русский

Verifying GPG key of official .ISO images

1. Download an ISO file and the corresponding .sig file from the official sources (see Download Manjaro below).

2. Install GPG and wget using a Manjaro package manager (pamac or pacman): 

  pamac install gnupg wget

3. Next, you have 2 possible ways to import Manjaro's keys. Choose one of them:

Download all keys from the Manjaro Developers from GitLab: 

wget gitlab.manjaro.org/packages/core/manjaro-keyring/-/raw/master/manjaro.gpg

Next, import all the keys in the downloaded .gpg file into your gnupg keyring: 

gpg --import manjaro.gpg

If you do not trust GitLab, import the Manjaro Build Server's GPG key to your system (afterwards, select the key by entering its number and pressing ENTER): 

gpg --keyserver keyserver.ubuntu.com --search-keys Manjaro Build Server

4. Finally, verify if the .iso image file was built by the Manjaro Build Server, Philip Müller or one of the other Manjaro Developers: 

gpg --verify manjaro-ISO-image.iso.sig manjaro-ISO-image.iso

Compare the key which was used to sign the .iso file with the corresponding developer key.

Check whether the .ISO was verified by Philip Müller's GPG key, another Manjaro Developer's key, or the Manjaro Build Server key which you have imported to your system. If this is the case, you can be sure that your .iso is official.

Links

Retrieved from "https://wiki.manjaro.org/index.php?title=How-to_verify_GPG_key_of_official_.ISO_images&oldid=33200"
Cookies help us deliver our services. By using our services, you agree to our use of cookies.