gpg --keyserver-options auto-key-retrieve --verify archlinux-version-x86_64.iso.sig stated the signature didn't exist. I got that off the Installation_guide so trashed that archlinux disk. I used aria2c -V -l archlinux.log followed by the current torrent name. end result was a failure to install with all manner of python errors before I tried to get the signature and verify the disk. We have here verizon fios and that's turned into an unreliable internet connection since August of 2022. The owner of the account hasn't got time to straighten any of the problems out and so far as that account is concerned I'm just a user. -- Jude <jdashiel at panix dot com> "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." Ed Howdershelt 1940. On Thu, 31 Aug 2023, mpan wrote:
Having downloaded the torrent and burned the iso to a dvd I verified the torrent using sha256sum but apparently that wasn't enough since the installation broke part of the way through which means I ought to have used the gpg verification that is available online. What is done with those asc files to verify a download? I used lftp with no options on the command line and maybe that was also a mistake on my part. Hello,
If the ISO has a matching SHA-256,⁽¹⁾ then it’s not damaged. If you downloaded it over torrent, it’s also not damaged, as the client already verifies the content.⁽²⁾
Using a PGP signature is meant to prove authenticity of the ISO: that it came from rightful Arch maintainers and not a malicious actor. However, to make SHA-256 hash match, that actor would need to have control over either Arch website or your HTTPS connection to it. If they did, verifying the ISO with a key you obtained through the same route wouldn’t help help at all. Even more, an attacker would typically avoid breaking the ISO.
So, while verifying the PGP signature is the best practice and I strongly encourage you to use it whenever possible, in this case you are likely facing a different problem. How did the installation “broke part of the way through”?
____ ⁽¹⁾ 3bf1287333de5c26663b70a17ce7573f15dc60780b140cbbd1c720338c0abac5 ⁽²⁾ Though v1 torrent hashes only protect against random errors, not intentional modifications.