--
Jude <jdashiel at panix dot com>
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." Ed Howdershelt 1940.

On Fri, 1 Sep 2023, Ralf Mardorf wrote:
Hi,
to demonstrate how to verify the ISO I didn't use the torrent.
1.

rocketmouse@archlinux /tmp/verification_demo $ wget --quiet http://ftp.agdsn.de/pub/mirrors/archlinux/iso/2023.08.01/archlinux-2023.08.01-x86_64.iso{,.sig}
rocketmouse@archlinux /tmp/verification_demo $ sq wkd get pierre@archlinux.org -o release-key.pgp
rocketmouse@archlinux /tmp/verification_demo $ sq verify --signer-file release-key.pgp --detached archlinux-2023.08.01-x86_64.iso.sig archlinux-2023.08.01-x86_64.iso
Good signature from 76A5EF9054449A5C ("Pierre Schmitz <pierre@archlinux.org>")
1 good signature.
rocketmouse@archlinux /tmp/verification_demo $ echo $?
0

2.

rocketmouse@archlinux /tmp/verification_demo $ gpg --keyserver-options auto-key-retrieve --verify archlinux-2023.08.01-x86_64.iso.sig
gpg: assuming signed data in 'archlinux-2023.08.01-x86_64.iso'
gpg: Signature made Tue 01 Aug 2023 14:19:49 CEST
gpg:                using EDDSA key 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
gpg:                issuer "pierre@archlinux.org"
gpg: key 76A5EF9054449A5C: public key "Pierre Schmitz <pierre@archlinux.org>" imported
gpg: key 7F2D434B9741E8AC: public key "Pierre Schmitz <pierre@archlinux.org>" imported
gpg: Total number processed: 2
gpg:               imported: 2
gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
gpg: no ultimately trusted keys found
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3E80 CA1A 8B89 F69C BA57 D98A 76A5 EF90 5444 9A5C
rocketmouse@archlinux /tmp/verification_demo $ echo $?
0

3.

rocketmouse@archlinux /tmp/verification_demo $ pacman-key -v archlinux-2023.08.01-x86_64.iso.sig
==> Checking archlinux-2023.08.01-x86_64.iso.sig... (detached)
gpg: Signature made Tue 01 Aug 2023 14:19:49 CEST
gpg:                using EDDSA key 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
gpg:                issuer "pierre@archlinux.org"
gpg: Note: trustdb not writable
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.org>" [full]
gpg:                 aka "Pierre Schmitz <pierre@archlinux.de>" [unknown]
rocketmouse@archlinux /tmp/verification_demo $ echo $?
0
Regards, Ralf
One nice thing sourceforge.net does for packages is to have all old versions show their dates in their package names, but the current package has "latest" replacing its date in its package name. That removes confusion as to which package to download. With only multiple date possibilities to download, something like scripting would be needed to locate current packages and associated verification files for download, unless a user would otherwise search directories and have had enough coffee on board for those late night file download sessions. More than once I got the wrong verification files that didn't match a dated package and had to clean the disk and try another download.
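An added example, not code from either post: a small POSIX shell script that ties Ralf's step 2 and Jude's mismatched-files problem together. One version string produces both the ISO name and the .sig name, so the two can never come from different releases, and the signature is accepted only when gpg's machine-readable status (--status-fd) reports a VALIDSIG whose primary fingerprint equals a pinned value. That pin is the missing check in step 2: "Good signature" and echo $? giving 0 hold even with the "This key is not certified" WARNING, because gpg's exit status says the signature is mathematically valid, not that the key is the right one. (pacman-key -v shows [full] only because the pacman keyring already trusts the Arch master keys that certify this key.) The mirror URL and the fingerprint 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C are taken from the thread; the sample status lines are constructed, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from Ralf's or Jude's posts): download an Arch ISO and
# the .sig from the same release, then accept the signature only if it was
# made by the pinned release key. Mirror URL and fingerprint come from the
# thread; SAMPLE_STATUS below is constructed, not captured output.
set -eu

# Primary key fingerprint printed by gpg in the thread (pierre@archlinux.org).
EXPECTED_FPR=3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
MIRROR=${MIRROR:-http://ftp.agdsn.de/pub/mirrors/archlinux}

# One version string decides both file names, so the ISO and its .sig can
# never be taken from different dated releases.
iso_name() { printf 'archlinux-%s-x86_64.iso\n' "$1"; }
iso_url()  { printf '%s/iso/%s/%s\n' "$MIRROR" "$1" "$(iso_name "$1")"; }

# Read "gpg --status-fd 1" output on stdin and print the primary-key
# fingerprint, which gpg carries as the last field of the VALIDSIG line.
# Exit 1 when no VALIDSIG line exists (BADSIG, missing key, ...).
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1 }
         END { exit !found }'
}

# Succeed only if the status stream has a VALIDSIG whose primary fingerprint
# equals $1. A GOODSIG from some other key whose user ID also reads
# "Pierre Schmitz <pierre@archlinux.org>" fails here.
check_status() {
    want=$1
    fpr=$(primary_fpr_from_status) || return 1
    [ "$fpr" = "$want" ]
}

# verify_iso VERSION: fetch ISO and .sig, then verify against the pinned key.
# Needs network and gpg; this is what the thread's step 2 does by hand.
# auto-key-retrieve may import any key that claims the signing key ID, which
# is exactly why the fingerprint comparison, not the import, decides.
verify_iso() {
    iso=$(iso_name "$1")
    wget --quiet "$(iso_url "$1")" "$(iso_url "$1").sig"
    # Status lines go to fd 1; the human-readable report stays on stderr.
    gpg --keyserver-options auto-key-retrieve --status-fd 1 \
        --verify "$iso.sig" "$iso" | check_status "$EXPECTED_FPR"
}

# Constructed sample of the status lines gpg emits for the signature shown in
# the thread (the SIG_ID and timestamp values are made up).
SAMPLE_STATUS='[GNUPG:] NEWSIG pierre@archlinux.org
[GNUPG:] KEY_CONSIDERED 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C 0
[GNUPG:] SIG_ID AbCdEfGhIjKlMnOpQrStUvWxYz 2023-08-01 1690892389
[GNUPG:] GOODSIG 76A5EF9054449A5C Pierre Schmitz <pierre@archlinux.org>
[GNUPG:] VALIDSIG 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C 2023-08-01 1690892389 0 4 0 22 10 00 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Stand-alone demo on the constructed sample (no download, no gpg needed):
if printf '%s\n' "$SAMPLE_STATUS" | check_status "$EXPECTED_FPR"; then
    echo "signature made by pinned key $EXPECTED_FPR"
fi
```

To verify a real release, source the script and run verify_iso 2023.08.01; its exit status is that of check_status, so a download that gpg calls a "Good signature" from an unpinned key still fails. If a status stream carries several VALIDSIG lines (a file signed by more than one key), check_status rejects it as written; extend the awk filter if you need to accept any one of a set of pinned fingerprints.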