Hi, to demonstrate how to verify the ISO I didn't use the torrent. 1. • rocketmouse@archlinux /tmp/verification_demo $ wget --quiet http://ftp.agdsn.de/pub/mirrors/archlinux/iso/2023.08.01/archlinux-2023.08.01-x86_64.iso{,.sig} • rocketmouse@archlinux /tmp/verification_demo $ sq wkd get pierre@archlinux.org -o release-key.pgp • rocketmouse@archlinux /tmp/verification_demo $ sq verify --signer-file release-key.pgp --detached archlinux-2023.08.01-x86_64.iso.sig archlinux-2023.08.01-x86_64.iso Good signature from 76A5EF9054449A5C ("Pierre Schmitz <pierre@archlinux.org>") 1 good signature. • rocketmouse@archlinux /tmp/verification_demo $ echo $? 0 2. • rocketmouse@archlinux /tmp/verification_demo $ gpg --keyserver-options auto-key-retrieve --verify archlinux-2023.08.01-x86_64.iso.sig gpg: assuming signed data in 'archlinux-2023.08.01-x86_64.iso' gpg: Signature made Tue 01 Aug 2023 14:19:49 CEST gpg: using EDDSA key 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C gpg: issuer "pierre@archlinux.org" gpg: key 76A5EF9054449A5C: public key "Pierre Schmitz <pierre@archlinux.org>" imported gpg: key 7F2D434B9741E8AC: public key "Pierre Schmitz <pierre@archlinux.org>" imported gpg: Total number processed: 2 gpg: imported: 2 gpg: Note: third-party key signatures using the SHA1 algorithm are rejected gpg: no ultimately trusted keys found gpg: Good signature from "Pierre Schmitz <pierre@archlinux.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 3E80 CA1A 8B89 F69C BA57 D98A 76A5 EF90 5444 9A5C • rocketmouse@archlinux /tmp/verification_demo $ echo $? 0 3. • rocketmouse@archlinux /tmp/verification_demo $ pacman-key -v archlinux-2023.08.01-x86_64.iso.sig ==> Checking archlinux-2023.08.01-x86_64.iso.sig... (detached) gpg: Signature made Tue 01 Aug 2023 14:19:49 CEST gpg: using EDDSA key 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C gpg: issuer "pierre@archlinux.org" gpg: Note: trustdb not writable gpg: Good signature from "Pierre Schmitz <pierre@archlinux.org>" [full] gpg: aka "Pierre Schmitz <pierre@archlinux.de>" [unknown] • rocketmouse@archlinux /tmp/verification_demo $ echo $? 0 Regards, Ralf