Hi, I have downloaded Linux Manjaro and SHA1 is OK. I would like to check the .sig file. I have only a Windows 10 here, I have gpg4win installed (Kleopatra, extension for context menu …).
I have read the manual of GNUPG and linux forums.
I have also read how to verify ISO images in the wiki.
Just a question in advance.
How do I know that the imported keys from the keyservers (gitlab etc) are valid/trustworthy? In reality I cannot be 100% sure, correct? I just want to learn the theory behind this.
Any good explanations (website, youtube?)
ISO file and .sig file are in the same directory.
(translated from German)
Attempt 1:
I right-click the .iso file, and “check and verify” ends in this result:
“Files cannot be checked. Signature created on … with unknown certificate. You can search for certificate on keyserver …”
“signature cannot be checked. No public key”
Attempt 2:
I downloaded manjaro.gpg (from gitlab) and imported it in Kleopatra.
I still get a message:
“Files cannot be checked. Signature created on … with certificate Manjaro Build Server …”. You can search for certificate on keyserver …
What do I have to do now to be secure?
Thank you.