Yes, I am aware of that, but just like the OP it was unclear/overwhelming to me how to trust the gpg key. @flyingcakes explained that in a very understandable way, so that part is nice to have on the download page?
I agree @flyingcakes explained it in a clear and understandable way, and thus it would fit well on the download page.
Let’s see how busy @joekamprad is and what he feels about it.
Practically speaking, it shouldn’t matter if the key is trusted or not.
After manually setting trust level to 2, i.e. I do NOT trust, I get this output.
```
gpg: assuming signed data in 'EndeavourOS_Endeavour_neo-2024.09.22.iso'
gpg: Signature made Sun 22 Sep 2024 04:33:38 PM IST
gpg: using RSA key 8F43FC374CD4CEEA19CEE323E3D8752ACDF595A1
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: Good signature from "Johannes Kamprad (joekamprad development key) <joekamprad@endeavouros.com>" [unknown]
gpg: aka "[jpeg image of size 3520]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8F43 FC37 4CD4 CEEA 19CE E323 E3D8 752A CDF5 95A1
```
It warns about the key not being trusted. Nonetheless, it gives us the info we need: the ISO has a “good signature”.
Since it’s Joe’s signature (whom I trust!), I keep the trust level at 5, i.e. I trust ultimately.
But the trusting process not being on the website doesn’t hamper the process of verifying the ISO itself. Yes, it’s confusing because gpg warns about the signature.
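Added example, not part of the thread and not EndeavourOS's own tooling: a shell check that accepts the ISO only when gpg's machine-readable status reports a valid signature whose primary key fingerprint equals the one shown in the output above, whatever the local trust level is. The function names, the signature-file argument and the sample status lines are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Fingerprint copied from the "Primary key fingerprint" line in the post above.
EXPECTED_FPR="8F43FC374CD4CEEA19CEE323E3D8752ACDF595A1"

# check_status EXPECTED_FPR
# Reads `gpg --status-fd` lines on stdin. Succeeds only if every VALIDSIG line
# names the expected primary key and no bad/expired/revoked status appears.
# TRUST_* lines are ignored on purpose: the trust level is a local setting and
# does not change whether the signature itself is good.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint; fall back to the
            # signing key fingerprint (field 3) if it is absent.
            primary = (NF >= 12) ? $12 : $3
            if (toupper(primary) == toupper(want)) ok = 1; else other = 1
        }
        END { exit !(ok && !bad && !other) }
    '
}

# verify_iso SIGNATURE_FILE ISO_FILE  (hypothetical helper for this example)
verify_iso() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Constructed sample of the status lines gpg emits for a good signature made
# by a key with undefined trust (values built for this example, not captured).
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG E3D8752ACDF595A1 Johannes Kamprad (joekamprad development key) <joekamprad@endeavouros.com>
[GNUPG:] VALIDSIG 8F43FC374CD4CEEA19CEE323E3D8752ACDF595A1 2024-09-22 1727003018 0 4 0 1 10 00 8F43FC374CD4CEEA19CEE323E3D8752ACDF595A1
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}
```

The expected fingerprint should be compared against one obtained from a channel you already trust, since a "Good signature" line only says the file matches whichever key signed it.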
Adding a detailed tutorial on the main website is not to my liking.
We can link to a wiki with an exact, detailed article.
This can be added to the discovery wiki.
I will be happy to add when you send it to me here or in P.M. or mail…