Verifying ISO: mixed messages in output

Can anyone help me interpret?
(The --recv step was fine)

$ gpg --recv CDF595A1
gpg: key E3D8752ACDF595A1: public key "Johannes Kamprad (joekamprad development key) <>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --verify EndeavourOS_Galileo-Neo-2024.01.25.iso.sig
gpg: assuming signed data in 'EndeavourOS_Galileo-Neo-2024.01.25.iso'
gpg: Signature made Thu 25 Jan 2024 11:59:52 AM MST
gpg:                using RSA key 8F43FC374CD4CEEA19CEE323E3D8752ACDF595A1
gpg:                issuer ""
gpg: Good signature from "Johannes Kamprad (joekamprad development key) <>" [unknown]
gpg:                 aka "[jpeg image of size 3520]" [unknown]
gpg: WARNING: The key's User ID is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8F43 FC37 4CD4 CEEA 19CE  E323 E3D8 752A CDF5 95A1

what I do understand: matches the key fingerprint @ endeavour main site. says ‘good signature’ from Joe.

what I don’t understand: “There is no indication that the signature belongs to the owner.” and “WARNING: The key’s User ID is not certified with a trusted signature!”

the shasum check was “OK.” thank you.

You received the key from a keyserver so it isn’t trusted. If you trust it, you can locally sign the key so it is trusted but that isn’t needed for validating the key on an ISO.

If you want more info, search for pgp web of trust
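
Added example, not part of any post in this thread and not EndeavourOS tooling: a shell check that reads gpg's machine-readable `--status-fd` lines and accepts the ISO only when the signature is valid and made by the expected primary key fingerprint. The function names `check_status` and `sample_status` are hypothetical, and the sample status lines are constructed to mirror the output posted above.

```shell
#!/bin/sh
# Added example: judge an ISO signature from gpg status lines, not the human text.

# Fingerprint from the gpg output in this thread; compare it with the project site.
EXPECTED_FPR="8F43FC374CD4CEEA19CEE323E3D8752ACDF595A1"

# check_status FPR: reads `gpg --status-fd 1 --verify ...` output on stdin.
# Returns 0 only for a valid signature whose primary key fingerprint equals FPR.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key.
        $2 == "VALIDSIG" { valid = 1; primary = toupper(NF >= 12 ? $12 : $3) }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # TRUST_* reports local key validity (web of trust), not signature math.
        $2 ~ /^TRUST_/ { trust = $2 }
        END {
            if (bad || !valid)   { print "FAIL: no valid signature"; exit 1 }
            if (primary != want) { print "FAIL: unexpected key " primary; exit 1 }
            print "OK: valid signature by " primary " (" (trust ? trust : "no trust line") ")"
        }
    '
}

# Constructed status lines modelled on the output posted in this thread.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG E3D8752ACDF595A1 Johannes Kamprad (joekamprad development key) <>
[GNUPG:] VALIDSIG 8F43FC374CD4CEEA19CEE323E3D8752ACDF595A1 2024-01-25 1706209192 0 4 0 1 10 00 8F43FC374CD4CEEA19CEE323E3D8752ACDF595A1
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

if [ "$#" -eq 2 ]; then
    # Real use: sh verify.sh image.iso.sig image.iso
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$EXPECTED_FPR"
else
    sample_status | check_status "$EXPECTED_FPR"
fi
```

`TRUST_UNDEFINED` is the status-line counterpart of the `[unknown]` marker and the WARNING in the posted output: the key has not been certified by anyone the local keyring trusts, which is separate from whether the signature and fingerprint match.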

I can verify myself if you want too, let’s meet for a beer :beers:

But as dalto said already, my key is not trusted by your user:

ok, I get that. all else seems copacetic so I don’t need that extra step. thank you.

Unrelated: I want to try Endeavour with a WM like openbox or jwm now. The best way to do this is thru the live installer then run the git commands to the WM, right?
I mean I just can’t magically say goodbye to my DE and do the switcheroo without a new install I think.

you have a face I can trust, sir. but we can drink all the same :beers:

after user signing the key it would show like this

at the bottom of the Endeavour home page it has all the instructions, and this:
" To check the ISO file with gpg signature import our key and verify

(Do not forget to trust the key after validating it)"

reading in the gnupg link (in the word ‘trust’) it seems it would take some editing for that to happen. but I see what you mean.

gpg --edit-key

and follow the info in the guide -- gpg is quite speaky

maybe someday! looked daunting at first sight.

Indeed, must need to do that … better have a beer

