Having downloaded the torrent and burned the iso to a dvd I verified the
torrent using sha256sum but apparently that wasn't enough since the
installation broke part of the way through which means I ought to have
used the gpg verification that is available online. What is done with
those asc files to verify a download? I used lftp with no options on the
command line and maybe that was also a mistake on my part.

Hello,

If the ISO has a matching SHA-256,⁽¹⁾ then it’s not damaged. If you
downloaded it over torrent, it’s also not damaged, as the client already
verifies the content.⁽²⁾

Using a PGP signature is meant to prove authenticity of the ISO: that
it came from the rightful Arch maintainers and not a malicious actor.
However, to make the SHA-256 hash match, that actor would need to have
control over either the Arch website or your HTTPS connection to it. If they
did, verifying the ISO with a key you obtained through the same route
wouldn’t help at all. Even more, an attacker would typically avoid
breaking the ISO.

So, while verifying the PGP signature is the best practice and I
strongly encourage you to use it whenever possible, in this case you are
likely facing a different problem. How did the installation “broke part
of the way through”?
____
⁽¹⁾ 3bf1287333de5c26663b70a17ce7573f15dc60780b140cbbd1c720338c0abac5
⁽²⁾ Though v1 torrent hashes only protect against random errors, not
intentional modifications.
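
The two checks discussed in this thread, as an added example that is not part of the original messages: an integrity check against a published SHA-256, and an authenticity check that accepts a detached signature only if it was made by a key whose fingerprint was pinned out of band. The function names, file arguments and pinned fingerprint are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example. ISO/signature paths and the pinned fingerprint are supplied
# by the caller; nothing here is taken from the Arch project's own tooling.

# sha256_matches FILE EXPECTED_HEX -> 0 if FILE hashes to EXPECTED_HEX
# (integrity only: detects a damaged download, says nothing about origin).
sha256_matches() {
    [ -r "$1" ] || return 2
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# primary_fpr_from_status: read `gpg --status-fd` output on stdin and print
# the primary-key fingerprint (last VALIDSIG field), but only if GOODSIG was
# also reported, i.e. the signing key is neither expired nor revoked.
# Assumes a single signature in the file.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
         $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $NF }
         END { if (good && fpr != "") { print fpr; exit 0 } exit 1 }'
}

# signed_by FILE SIG PINNED_FPR -> 0 only if SIG is a good detached signature
# over FILE made by the key with primary fingerprint PINNED_FPR.
# PINNED_FPR must come from a channel other than the download site,
# otherwise this adds nothing over the hash check.
signed_by() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" | primary_fpr_from_status) || return 1
    pinned=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "$fpr" = "$pinned" ]
}
```

Comparing the fingerprint from the machine-readable status output, rather than trusting gpg's exit code alone, is what ties the result to one specific key instead of to any key that happens to be in the keyring.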