Re: the archlinux torrent

[Ralf Mardorf <ralf-mardorf@xxxxxxxxxx>]

Hi,

to demonstrate how to verify the ISO I didn't use the torrent.

1.

• rocketmouse@archlinux /tmp/verification_demo 
$ wget --quiet http://ftp.agdsn.de/pub/mirrors/archlinux/iso/2023.08.01/archlinux-2023.08.01-x86_64.iso{,.sig}
• rocketmouse@archlinux /tmp/verification_demo 
$ sq wkd get pierre@xxxxxxxxxxxxx -o release-key.pgp
• rocketmouse@archlinux /tmp/verification_demo 
$ sq verify --signer-file release-key.pgp --detached archlinux-2023.08.01-x86_64.iso.sig archlinux-2023.08.01-x86_64.iso
Good signature from 76A5EF9054449A5C ("Pierre Schmitz <pierre@xxxxxxxxxxxxx>")

1 good signature.
• rocketmouse@archlinux /tmp/verification_demo 
$ echo $?
0


2.

• rocketmouse@archlinux /tmp/verification_demo 
$ gpg --keyserver-options auto-key-retrieve --verify archlinux-2023.08.01-x86_64.iso.sig
gpg: assuming signed data in 'archlinux-2023.08.01-x86_64.iso'
gpg: Signature made Tue 01 Aug 2023 14:19:49 CEST
gpg:                using EDDSA key 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
gpg:                issuer "pierre@xxxxxxxxxxxxx"
gpg: key 76A5EF9054449A5C: public key "Pierre Schmitz <pierre@xxxxxxxxxxxxx>" imported
gpg: key 7F2D434B9741E8AC: public key "Pierre Schmitz <pierre@xxxxxxxxxxxxx>" imported
gpg: Total number processed: 2
gpg:               imported: 2
gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
gpg: no ultimately trusted keys found
gpg: Good signature from "Pierre Schmitz <pierre@xxxxxxxxxxxxx>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3E80 CA1A 8B89 F69C BA57  D98A 76A5 EF90 5444 9A5C
• rocketmouse@archlinux /tmp/verification_demo 
$ echo $?
0


3.

• rocketmouse@archlinux /tmp/verification_demo 
$ pacman-key -v archlinux-2023.08.01-x86_64.iso.sig
==> Checking archlinux-2023.08.01-x86_64.iso.sig... (detached)
gpg: Signature made Tue 01 Aug 2023 14:19:49 CEST
gpg:                using EDDSA key 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
gpg:                issuer "pierre@xxxxxxxxxxxxx"
gpg: Note: trustdb not writable
gpg: Good signature from "Pierre Schmitz <pierre@xxxxxxxxxxxxx>" [full]
gpg:                 aka "Pierre Schmitz <pierre@xxxxxxxxxxxx>" [unknown]
• rocketmouse@archlinux /tmp/verification_demo 
$ echo $?
0


Regards,
Ralf