History:
Hello, so far I have no server (it is an x86_64 desktop, but this information is not needed for my question).
I would like to install Yunohost, but before that I would like to check the integrity of the .iso file. I know how to check the sha256sum, but I don’t know how to use the .sig file.
Here is what I have tried:
gpg --verify yunohost-buster-4.1.8-amd64-stable.iso.sig yunohost-buster-4.1.8-amd64-stable.iso
gpg: Signature faite le mar. 04 mai 2021 21:10:07 CEST
gpg: avec la clef RSA 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF
gpg: Impossible de vérifier la signature : Pas de clef publique
I think I need the public key (maybe located here) but I don’t know how to add it to my computer (I am on Debian Bullseye).
Question:
How should I proceed, please (what are the steps/commands to check the integrity of the file)?
You can also speak French if you want to. Thank you very much for your kind help.
Then I added the repository key with the following command:
gpg -a --export 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF | sudo apt-key add -
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
Now, if I check the integrity, I can read the following:
gpg --verify yunohost-buster-4.1.8-amd64-stable.iso.sig yunohost-buster-4.1.8-amd64-stable.iso
gpg: Signature faite le mar. 04 mai 2021 21:10:07 CEST
gpg: avec la clef RSA 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF
gpg: Bonne signature de « YunoHost <build@yunohost.org> » [inconnu]
gpg: Attention : cette clef n'est pas certifiée avec une signature de confiance.
gpg: Rien n'indique que la signature appartient à son propriétaire.
Empreinte de clef principale : 1904 C5B4 2E48 56DC D4E9 CF96 360A AF32 59A3 E6FF
Meaning that it works.
However, as you can see, it says that apt-key is deprecated; therefore, do you know a better way to check integrity?
Also, as said in the linked thread, a member suggests doing:
I suggest deciding on the best way to check integrity and adding it to the documentation because, as Yunohost is a self-hosted server, some people may want to trust the .iso file first.
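
Added example (not part of the original post and not YunoHost's own procedure): `gpg --verify` reads the user's GnuPG keyring rather than APT's, so `apt-key` is not involved in this check. The sketch below verifies the detached signature in a throwaway keyring and accepts it only if the primary-key fingerprint reported by gpg equals the one shown in the output above; `KEYFILE` (the publisher's public key, obtained separately), `yunohost.asc` and both function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Fingerprint copied from the gpg output quoted in the post; compare it with
# one published by the project over a separate channel before pinning it.
EXPECTED_FPR="1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF"

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line
# carries the wanted primary-key fingerprint (its last field) and gpg reported
# no bad, unverifiable, expired-key or revoked-key signature.
status_matches_fpr() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# usage: verify_detached KEYFILE SIGFILE DATAFILE
# e.g.   verify_detached yunohost.asc \
#            yunohost-buster-4.1.8-amd64-stable.iso.sig \
#            yunohost-buster-4.1.8-amd64-stable.iso
# KEYFILE is a hypothetical path to the publisher's exported public key.
verify_detached() {
    tmp=$(mktemp -d) || return 1
    # Import into a temporary homedir so neither the personal keyring nor
    # APT's trusted keys are modified.
    gpg --homedir "$tmp" --batch --quiet --import "$1" 2>/dev/null &&
    gpg --homedir "$tmp" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        status_matches_fpr "$EXPECTED_FPR"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

An exit status of 0 from `verify_detached` means the signature is valid and was made under the pinned key; it says nothing about whether the pinned fingerprint itself is the project's, which is what the "not certified with a trusted signature" warning in the gpg output refers to.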