How to check integrity please

History :
Hello, so far I have no server (it is an x86_64 desktop, but this information is not needed for my question).

I would like to install Yunohost but before that, I would like to check the integrity of the .iso file. I know how to check sha256sum, but I don’t know how to use the .sig file.

Please find what I have tried :

gpg --verify yunohost-buster-4.1.8-amd64-stable.iso.sig yunohost-buster-4.1.8-amd64-stable.iso
gpg: Signature faite le mar. 04 mai 2021 21:10:07 CEST
gpg:                avec la clef RSA 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF
gpg: Impossible de vérifier la signature : Pas de clef publique

I think I need the public key (maybe located here) but I don’t know how to add it to my computer (I am on Debian Bullseye).

Question :
How should I proceed, please (what are the steps/commands to check the file's integrity)?

You can also speak french if you want to. Thank you very much for your kind help.

I have managed to check the file by following this thread, but I need confirmation about the method :

I have imported the key according to the above reference :

gpg --keyserver pgpkeys.mit.edu --recv-key 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF
gpg: clef 360AAF3259A3E6FF : clef publique « YunoHost <build@yunohost.org> » importée
gpg:       Quantité totale traitée : 1
gpg:                     importées : 1

Then I have added the repository key with the following command :

gpg -a --export 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF | sudo apt-key add -
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK

Now, if I check the integrity, I can read the following :

gpg --verify yunohost-buster-4.1.8-amd64-stable.iso.sig yunohost-buster-4.1.8-amd64-stable.iso
gpg: Signature faite le mar. 04 mai 2021 21:10:07 CEST
gpg:                avec la clef RSA 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF
gpg: Bonne signature de « YunoHost <build@yunohost.org> » [inconnu]
gpg: Attention : cette clef n'est pas certifiée avec une signature de confiance.
gpg:             Rien n'indique que la signature appartient à son propriétaire.
Empreinte de clef principale : 1904 C5B4 2E48 56DC D4E9  CF96 360A AF32 59A3 E6FF

Meaning that it works.

However, as you can see, it says that apt-key is deprecated. Therefore, do you know a better way to check integrity?

Also, as said in the linked thread, a member suggests doing:

sudo aptitude install debian-keyring debian-archive-keyring

What do you think ?

I suggest deciding on the best way to check integrity and adding it to the documentation because, as Yunohost is a self-hosted server, some people may want to trust the .iso file first.

Thank you very much.
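
On the apt-key question raised in the thread: checking the .iso only needs gpg, so the key does not have to go into apt's keyring at all. The sketch below is an added example, not from the original posts or from the YunoHost project; it verifies the detached signature in a throwaway keyring and accepts it only if the signing key's primary fingerprint equals the one printed in the thread. The function names and the key file argument (a key obtained separately from a source you trust) are assumptions.

```shell
#!/bin/sh
# Fingerprint exactly as gpg printed it in the thread above.
PINNED_FPR="1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF"

# Read `gpg --status-fd` lines on stdin. Succeed only if gpg reported a good
# signature AND the VALIDSIG primary-key fingerprint (last field) equals $1.
check_status() {
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    $2 == "GOODSIG"  { good = 1 }
    $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
    $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
    $2 == "VALIDSIG" {
      fpr = (NF >= 12) ? $12 : $3   # older gpg omits the primary fingerprint
      if (toupper(fpr) == toupper(want)) pinned = 1
    }
    END { exit !(good && pinned && !bad) }
  '
}

# usage: verify_iso KEYFILE SIGFILE ISOFILE
# Runs in a subshell with a temporary GNUPGHOME, so nothing is added to
# ~/.gnupg or to apt's trusted keys.
verify_iso() (
  home=$(mktemp -d) || exit 2
  rc=1
  if gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null; then
    if gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" \
         2>/dev/null | check_status "$PINNED_FPR"; then
      rc=0
    fi
  fi
  rm -rf "$home"
  exit "$rc"
)

# Constructed sample of the status lines gpg emits for a good signature
# (illustrative values, not captured output).
constructed_status() {
  cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 360AAF3259A3E6FF YunoHost <build@yunohost.org>
[GNUPG:] VALIDSIG 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF 2021-05-04 1620155407 0 4 0 1 10 00 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF
EOF
}
```

The "not certified with a trusted signature" warning in the output above is about the web of trust; comparing the full fingerprint against a value obtained out of band, as `check_status` does, is what ties the signature to a specific key.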
