I have managed to check the file by following this thread, but I need confirmation about the method:
I have imported the key according to the above reference:
gpg --keyserver pgpkeys.mit.edu --recv-key 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF
gpg: clef 360AAF3259A3E6FF : clef publique « YunoHost <build@yunohost.org> » importée
gpg: Quantité totale traitée : 1
gpg: importées : 1
Then I added the repository key with the following command:
gpg -a --export 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF | sudo apt-key add -
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
Now, if I check the integrity, I can read the following:
gpg --verify yunohost-buster-4.1.8-amd64-stable.iso.sig yunohost-buster-4.1.8-amd64-stable.iso
gpg: Signature faite le mar. 04 mai 2021 21:10:07 CEST
gpg: avec la clef RSA 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF
gpg: Bonne signature de « YunoHost <build@yunohost.org> » [inconnu]
gpg: Attention : cette clef n'est pas certifiée avec une signature de confiance.
gpg: Rien n'indique que la signature appartient à son propriétaire.
Empreinte de clef principale : 1904 C5B4 2E48 56DC D4E9 CF96 360A AF32 59A3 E6FF
Meaning that it works.
However, as you can see, it is said that apt-key is deprecated; therefore, do you know a better way to check integrity?
Also, as said in the linked thread, a member suggests doing:
sudo aptitude install debian-keyring debian-archive-keyring
What do you think ?
I suggest deciding on the best way to check integrity and adding it to the documentation because, as YunoHost is a self-hosted server, some people may want to trust the .iso file first.
Thank you very much.
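
The signature check from the post done with gpg alone, without apt-key, as an added example that is not part of the original post or of YunoHost's documentation. It pins the fingerprint shown in the post and reads gpg's machine-readable status output; the function names and the temporary GnuPG home are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post): check the ISO signature against a pinned
# fingerprint with gpg alone. Fingerprint, keyserver and file names are the
# ones shown in the post; function names are made up for this example.
EXPECTED_FPR=1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF

# Constructed sample of the machine-readable line gpg prints for a good
# signature (--status-fd); the last field is the primary key fingerprint.
SAMPLE_STATUS="[GNUPG:] VALIDSIG $EXPECTED_FPR 2021-05-04 1620155407 0 4 0 1 10 00 $EXPECTED_FPR"

# status_ok FPR: read gpg status lines on stdin. Succeed only if a VALIDSIG
# line names FPR as primary key and no failure status was reported.
status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { good = 1 }
        END { exit !(good && !bad) }
    '
}

# verify_iso ISO SIG: use a throwaway GnuPG home so that only the pinned key
# is present, then judge the result from the status lines, not the messages.
verify_iso() {
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    if gpg --homedir "$home" --quiet --keyserver pgpkeys.mit.edu \
           --recv-key "$EXPECTED_FPR"; then
        gpg --homedir "$home" --status-fd 1 --verify "$2" "$1" 2>/dev/null |
            status_ok "$EXPECTED_FPR"
        rc=$?
    else
        rc=1
    fi
    rm -rf "$home"
    return "$rc"
}

# Usage: sh verify-iso.sh yunohost-buster-4.1.8-amd64-stable.iso \
#                         yunohost-buster-4.1.8-amd64-stable.iso.sig
if [ "$#" -eq 2 ]; then
    if verify_iso "$1" "$2"; then
        echo "OK: signed by $EXPECTED_FPR"
    else
        echo "FAILED: no valid signature from $EXPECTED_FPR" >&2
        exit 1
    fi
fi
```

The pinned fingerprint is only as trustworthy as the place it was copied from, so compare it with the value the project publishes over a separate channel.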