ISO verification: Should I also validate 'Primary key fingerprint'?

Question: Should I also verify the full ‘Primary key fingerprint’?

Primary key fingerprint: 1904 C5B4 2E48 56DC D4E9  CF96 360A AF32 59A3 E6FF

Also sharing my verification steps, since I did not find much info, in case it helps others.

Verifying the ISO file, this is what I did:

A) Verify signatures

$ gpg --import yunohost.asc

  gpg: key 360AAF3259A3E6FF: "YunoHost <build@yunohost.org>" not changed
  gpg: Total number processed: 1
  gpg:              unchanged: 1

$ gpg --verify yunohost-bullseye-11.0.9-amd64-stable.iso.sig

  gpg: assuming signed data in 'yunohost-bullseye-11.0.9-amd64-stable.iso'
  gpg: Signature made Mon 08 Aug 2022 07:01:22 AM EDT
  gpg:                using RSA key 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF
  gpg: Good signature from "YunoHost <build@yunohost.org>" [unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 1904 C5B4 2E48 56DC D4E9  CF96 360A AF32 59A3 E6FF

B) Verify Checksum

Once the signed images were found to be valid, I used the ‘GtkHash’ checksum Linux utility/app to extract the sha256sum from the YunoHost ISO and compare it to the YunoHost ‘Checksum’ file [*"save link as" is usually recommended over direct download].
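
Added example, not part of the original post and not YunoHost's own tooling: a shell check that makes the fingerprint comparison asked about above explicit, by parsing gpg's machine-readable `--status-fd` output and requiring the full 40-character primary key fingerprint to equal a pinned value. The pinned value is the one printed in the post and is assumed to have been confirmed through a channel you trust; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Pin the full primary key fingerprint instead of relying on "Good signature".
# Value as printed in the post (assumption: confirmed via a trusted channel).
EXPECTED_FPR="1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF"

# Constructed sample of `gpg --status-fd 1 --verify` output (not a real capture).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 360AAF3259A3E6FF YunoHost <build@yunohost.org>
[GNUPG:] VALIDSIG 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF 2022-08-08 1659956482 0 4 0 1 10 00 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF'

# Strip whitespace and upper-case, so "1904 C5B4 ..." compares equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read status lines on stdin and print the primary key fingerprint from the
# VALIDSIG record, but only if gpg also reported GOODSIG (signature valid and
# key neither expired nor revoked). Field 12 is the primary key fingerprint;
# older gpg versions omit it, in which case field 3 is used.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
         $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = (NF >= 12 ? $12 : $3) }
         END { if (good && fpr != "") print fpr }'
}

# fpr_matches STATUS EXPECTED: succeed only for a good signature whose
# primary key fingerprint equals EXPECTED.
fpr_matches() {
    _got=$(printf '%s\n' "$1" | primary_fpr_from_status)
    [ -n "$_got" ] && [ "$(normalize_fpr "$_got")" = "$(normalize_fpr "$2")" ]
}

# verify_iso SIG ISO: run gpg on real files and apply the check.
verify_iso() {
    _status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    if fpr_matches "$_status" "$EXPECTED_FPR"; then
        echo "OK: good signature from pinned key $EXPECTED_FPR"
    else
        echo "FAIL: no good signature from the pinned key" >&2
        return 1
    fi
}

# With two arguments (SIG ISO) verify real files; otherwise check the sample.
if [ "$#" -eq 2 ]; then
    verify_iso "$1" "$2"
else
    fpr_matches "$SAMPLE_STATUS" "$EXPECTED_FPR" && echo "sample: fingerprint matches"
fi
```

A "Good signature" line only says the file was signed by some key in the local keyring; comparing the full fingerprint is what ties that key to the publisher.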

Hi @foss, thanks for taking the time to contribute your question and concerns.

Does the content of this forum post, "How to check integrity", answer your question?

Where would you like to see more documentation about this verification process?
