Question: Should I also verify the full ‘Primary key fingerprint’?
Primary key fingerprint: 1904 C5B4 2E48 56DC D4E9 CF96 360A AF32 59A3 E6FF
Also sharing my verification steps since I did not find much info, in case it helps others.
Verifying the ISO file, this is what I did:
A) Verify signatures
$ gpg --import yunohost.asc
gpg: key 360AAF3259A3E6FF: "YunoHost <build@yunohost.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
$ gpg --verify yunohost-bullseye-11.0.9-amd64-stable.iso.sig
gpg: assuming signed data in 'yunohost-bullseye-11.0.9-amd64-stable.iso'
gpg: Signature made Mon 08 Aug 2022 07:01:22 AM EDT
gpg: using RSA key 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF
gpg: Good signature from "YunoHost <build@yunohost.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1904 C5B4 2E48 56DC D4E9 CF96 360A AF32 59A3 E6FF
B) Verify Checksum
Once the signed images were found to be valid, I used the ‘GtkHash’ checksum Linux utility/app to extract the sha256sum from the YunoHost ISO & compare it to the YunoHost ‘Checksum’ file [*‘save link as’ is usually recommended over direct download]
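
A scripted form of step A that compares the full 40-character primary key fingerprint instead of reading it by eye, as an added example that is not part of the original post. The function names are hypothetical, the pinned value is the fingerprint printed in the post (replace it with one obtained from a source you trust), and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): pin the full primary key
# fingerprint when checking a detached signature.

# Fingerprint as printed in the post; replace with the value you obtained
# from a source you trust.
EXPECTED_FPR="1904 C5B4 2E48 56DC D4E9 CF96 360A AF32 59A3 E6FF"

# Constructed sample of `gpg --status-fd 1 --verify` output (timestamps and
# algorithm fields are made up) so the parser can be exercised offline.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 360AAF3259A3E6FF YunoHost <build@yunohost.org>
[GNUPG:] VALIDSIG 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF 2022-08-08 1659956482 0 4 0 1 10 00 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF'

# Strip whitespace and upper-case, so "1904 C5B4 ..." and "1904c5b4..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read status lines on stdin and print the last field of the first VALIDSIG
# line, which is the primary key fingerprint. Fails if there is no VALIDSIG
# (bad signature, missing key, ...).
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1; exit }
         END { if (!found) exit 1 }'
}

# Succeeds only if stdin holds a VALIDSIG whose primary key equals $1.
check_status() {
    actual=$(primary_fpr_from_status) || return 1
    [ "$(normalize_fpr "$actual")" = "$(normalize_fpr "$1")" ]
}

# verify_iso SIGFILE DATAFILE: 0 only for a valid signature by the pinned key.
verify_iso() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | check_status "$EXPECTED_FPR"
}

# Usage: verify_iso yunohost-bullseye-11.0.9-amd64-stable.iso.sig \
#                   yunohost-bullseye-11.0.9-amd64-stable.iso && echo OK
```

Because the comparison is on the whole fingerprint, a key that shares only the 16-character key ID `360AAF3259A3E6FF` is rejected.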