Hi Γιώργος,

On Wednesday, 23 December 2020 20:00:28 GMT Γιώργος Κωστόπουλος wrote:
> Hi!  :-)
> 
> I just downloaded the minimal installation ISO and I was trying the
> verification instructions.
> I admit that I'm not any kind of gpg expert, so the results are
> somewhat confusing to me.
> Can someone shed some light on them?
> 
> Here's console's output:
> >gpg --verify install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
> 
> gpg: Signature made Tue Dec 22 17:01:06 2020 EET
> gpg:                using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043D
> gpg: Good signature from "Gentoo Linux Release Engineering (Automated
> Weekly Release Key) <rel...@gentoo.org>" [unknown]

This is telling you the
'install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc' file, which contains
hashes of the various files listed in it, has a valid signature - i.e. the
hashes of these files have not been tampered with and they have been signed by
the owner of the Gentoo Release Engineering key.

Have a look here for the published developer keys:

https://wiki.gentoo.org/wiki/Project:RelEng


> gpg: WARNING: This key is not certified with a trusted signature!

This is telling you the above public key has not been marked as trusted in 
your own gpg keyring.


> gpg:          There is no indication that the signature belongs to the
> owner.

This is to be expected, unless you have checked the fingerprint of the 
imported key yourself against the keys published in the URL I provided above 
and thereafter edited the key's level of trust to mark it as trusted in your 
gpg keyring;  e.g. you'd need to run:

gpg --edit-key <KEY ID>

and follow the options available for this gpg subcommand to edit the key's 
trust level.  This is not necessary for a key you'll only use once, as long as 
you satisfy yourself the key fingerprint below matches what is published on 
the RelEng project page.


> Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
>      Subkey fingerprint: 534E 4209 AB49 EEE1 C19D  9616 2C44 695D B9F6 043D
> gpg: WARNING: not a detached signature; file
> 'install-amd64-minimal-20201222T005811Z.iso.DIGESTS' was NOT verified!
> 
> and:
> >sha512sum -c install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
> 
> install-amd64-minimal-20201222T005811Z.iso: OK
> install-amd64-minimal-20201222T005811Z.iso: FAILED
> install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: OK
> install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: FAILED
> sha512sum: WARNING: 14 lines are improperly formatted
> sha512sum: WARNING: 2 computed checksums did NOT match
> 
> 
> TIA!  :-)
> Giorgos.

So the above output checked the sha512 hashes of all listed files and found 
some to be correct - you can use 'install-amd64-minimal-20201222T005811Z.iso' 
for your installation.  The failed checks above refer to a different hash e.g. 
sha256.

HTH.
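
The two checks discussed in this thread, combined as an added example that is not part of either message or of Gentoo's own instructions: check only the SHA512 entries of the payload that gpg has already verified. The "# SHA512 HASH" comment layout, the ".DIGESTS.verified" file name and the function names are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Added example. Assumed payload layout (not quoted on the page): each
# "# <ALGO> HASH" comment line is followed by "<hex digest>  <file name>".

# Print the "<digest>  <file>" lines that belong to the SHA512 section only.
sha512_entries() {
    awk '/^# SHA512 HASH$/ { want = 1; next }
         /^#/              { want = 0; next }
         want && NF >= 2   { print }' "$1"
}

# Verify the files named by those entries, relative to the payload's directory.
# Returns 2 when the payload has no SHA512 entries, so an empty or foreign
# payload is never reported as a pass.
check_sha512_digests() {
    payload=$1
    entries=$(sha512_entries "$payload")
    [ -n "$entries" ] || { echo "no SHA512 entries in $payload" >&2; return 2; }
    ( cd "$(dirname "$payload")" && printf '%s\n' "$entries" | sha512sum -c - )
}

# Constructed demo: one file, its correct SHA512 entry, and a section for a
# hypothetical other algorithm whose digest is also 128 hex characters, which
# a plain "sha512sum -c" over the whole file would report as FAILED.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed sample image\n' > "$dir/sample.iso"
    good=$(cd "$dir" && sha512sum sample.iso)
    other=$(printf 'different algorithm' | sha512sum | cut -d' ' -f1)
    printf '# SHA512 HASH\n%s\n# OTHER HASH\n%s  sample.iso\n' \
        "$good" "$other" > "$dir/sample.iso.DIGESTS.verified"
    status=0
    check_sha512_digests "$dir/sample.iso.DIGESTS.verified" || status=$?
    rm -rf "$dir"
    return $status
}

# Real use (X stands for the ISO name; gpg writes the payload only after it
# has processed the clearsigned file, and && stops on a bad signature):
#   gpg --output X.iso.DIGESTS.verified --decrypt X.iso.DIGESTS.asc &&
#   check_sha512_digests X.iso.DIGESTS.verified
```

Checking the gpg-extracted payload rather than the .asc file means the hash lines that get compared are the ones the signature actually covers.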
