Hello guys,
I'm using Arch as a newbie. Learning about it. But worried about a thing. When I was creating the bootable media for install it, I downloaded the .iso and .iso.sig from any mirror that is near. I followed the things about verification of .iso but I got some errors and gave up. Just used the iso I didn't verificated. I am using the OS that iso installed. There is nothing wrong with usage. I can access all the things about Arch, not had any problems and any performance issues. No special internet usage, no broken things etc. but I'm a bit worried about is there any malicious software such as keyloggers, mining softwares... Can I verify my Arch after the installation? Can I see if there is any software malicious via htop-bpytop? Should I create the bootable media again with verification and reinstall my Arch?
There's two different things. The checksum and the GnuPG signature. If you used the GnuPG method to check the signature I can imagine you got a warning because of the GnuPG key owner trust and that's actually expected behavior and should not worry you. Normally when you exchange GnuPG keys with a person in real life, you can compare key fingerprints and after that you would set the owner trust yourself for their key, but with downloaded iso images this is a different use case though if you really want you can set the owner trust to make the warning go away.