this post was submitted on 21 May 2024
7 points (88.9% liked)

Hello guys, I'm using Arch as a newbie and learning about it, but I'm worried about one thing. When I was creating the bootable media to install it, I downloaded the .iso and .iso.sig from a mirror that is near. I followed the steps for verifying the .iso, but I got some errors and gave up. I just used the iso without verifying it. I am using the OS that iso installed. There is nothing wrong in usage: I can access everything in Arch and have not had any problems or performance issues. No special internet usage, no broken things, etc. But I'm a bit worried about whether there is any malicious software, such as keyloggers or mining software. Can I verify my Arch after the installation? Can I see if there is any malicious software via htop-bpytop? Should I create the bootable media again with verification and reinstall my Arch?

top 5 comments
[–] [email protected] 6 points 5 months ago

When I was creating the bootable media to install it, I downloaded the .iso and .iso.sig from a mirror that is near. I followed the steps for verifying the .iso, but I got some errors and gave up.

There are two different things: the checksum and the GnuPG signature. If you used the GnuPG method to check the signature, I can imagine you got a warning because of the GnuPG key owner trust, and that's actually expected behavior and should not worry you. Normally, when you exchange GnuPG keys with a person in real life, you can compare key fingerprints and after that you would set the owner trust yourself for their key. With downloaded iso images this is a different use case, though if you really want, you can set the owner trust to make the warning go away.

[–] [email protected] 4 points 5 months ago (1 children)

Just verify the iso you downloaded. If the signature is correct, the iso is safe.

You can simply $ sha256sum the iso file and verify.

But honestly, you're probably safe. I wouldn't be worried in your place.

[–] [email protected] 1 points 5 months ago

I did the download and set up the bootable media on my previous OS, Fedora. Now the iso is not reachable and I forgot the mirror that I downloaded from. I still have the USB card I used for installation. Can I do any verification on it? Thanks for the reply and the relaxing info.

[–] [email protected] 0 points 5 months ago (1 children)

Should you trust something that failed verification? No. That's the whole point. It's not what you think it is.

[–] [email protected] -1 points 5 months ago

I mean fail as in error. Like, I did something wrong with the commands. I haven't verified whether the iso is valid or not. That's the thing I'm worried about. I asked whether I can verify in other ways without the iso. But I decided to do a clean re-install. Thanks for the comment. Goodbye.
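
Added example (not written by any poster in this thread): shell functions for the sha256sum comparison mentioned above, extended to the installation stick by hashing only the first ISO-sized bytes of the device. It assumes the stick was written as a raw image copy and that the ISO's byte size and SHA-256 come from the official release listing; the function names and paths are hypothetical.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from the thread.

# sha256_of_prefix SRC NBYTES
# Print the SHA-256 of the first NBYTES bytes of SRC. SRC may be a regular
# file or a block device (for example the USB stick, read as root).
sha256_of_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# verify_iso ISO SUMSFILE
# Return 0 if ISO's hash equals its entry in SUMSFILE, which uses the
# "<hash>  <filename>" format written by sha256sum. Return 2 if no entry.
verify_iso() {
    iso=$1
    sums=$2
    name=$(basename "$iso")
    expected=$(awk -v n="$name" \
        '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name" >&2
        return 2
    fi
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# verify_media DEVICE ISO_SIZE EXPECTED_HASH
# A raw-written stick is usually larger than the image, so hashing the whole
# device never matches. Hash only the first ISO_SIZE bytes and compare.
verify_media() {
    [ "$(sha256_of_prefix "$1" "$2")" = "$3" ]
}
```

A matching checksum only shows that the bytes equal whatever the checksum file describes; the GnuPG signature check on the .iso.sig is what ties the image to the release signing key.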