[SOLVED] How can I use gpg to verify Mageia ISO files?


Postby griffin » Aug 31st, '13, 01:07

The Mageia release ISO files include md5 and sha1 checksum files, and also md5.gpg and sha1.gpg checksum gpg files. When I try to verify the x86-64 DVD ISO file with the command "gpg -verify Mageia-3-x86_64-DVD.iso.md5.gpg", I receive the error message "public key not found".

A search of the Mageia website and this forum didn't turn up any gpg public key(s) for Mageia.

However, I found some at pgp.mit.edu and used the command "gpg --recv-keys 41BCD9E7 DA10B483 80420F66 pgp.mit.edu" to retrieve and import them.

But these apparently aren't the right keys, because I still get the "public key not found" error when I try to verify the ISO.

What is the key ID of the Mageia public key used to sign the Mageia release ISO files?

Shouldn't this Mageia release public key be made easily available, or even placed into the gpg keyring of the root user during Mageia installation?
Last edited by griffin on Sep 2nd, '13, 02:57, edited 1 time in total.
griffin
 
Posts: 100
Joined: Sep 9th, '11, 03:51

Re: How can I use gpg to verify Mageia release ISO files?

Postby jkerr82508 » Aug 31st, '13, 07:13

The gpg file provides a signed version of the md5sum, not of the iso.

To find the key used:
Code:
gpg -d Mageia-3-x86_64-DVD.iso.md5.gpg
16547c7c1f933322122820468aa91e14  Mageia-3-x86_64-DVD.iso
gpg: Signature made Fri 07 Jun 2013 23:38:48 IST using RSA key ID EDCA7A90

After downloading and importing the key 0xEDCA7A90:
Code:
gpg Mageia-3-x86_64-DVD.iso.md5.gpg
File `Mageia-3-x86_64-DVD.iso.md5' exists. Overwrite? (y/N) y
gpg: Signature made Fri 07 Jun 2013 23:38:48 IST using RSA key ID EDCA7A90
gpg: Good signature from "Mageia Release <...@mageia.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B210 76A0 CBE4 D93D 66A9  D08D 835E 41F4 EDCA 7A90

Then to check the iso file, provided it is in the same directory:
Code:
md5sum -c Mageia-3-x86_64-DVD.iso.md5

Jim
jkerr82508
 
Posts: 946
Joined: Mar 26th, '11, 01:34
Location: Fife, Scotland
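
The steps from the reply above combined into one script, added here as an example and not posted by either participant: it accepts the signature only if gpg reports the fingerprint printed in the output above, and checks the ISO against the checksum text gpg itself emitted rather than a .md5 file already on disk. The function names and temporary-file layout are assumptions; the key must already be imported.

```shell
#!/bin/sh
# Added example. Pinned fingerprint is the "Primary key fingerprint"
# shown in the gpg output in the thread, with spaces removed.
MAGEIA_FPR="B21076A0CBE4D93D66A9D08D835E41F4EDCA7A90"

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG
# line carries the wanted primary-key fingerprint (its last field).
validsig_matches() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
        END { exit !ok }'
}

# verify_iso FILE.iso.md5.gpg
# The ISO is expected in the same directory as the signed checksum file.
verify_iso() {
    signed=$1
    dir=$(dirname "$signed")
    tmp=$(mktemp -d) || return 1
    # --output sends the signed checksum text to a fresh file, so an
    # unsigned .md5 sitting next to the ISO is never what gets checked.
    if gpg --batch --status-fd 3 --output "$tmp/sums" --decrypt "$signed" \
            3>"$tmp/status" 2>/dev/null \
       && validsig_matches "$MAGEIA_FPR" <"$tmp/status"; then
        (cd "$dir" && md5sum -c "$tmp/sums")
        rc=$?
    else
        echo "signature check failed for $signed" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}
```

After sourcing the file, run `verify_iso Mageia-3-x86_64-DVD.iso.md5.gpg`; a missing key, a bad signature, or a signature from any other key all end in the failure branch before md5sum is reached.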

