Hello guys, I’m using Arch as a newbie. Learning about it. But worried about a thing. When I was creating the bootable media for install it, I downloaded the .iso and .iso.sig from any mirror that is near. I followed the things about verification of .iso but I got some errors and gave up. Just used the iso I didn’t verificated. I am using the OS that iso installed. There is nothing wrong with usage. I can access all the things about Arch, not had any problems and any performance issues. No special internet usage, no broken things etc. but I’m a bit worried about is there any malicious software such as keyloggers, mining softwares… Can I verify my Arch after the installation? Can I see if there is any software malicious via htop-bpytop? Should I create the bootable media again with verification and reinstall my Arch?

  • lemmyreader
    link
    fedilink
    English
    66 months ago

    When I was creating the bootable media for install it, I downloaded the .iso and .iso.sig from any mirror that is near. I followed the things about verification of .iso but I got some errors and gave up.

    There’s two different things. The checksum and the GnuPG signature. If you used the GnuPG method to check the signature I can imagine you got a warning because of the GnuPG key owner trust and that’s actually expected behavior and should not worry you. Normally when you exchange GnuPG keys with a person in real life, you can compare key fingerprints and after that you would set the owner trust yourself for their key, but with downloaded iso images this is a different use case though if you really want you can set the owner trust to make the warning go away.

    • @bitahcoldOP
      link
      1
      edit-2
      6 months ago

      Oh, I didn’t know that. I just downloaded iso and iso.sig then used gpg commands. The thing I’m worried about is, maliciousy chance of the iso. I probably used German or French mirror to download the iso. Then, failed the verification. I am using unverificated iso’s Arch Linux now. Can I know if I had any tracker, keylogger or mining software etc. ? Usage is normal and smooth as how it have to be. But idk… Just worried. I still have the same bootable USB that the iso was extracted into. I have a FreeDOS unnecessary PC. Can I verificate the bootable by executing any verification command while I’m at the installation process? Or, can I verify or check my operating system’s originality at post-installation era of my main PC? Thanks for comment.

      • lemmyreader
        link
        fedilink
        English
        16 months ago

        Oh, I didn’t know that. I just downloaded iso and iso.sig then used gpg commands. The thing I’m worried about is, maliciousy chance of the iso. I probably used German or French mirror to download the iso. Then, failed the verification.

        Suggesting the following for the archlinux-2024.05.01-x86_64.iso :

        • Put your downloaded iso file and the sig file in ~/Downloads/ if you haven’t done so.
        • From your Arch Linux installation install the Sequoia sq tool : sudo pacman -S sequoia-sq
        • Continue with the following commands : cd ~/Downloads
        • sq network wkd fetch pierre@archlinux.org -o release-key.pgp
        • sq verify --signer-file release-key.pgp --detached archlinux-2024.05.01-x86_64.iso.sig archlinux-2024.05.01-x86_64.iso

        This should unlike with the GnuPG method give no warnings or errors.

        • @bitahcoldOP
          link
          1
          edit-2
          6 months ago

          So sorry for labor. There is a lacking information by me. I created the bootable at my previous OS, so there is no same .iso file. Only extracted version on my USB and installed version that is running on my PC. Can I see the mirror source from the extracted version?

          • lemmyreader
            link
            fedilink
            English
            16 months ago

            Like the other commenter said you are probably fine. If you still worry, backup your /home and go for a fresh install and restore /home.

            • @bitahcoldOP
              link
              16 months ago

              Better guarantee it haha. I did nothing except using unnecessary documents and surfing on the net. And maybe some games. I used archinstall for it but now, I will set it up customized and nonscript. Maybe fresh restart would be better. Thanks for the help again. Goodbye!