A Blog by Expatriotic

Verify Downloads with Linux (Easily)

Downloading an ISO or software application? You have the file, but how do you know it hasn't been tampered with or corrupted?

Developers rarely explain how to verify their files. They just dump an .iso, a .sig, and maybe a .sha256 file on the page and wish you luck.

Here is how to figure it out, no matter what OS or software you are downloading.


Phase 1: Finding the developer's key (if they don't give it).

You cannot verify a signature if you don't have the developer's "Public Key" in your keyring. But how do you know which key to get if they don't list it on the website?

The Trick: Try to verify it before you have the key. The error message will tell you exactly what you need.

  1. Download the files: Get the Installer (.iso) and the Signature (.sig or .asc).

  2. Run the verify command blindly:

    gpg --verify manjaro.iso.sig manjaro.iso
    
  3. Read the Error: You will see output like this:

    gpg: Signature made <date>
    gpg:                using RSA key 11C7F07E
    gpg: Can't check signature: No public key

    The hex string after "using ... key" (11C7F07E here) is the ID of the key that made the signature. Depending on your GnuPG version it is an 8-character short ID, a 16-character long ID or the full 40-character fingerprint; older versions print it at the end of the "No public key" line instead.

  4. Fetch that specific key: Now ask a keyserver for that ID:

    gpg --keyserver keyserver.ubuntu.com --recv-keys 11C7F07E

    Keyservers do not check who uploads what: anyone can publish a key carrying any name, and an 8-character short ID can be deliberately collided. Fetching the key therefore proves nothing by itself; step 5 is what makes it trustworthy. If gpg printed a longer ID or a full fingerprint, use that instead of the short form.

  5. Sanity Check (Crucial): Print the full fingerprint of the key you just imported:

    gpg --fingerprint 11C7F07E

    Then find that fingerprint published by the project itself. Searching the ID (e.g., "Manjaro key 11C7F07E") will usually lead you to the official project website, GitHub, or GitLab page that lists the lead developer's key (for Manjaro, Philip Müller). Compare all 40 characters with what gpg printed, not just the last eight: the search result is only how you find the page, the published fingerprint is the check.

Now you are ready to verify.


Phase 2: The Verification Protocol

Software verification usually comes in two flavors. Look at the files you downloaded to decide which method to use.

Method A: The "Manifest" List (Ubuntu, Fedora, Mint)

Use this if you downloaded a text file called SHA256SUMS and a signature called SHA256SUMS.gpg.

In this method, the developer signs a list of files. We verify the list is authentic, then verify our file is on that list.

  1. Verify the List:
    # Syntax: gpg --verify [SIGNATURE_FILE] [MANIFEST_FILE]
    gpg --verify SHA256SUMS.gpg SHA256SUMS
    
    • Result: Look for Good signature, and check that the key ID or fingerprint printed next to it is the one you confirmed in Phase 1. A Good signature from some other key only tells you that somebody else signed the list.
  2. Verify your ISO: Now check that your ISO matches the hash in that trusted list:
    # Linux/Windows Git Bash (macOS: shasum -a 256 -c SHA256SUMS)
    sha256sum --ignore-missing -c SHA256SUMS

    • Result: Look for a line ending in : OK for your file name; FAILED means the download is corrupt or altered, delete it. --ignore-missing skips the other images in the list; without it every one of them is reported as missing and the exit status is non-zero even when your image is fine. If none of the listed files is present, sha256sum reports that no file was verified. A file that is not in the list at all has not been verified, however good the signature on the list was.
    

Method B: The "Direct" Signature (Manjaro, Arch, Tails)

Use this if you downloaded an .iso and a .iso.sig (or .asc) file.

In this method, the developer signs the image file directly.

  1. Verify the ISO: Run the verify command pointing at both the signature and the ISO:
    # Syntax: gpg --verify [SIGNATURE_FILE] [ISO_FILE]
    gpg --verify manjaro-linux.iso.sig manjaro-linux.iso
    
    • Good signature: The file is authentic, provided the key ID or fingerprint printed with it is the one you confirmed in Phase 1. Check that line every time; a Good signature from an unknown key means only that someone signed the file.
    • BAD signature: The file has been tampered with or corrupted. Delete it.
    • ⚠️ "Not certified with a trusted signature": This is normal. It only means you have not marked the key as trusted in your own keyring, so gpg itself cannot tell whether it really belongs to the developer. That is exactly what the fingerprint comparison in Phase 1 settled; as long as it says Good signature from that key, you are fine.
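To make the checks from Phase 1 step 5 and both methods of Phase 2 repeatable, here is an added bash script written for this post; it is not part of GnuPG, Manjaro, Ubuntu or any project's own tooling. It pins the full fingerprint and reads gpg's machine-readable --status-fd output instead of grepping for "Good signature", and it checks a file against a SHA256SUMS manifest without silently passing a file that is not listed. The fingerprint and file contents are constructed placeholders, not a real project key; `verify_signature` is the only function that needs gpg and an imported key, everything else runs offline.

```shell
#!/usr/bin/env bash
# verify_download.sh: the checks from Phase 1 (pin the fingerprint) and Phase 2
# (signed manifest, or direct signature) as shell functions. Written for this
# post; not part of GnuPG, Manjaro, Ubuntu or any project's own tooling.
set -u

# SHA-256 of a file: coreutils sha256sum on Linux/Git Bash, perl shasum on macOS.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Print the hash a SHA256SUMS manifest records for one file name, or fail.
# Lines look like "<hex>  <name>" or "<hex> *<name>" (binary mode, as Ubuntu
# publishes). Names containing spaces are not handled.
manifest_hash() {
  local manifest=$1 name=$2 h
  h=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$manifest")
  [ -n "$h" ] && [ ${#h} -eq 64 ] && printf '%s\n' "$h"
}

# Method A, step 2: does the file on disk match its manifest entry?
# A file that is not in the list is a distinct failure, not a pass.
verify_against_manifest() {
  local manifest=$1 file=$2 name expected actual
  name=$(basename "$file")
  expected=$(manifest_hash "$manifest" "$name") || {
    echo "NOT LISTED: $name is not in $manifest" >&2; return 2; }
  actual=$(file_sha256 "$file")
  if [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
    echo "OK: $file"; return 0
  fi
  echo "FAILED: $file (manifest $expected, computed $actual)" >&2; return 1
}

# Phase 1 step 5 carried into the verify step: read gpg's machine-readable
# --status-fd lines instead of grepping the (localized) "Good signature" text,
# and accept only a VALIDSIG made by the pinned full fingerprint.
# $1 = file holding the status lines, $2 = pinned fingerprint (spaces allowed).
signed_by_pinned_key() {
  local status=$1 pinned
  pinned=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  [ ${#pinned} -eq 40 ] || { echo "pin the full 40-hex fingerprint, not a short key ID" >&2; return 2; }
  # "[GNUPG:] VALIDSIG <signing-key fpr> ... <primary-key fpr>": field 3 is the
  # (sub)key that signed, the last field is the primary key. Either may be pinned.
  awk -v p="$pinned" '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == p || $NF == p) { found = 1 }
                      END { exit found ? 0 : 1 }' "$status"
}

# Run gpg for real (needs gpg and the imported key) and feed the status lines
# to the check above. Usage: verify_signature SHA256SUMS.gpg SHA256SUMS <fpr>
#                      or:   verify_signature image.iso.sig image.iso <fpr>
verify_signature() {
  local sig=$1 file=$2 pinned=$3 tmp rc
  tmp=$(mktemp)
  gpg --batch --status-fd 1 --verify "$sig" "$file" >"$tmp" 2>/dev/null || true
  if signed_by_pinned_key "$tmp" "$pinned"; then rc=0; else rc=$?; fi
  rm -f "$tmp"
  return $rc
}

# Demonstration on constructed files (no network, no gpg needed).
demo() {
  local d fpr; d=$(mktemp -d)
  printf 'not an ISO, just constructed sample bytes\n' > "$d/example.iso"
  {                                                   # constructed manifest
    printf '%064d  other-image.iso\n' 0
    printf '%s  example.iso\n' "$(file_sha256 "$d/example.iso")"
  } > "$d/SHA256SUMS"
  verify_against_manifest "$d/SHA256SUMS" "$d/example.iso"
  printf 'x' >> "$d/example.iso"                     # tamper with one byte
  verify_against_manifest "$d/SHA256SUMS" "$d/example.iso" || echo "tampered copy rejected"
  # Constructed gpg status output; the fingerprint is a placeholder, not a real key.
  fpr=0123456789ABCDEF0123456789ABCDEF01234567
  printf '[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>\n[GNUPG:] VALIDSIG %s 2024-01-01 1704067200 0 4 0 1 10 00 %s\n[GNUPG:] TRUST_UNDEFINED 0 pgp\n' \
    "$fpr" "$fpr" > "$d/status.txt"
  signed_by_pinned_key "$d/status.txt" "$fpr" && echo "Good signature from the pinned key"
  signed_by_pinned_key "$d/status.txt" FEDCBA9876543210FEDCBA9876543210FEDCBA98 || echo "Good signature, wrong key: rejected"
  rm -rf "$d"
}
demo
```

Using the status lines rather than the human-readable text is what lets the script refuse a "Good signature" from the wrong key: GOODSIG alone only says the signature checked out under whatever key gpg found, while the fingerprint on the VALIDSIG line is compared against the one you pinned from the project's own page.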

Phase 3: The "Easy Mode" (Sparrow Wallet)

If the command line scares you, use Sparrow Desktop Wallet. It has a tool built-in that handles the complex GPG logic for you.

  1. Open Sparrow and go to Tools -> Verifier.
  2. Identify your files:
    • Method A (Ubuntu): Upload SHA256SUMS as the "Message" and SHA256SUMS.gpg as the "Signature."
    • Method B (Manjaro): Upload the .iso as the "Message" and the .iso.sig as the "Signature."
  3. Click Verify.
    • Sparrow will automatically fetch the keys and tell you if the file is safe (Green Check) or dangerous (Red X).

#guides #linux #tech