EDIT: I have made some progress, but to avoid double-posting, I am adding it here. See my original post below, and then the update. Thanks for your time!
This text will be hidden
Hey, everyone. Been doing a lot of reading, but new to GPG and struggling to figure out how to verify the PureOS iso I downloaded. Would appreciate any help on what to fix in my process. Here’s what I’ve done so far:
Checked that the iso I downloaded matches the sha256 sum given on the download page.
Went to the github page and downloaded the keys.
Checked that the md5 given in md5sums.txt matches the md5 generated from pureos-archive-keyring.gpg. It does.
Now I’m lost at this step and unsure how to connect steps 1 with 2 and 3. Do I use the gpg file to verify the iso? I tried running the following:
gpg --verify pureos-archive-keyring.gpg pureos-8.0-live-amd64.hybrid.iso
but this gives me the following error message:
gpg: verify signatures failed: Unexpected error
I’m probably just missing something obvious here. Would really appreciate anyone’s time in helping me out/directing me to other resources.
Update: it seems that what I have is the PureOS keyring, but nothing to verify it with. I eventually found the https://downloads.puri.sm/ URL, which, under snapshots, gives me an actual file with the sha256 sums (as opposed to them being displayed on the other downloads page). I thought I might be able to use the keyring to verify this file, but again, I get an error.
I’m starting to second-guess myself, but I am correct to think that I should be able to verify with GPG the checksums I used to verify the iso, right?