Developer Signing Key

Ambitious · March 13, 2025, 5:13pm

Upon downloading cachyos iso i stumbled across the option to also download a sha checksum and a .sig file.
I need the developers signing key to be able and verify the downloaded iso with the .sig file, but i couldn’t find a singingkey. Can you share it with me if there is one…?

I’m using Kleopatra and GPG4win to verify file signatures, so i tried:
gpg --keyserver hkps://keys.openpgp.org --recv-key F3B607488DB35A47
in powershell, but it returned:
gpg: keyserver receive failed: No keyserver available

mithrial · March 13, 2025, 8:00pm

Gpg4win does not support hkps.

naim · March 14, 2025, 2:33am

Try using keyserver.ubuntu.com or pgp.mit.edu as the keyserver.

Ambitious · March 14, 2025, 6:58am

Is there no direct download for the singingkey on cachyos-website? Why?

PS C:\Windows\system32> gpg --keyserver hkps://pgp.mit.edu --recv-key F3B607488DB35A47
gpg: key F3B607488DB35A47: public key “CachyOS admin@cachyos.org” imported
gpg: Total number processed: 1
gpg: imported: 1

Ambitious · March 14, 2025, 7:54am

Used cachyos-desktop-linux-250202.iso.sig to verify integrity of cachyos-desktop-linux-250202.iso but the verification with kleopatra failed.
Likely because no signingkey is imported to kleopatra/gpg4win.
I did import the key via powershell as stated in my previous comment, however seems like that doesn’t help the verification method i’m using.

Ambitious · March 14, 2025, 8:00am

To be honest a direct download for the signingkey would make things alot easier.

Ambitious · March 14, 2025, 10:33am

VeraCrypt managed to provide their signing key directly on their website, including key fingerprint for comparison.

https://veracrypt.fr/en/Downloads.html
https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc

Same goes for Gpg4win.

https://www.gpg4win.org/package-integrity.html
https://gnupg.org/signature_key.html

And Mullvadvpn.

https://mullvad.net/en/open-source
https://mullvad.net/en/help/verifying-signatures
https://mullvad.net/media/mullvad-code-signing.asc
https://mullvad.net/static/gpg/mullvad-code-signing.asc

Aswell as the tor browser.

https://support.torproject.org/tbb/how-to-verify-signature/
https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf
https://keys.openpgp.org/vks/v1/by-fingerprint/EF6E286DDA85EA2A4BA7DE684E2C6E8793298290

Would be nice if cachy can catch up to the standard of offering a singingkey, otherwise why is there a signature file available for download.
I’m not familiar with the process in powershell, i did import the key that way but no further instructions to be found.

Ambitious · March 15, 2025, 7:00am

No reply. Hm. Ok.

mithrial · March 15, 2025, 9:17pm

It’s written there that the file signature is in fact created by the correct key. What is the problem you are facing?

Also, this is not a chat. Please give people time to read and understand your posts, and then let them formulate an answer.