Verifying GPG Signatures
% gpg --keyserver-options auto-key-retrieve --verify archlinux-2025.02.01-x86_64.iso.sig archlinux-2025.02.01-x86_64.iso.2
gpg: Signature made 六 2/ 1 16:31:26 2025 CST
gpg: using EDDSA key 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
gpg: issuer "pierre@archlinux.org"
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.org>" [unknown]
gpg: aka "Pierre Schmitz <pierre@archlinux.de>" [unknown]
gpg: WARNING: The key's User ID is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3E80 CA1A 8B89 F69C BA57 D98A 76A5 EF90 5444 9A5C
The signature on the file archlinux-2025.02.01-x86_64.iso is valid and was created by a key associated with “Pierre Schmitz”. However, GPG is warning you that it cannot verify that the key actually belongs to “Pierre Schmitz” because the key’s User ID is not certified with a trusted signature. This means you should exercise caution and consider verifying the key through other means if you need to ensure the authenticity of the file.