Hello guys, I’m using Arch as a newbie. Learning about it. But worried about a thing. When I was creating the bootable media for install it, I downloaded the .iso and .iso.sig from any mirror that is near. I followed the things about verification of .iso but I got some errors and gave up. Just used the iso I didn’t verificated. I am using the OS that iso installed. There is nothing wrong with usage. I can access all the things about Arch, not had any problems and any performance issues. No special internet usage, no broken things etc. but I’m a bit worried about is there any malicious software such as keyloggers, mining softwares… Can I verify my Arch after the installation? Can I see if there is any software malicious via htop-bpytop? Should I create the bootable media again with verification and reinstall my Arch?
Suggesting the following for the archlinux-2024.05.01-x86_64.iso :
sudo pacman -S sequoia-sq
cd ~/Downloads
sq network wkd fetch pierre@archlinux.org -o release-key.pgp
sq verify --signer-file release-key.pgp --detached archlinux-2024.05.01-x86_64.iso.sig archlinux-2024.05.01-x86_64.iso
This should unlike with the GnuPG method give no warnings or errors.
So sorry for labor. There is a lacking information by me. I created the bootable at my previous OS, so there is no same .iso file. Only extracted version on my USB and installed version that is running on my PC. Can I see the mirror source from the extracted version?
Like the other commenter said you are probably fine. If you still worry, backup your /home and go for a fresh install and restore /home.
Using a theoretically backdoored OS to verify anything is pointless.
The backdoored OS can just bypass the checks.
https://wiki.c2.com/?TheKenThompsonHack