Hello guys, I’m using Arch as a newbie. Learning about it. But worried about a thing. When I was creating the bootable media for install it, I downloaded the .iso and .iso.sig from any mirror that is near. I followed the things about verification of .iso but I got some errors and gave up. Just used the iso I didn’t verificated. I am using the OS that iso installed. There is nothing wrong with usage. I can access all the things about Arch, not had any problems and any performance issues. No special internet usage, no broken things etc. but I’m a bit worried about is there any malicious software such as keyloggers, mining softwares… Can I verify my Arch after the installation? Can I see if there is any software malicious via htop-bpytop? Should I create the bootable media again with verification and reinstall my Arch?
Just verify the iso you downloaded. If the signature is correct, the iso is safe.
You can simply
$ sha256sumthe iso file and verify.But honestly, you’re probably safe. I wouldn’t be worried in your place.
I did download and set the bootable at my previous OS, Fedora. Now the iso is not reachable and I forgot the mirror that I downloaded from. I still have the usb card I used for installation. Can I do any verification over it? Thanks for reply and relaxing info.
The sha256 only validates file integrity, it doesnt ensure legitimacy. A malicious actor would replace both the iso and the checksum at the same time.
Only the signature ensures legitimacy, but properly setting up the chain of trust is near impossible anyway without meeting face-to-face with the iso signer.