bad signature then good signature

while downloading the whonix images and signautre, the .asc file completed but the .xz was still downloading

i tried to run gpg --verify Whonix*.asc and I got the “bad signature”, but it shows that it was signed by hulahoop and the time and everything.

when the download for .xz finished i ran gpg --verify again and I got good signature.

is this correct? or did I download malware that changes pgp keys?

It’s fine. The download wasn’t finished yet so it couldn’t verify it properly.

1 Like

thanks boss. that is what i figured i just wanted to double check with the experts