-1

I'm trying to follow the steps from https://ubuntu.com/tutorials/how-to-verify-ubuntu#1-overview to verify Ubuntu desktop, but I'm having issues.

After I request the key from the Ubuntu key server, I inspect the fingerprint and get:

pub   rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>

I don't know why it says unknown.

And when I try to verify the SHA256 checksum I get:

gpg: Signature made Thu Feb 22 12:31:40 2024 -03
gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>" [unknown]

What could be the issue?

1 Answer 1

1

Before you begin, delete your existing SHA256SUMS.gpg and SHA256SUMS files. Download these files again, and then verify if they're good.

First, use wget to get the files from the Ubuntu download page (this one is for 24.04):

wget http://releases.ubuntu.com/24.04/SHA256SUMS.gpg
wget http://releases.ubuntu.com/24.04/SHA256SUMS

Next, run the authentication command:

gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS

Then, if you didn't have the key before, it should've said:

gpg: Signature made Thu 25 Apr 2024 01:26:32 PM EDT
gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Can't check signature: No public key

So you would use the following command to request the key, along with the RSA key shown as the result of the previous command:

gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys 843938DF228D22F7B3742BC0D94AA3F0EFE21092

After you request the key, inspect the key using the following command:

gpg --keyid-format long --list-keys --with-fingerprint 843938DF228D22F7B3742BC0D94AA3F0EFE21092

And it should say the following:

pub   rsa4096/D94AA3F0EFE21092 2012-05-11 [SC]
      Key fingerprint = 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid                 [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>

Finally, run the following command to verify your downloaded keys:

gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS

and it should report the following:

gpg: Signature made Thu 25 Apr 2024 01:26:32 PM EDT
gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092

The "warning" and "untrusted" you have seen have nothing to do with a bad signature. You should still get a good signature if the signature is good. You can read more about that here but it's not necessary to fix the issue because it's simply a warning, not an error or a bad signature.

1
  • Thanks, I'll try that.
    – Xxale137xX
    Commented Jun 4 at 21:58
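
The difference between a BAD signature and the [unknown] trust warning discussed in the answer can be read mechanically from gpg's --status-fd output. The script below is an added example, not part of the original question or answer; the function names are hypothetical and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example: classify `gpg --status-fd 1 --verify ...` output.
# The fingerprint is the one shown in the question and answer above.
EXPECTED_FPR=843938DF228D22F7B3742BC0D94AA3F0EFE21092

# Reads status lines on stdin, prints a verdict, and returns 0 only when the
# signature is good AND was made by EXPECTED_FPR.
classify_gpg_status() {
    good=0; bad=0; nokey=0; fpr=""; trust="none"
    while read -r prefix keyword arg1 rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case $keyword in
            GOODSIG)   good=1 ;;
            BADSIG)    bad=1 ;;      # signed data and signature do not match
            NO_PUBKEY) nokey=1 ;;    # signing key is not in the keyring yet
            VALIDSIG)  fpr=$arg1 ;;  # full fingerprint of the signing key
            TRUST_*)   trust=${keyword#TRUST_} ;;  # key trust, not validity
        esac
    done
    if [ "$bad" -eq 1 ]; then echo "BAD"; return 1; fi
    if [ "$nokey" -eq 1 ]; then echo "NO_PUBKEY"; return 2; fi
    if [ "$good" -eq 1 ] && [ "$fpr" = "$EXPECTED_FPR" ]; then
        echo "GOOD trust=$trust"; return 0
    fi
    if [ "$good" -eq 1 ]; then echo "GOOD_BUT_UNEXPECTED_KEY"; return 3; fi
    echo "NO_VERDICT"; return 4
}

# Constructed status lines (dates and numeric fields are illustrative).
sample_good() {
    printf '%s\n' \
      "[GNUPG:] GOODSIG D94AA3F0EFE21092 Ubuntu CD Image Automatic Signing Key (2012)" \
      "[GNUPG:] VALIDSIG $EXPECTED_FPR 2024-04-25 1714066000 0 4 0 1 10 00 $EXPECTED_FPR" \
      "[GNUPG:] TRUST_UNDEFINED 0 pgp"
}
sample_bad() {
    printf '%s\n' \
      "[GNUPG:] BADSIG D94AA3F0EFE21092 Ubuntu CD Image Automatic Signing Key (2012)"
}

sample_good | classify_gpg_status          # GOOD trust=UNDEFINED
sample_bad  | classify_gpg_status || true  # BAD

# Real use, in the directory holding both downloaded files:
#   gpg --status-fd 1 --verify SHA256SUMS.gpg SHA256SUMS 2>/dev/null | classify_gpg_status
```

A GOOD verdict with trust=UNDEFINED corresponds to the "Good signature ... [unknown]" output plus warning shown in the answer; a BAD verdict corresponds to the output in the question.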
