A Question About Verifying The Downloaded ISO File With GPG

Hi!

I downloaded the latest Ubuntu MATE release, 20.04 Focal Fossa, some weeks ago and only now am I able to install it on my machine. I downloaded the ISO from the Ubuntu MATE website and today I did all the checks to see whether the ISO file is corrupt and/or tampered with.

I ran all the checks listed on the "Verifying For Corrupt" and "Verifying For Tampering" pages. I got no issues when verifying for corruption, but I think I have a problem with the check for tampering. This is my terminal output after running this command:

gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS

Just one note: The files SHA256SUMS.gpg and SHA256SUMS I got from this URL:

cdimage.ubuntu.com/ubuntu-mate/releases/

The URL provided on the "Verifying For Tampering" page is (note the cdimageS instead of cdimage):

cdimages.ubuntu.com/ubuntu-mate/releases/

And I couldn't access it! My browser said it was down! But I hope the SHA256SUMS.gpg and SHA256SUMS files are the same. Let me know if there is any problem with downloading those files from the URL I mentioned.

Well, the output for the command:

gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS

Was this:

gpg: Signature made Qui 23 Abr 2020 10:35:29 -03
gpg: using RSA key D94AA3F0EFE21092
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092

I got just one line with "Good signature" but in the "Verifying For Tampering" page, the output listed there has two lines with "Good signature". See:

Is that a problem? Should I have got the same two lines or is it OK with just one? Did I do anything wrong?

Thank you!

Marcelo

This is fine, you just have one of the two keys:

RSA key D94AA3F0EFE21092

Try running step 2 to retrieve the other key, if you want. Things are good, as the SHA256SUMS file has a good signature and your ISO verification from this file is OK.

Obviously, the WARNING output afterwards is harmless:

The “key is not certified” message is simply because you haven’t explicitly told GnuPG to trust this key. This is optional. You can learn more about GnuPG on the wiki page.

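The reply above is right that one "Good signature" line is enough, and that the WARNING only means GnuPG has no trust path to the key. What makes the check meaningful is comparing the fingerprint printed by gpg (8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092 in the poster's output) against the one published on the Ubuntu tutorial page, then checking the ISO against the signed SHA256SUMS. The script below is an added example, not the tutorial's or the Ubuntu MATE project's own code: it does that comparison mechanically by reading gpg's machine-readable status output (--status-fd) instead of eyeballing the human-readable text. The only fingerprint it hard-codes is the one from the post; the second Ubuntu CD image signing key mentioned in the tutorial is left as a placeholder to fill in from that page. The SAMPLE_STATUS block is a constructed status stream modelled on the poster's output, used for the self-test; it is not captured gpg output.

```shell
#!/bin/sh
# Added example (not from the Ubuntu tutorial): verify SHA256SUMS.gpg against
# an explicit fingerprint allowlist, then verify the ISO against SHA256SUMS.

# Primary-key fingerprint taken from the post's gpg output (spaces removed).
# The tutorial lists a second Ubuntu CD image signing key; append its
# fingerprint here after reading it from the tutorial page (not hard-coded
# because it is not on this page).
EXPECTED_FPRS="843938DF228D22F7B3742BC0D94AA3F0EFE21092"

# Constructed sample of gpg --status-fd output, modelled on the poster's
# verification (timestamp is 2020-04-23 10:35:29 -03 as a Unix time). Not real output.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D94AA3F0EFE21092 Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
[GNUPG:] VALIDSIG 843938DF228D22F7B3742BC0D94AA3F0EFE21092 2020-04-23 1587648929 0 4 0 1 10 00 843938DF228D22F7B3742BC0D94AA3F0EFE21092
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# signature_ok STATUS_TEXT ALLOWED_FPRS
# Returns 0 when the status stream has no BADSIG/ERRSIG and at least one
# VALIDSIG whose primary-key fingerprint (12th field) is in the allowlist.
# "Good signature" from an unknown key is NOT enough; the fingerprint is the check.
signature_ok() {
    sig_status="$1"
    sig_allow="$2"
    if printf '%s\n' "$sig_status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG)'; then
        return 1
    fi
    for sig_fpr in $(printf '%s\n' "$sig_status" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12 }'); do
        for sig_allowed in $sig_allow; do
            [ "$sig_fpr" = "$sig_allowed" ] && return 0
        done
    done
    return 1
}

# checksum_ok ISO_FILENAME SUMS_FILE
# Checks only the SHA256SUMS line for the named ISO (lines look like
# "<hash> *<file>"); must be run in the directory holding the ISO.
checksum_ok() {
    ck_iso="$1"
    ck_sums="$2"
    grep " [*]*$ck_iso\$" "$ck_sums" | sha256sum -c --status
}

# verify_iso ISO_FILENAME [SUMS_FILE] [SIG_FILE]
# Full procedure: signature + fingerprint first, then the ISO hash.
verify_iso() {
    v_iso="$1"
    v_sums="${2:-SHA256SUMS}"
    v_sig="${3:-SHA256SUMS.gpg}"
    # Status lines go to stdout (fd 1); gpg's human-readable messages stay on stderr.
    v_status=$(gpg --keyid-format long --status-fd 1 --verify "$v_sig" "$v_sums")
    if ! signature_ok "$v_status" "$EXPECTED_FPRS"; then
        echo "SHA256SUMS is not signed by an expected key; do not trust the checksums." >&2
        return 1
    fi
    if ! checksum_ok "$v_iso" "$v_sums"; then
        echo "$v_iso does not match its signed checksum." >&2
        return 1
    fi
    echo "OK: $v_iso matches a checksum signed by an expected key."
}

# Usage: sh verify-iso.sh ubuntu-mate-20.04-desktop-amd64.iso   (run in the download dir)
if [ $# -gt 0 ]; then
    verify_iso "$@"
fi
```

Run it in the directory holding the ISO, SHA256SUMS and SHA256SUMS.gpg after importing the keys with the tutorial's step 2 (gpg --recv-keys); if the key is not in your keyring gpg emits ERRSIG and the script stops before touching the ISO. The WARNING about an uncertified key still appears on stderr and is still harmless, because the fingerprint comparison in signature_ok is what establishes that the signature belongs to Ubuntu's release key rather than to whoever served the file.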