I just downloaded ubuntu-mate-18.04.3-desktop-amd64.iso, but for some reason I get an error message while trying to verify the ISO by following the instructions from https://ubuntu-mate.org/how-to-verify-downloads/.
When I run the command:
gpgv --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg SHA256SUMS.gpg SHA256SUMS
I get the following output:
gpgv: Signature made to 8. elokuuta 2019 15.38.32 EEST
gpgv: using DSA key 46181433FBB75451
gpgv: Can't check signature: No public key
gpgv: Signature made to 8. elokuuta 2019 15.38.32 EEST
gpgv: using RSA key D94AA3F0EFE21092
gpgv: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) [email protected]"
So what I do not understand is: what does the 'Can't check signature: No public key' mean?
I also noted that if I click SHA256SUMS.gpg with the right mouse button, it is possible to "Open with Verify Signature". I did this and was informed that the signature is not found in the keyring.
I tried to google around, and found https://help.ubuntu.com/community/VerifyIsoHowto but following those instructions only made me more confused as I got a totally different output from the commands compared to the ones on the howto. What I got is this:
gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092
gpg: key D94AA3F0EFE21092: 2 duplicate signatures removed
gpg: key D94AA3F0EFE21092: 59 signatures not checked due to missing keys
gpg: key D94AA3F0EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) [email protected]" imported
gpg: key 46181433FBB75451: 2 duplicate signatures removed
gpg: key 46181433FBB75451: 106 signatures not checked due to missing keys
gpg: key 46181433FBB75451: public key "Ubuntu CD Image Automatic Signing Key [email protected]" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 2
gpg: imported: 2
gpg --keyid-format long --list-keys --with-fingerprint 0x46181433FBB75451 0xD94AA3F0EFE21092
pub rsa4096/D94AA3F0EFE21092 2012-05-11 [SC]
Key fingerprint = 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) [email protected]
pub dsa1024/46181433FBB75451 2004-12-30 [SC]
Key fingerprint = C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451
uid [ unknown] Ubuntu CD Image Automatic Signing Key [email protected]
After all this the output of gpgv --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg SHA256SUMS.gpg SHA256SUMS is the same as it was at the beginning, but the "open with Verify Signature" now states that "SHA256SUMS: Untrusted Valid signature. Valid but untrusted signature by Ubuntu CD Image Automatic Signing Key".
OK, I guess that makes sense, but what I still do not understand is this: it is not the first time I have checked a signature with gpgv after downloading an ISO. I usually save the output of the check to a text file, and I just dug up the output from the last time I did this same thing, about a year ago, when I had downloaded ubuntu-mate-16.04.4-desktop-amd64.iso. Back then the output was this:
nick@mycomputer:~/Downloads$ gpgv --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg SHA256SUMS.gpg SHA256SUMS
gpgv: Signature made to 1. maaliskuuta 2018 21.44.02 EET using DSA key ID FBB75451
gpgv: Good signature from "Ubuntu CD Image Automatic Signing Key [email protected]"
gpgv: Signature made to 1. maaliskuuta 2018 21.44.02 EET using RSA key ID EFE21092
gpgv: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) [email protected]"
nick@mycomputer:~/Downloads$ grep ubuntu-mate-16.04.4-desktop-amd64.iso SHA256SUMS | sha256sum --check
ubuntu-mate-16.04.4-desktop-amd64.iso: OK
So back then, I got two "Good" signatures and there were no problems regarding "Can't check signature". Because of this I am now unable to understand why in the past I always got no errors and now suddenly there is an error message, although I am doing the exact same thing. I guess it is nothing to be concerned about, but I still do not quite understand what has changed and what causes this difference in the output compared to the same thing done earlier.
Elephant in room moment please?
Your main focus IMHO is to check your download is correct and sha256sum should suffice.
Now looking at your top post, OP, you had a good signature, and your last post seems too anxious that you had a "Can't check" result even though the CD image had a correct image...... do we agree?
OK so using the linuxchick link at section Using Keys -- Import a Public Key
You will see it suggests you check your current keys and I noticed you had maybe 50 signatures from various downloads? keys not checked.
Since you already know your download is correct, if you want to, and I do not care either way as your problem is not a problem.....your download is already correct.
......you could clean up your keys by killing that dir and on new download start afresh.
Actually, you may be keeping your home dir from other distro builds?
That's just a wild stab in the dark of no concern to me, but I always do a clean install with home as a sub-folder to / rather than a separate partition, as I use fsarchiver to image my entire partition..... keeping only some files in a data partition with an independent backup.
If interested in a brute-force clean-up:
rm -rf .gnupg
gpg --list-keys
gpg: directory '/home/gordon/.gnupg' created
gpg: keybox '/home/gordon/.gnupg/pubring.kbx' created
gpg: /home/gordon/.gnupg/trustdb.gpg: trustdb created
gpg --list-keys (NO HITS)
and then I would have to import a new key when I need to which I don't as I use sha256sum
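
Added example, not part of the original thread: a small shell filter over gpgv's machine-readable `--status-fd` output that accepts the SHA256SUMS check when the RSA key whose fingerprint is listed in the question produced a valid signature, and reports signer keys missing from the keyring instead of treating them as a failure. The function names and the sample status lines are constructed for illustration.

```sh
# Added example (not from the thread). Classifies gpgv --status-fd output.
# Assumption: the signer is pinned by the RSA key fingerprint shown in the
# question's --list-keys output (spaces removed).
PINNED_FPR="843938DF228D22F7B3742BC0D94AA3F0EFE21092"

# Reads "[GNUPG:] ..." status lines on stdin and prints one line:
#   BAD                    some signature failed verification
#   TRUSTED [missing=IDs]  valid signature by the pinned key; IDs lists
#                          signer keys absent from the keyring
#   UNKNOWN [missing=IDs]  nothing verified against the pinned key
classify_gpgv_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        $2 == "NO_PUBKEY" { miss = miss (miss == "" ? "" : ",") $3 }
        END {
            if (bad) { print "BAD"; exit }
            verdict = ok ? "TRUSTED" : "UNKNOWN"
            print verdict (miss == "" ? "" : " missing=" miss)
        }'
}

# Constructed status lines modelled on the 18.04.3 run in the question:
# the DSA signer key is not in the keyring, the RSA signature verifies.
sample_mixed_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 46181433FBB75451 17 2 00 1565267912 9
[GNUPG:] NO_PUBKEY 46181433FBB75451
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D94AA3F0EFE21092 Ubuntu CD Image Automatic Signing Key (2012)
[GNUPG:] VALIDSIG 843938DF228D22F7B3742BC0D94AA3F0EFE21092 2019-08-08 1565267912 0 4 0 1 8 00 843938DF228D22F7B3742BC0D94AA3F0EFE21092
EOF
}

# Real use (assumes gpgv and the files from the question are present):
#   gpgv --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg \
#        --status-fd 1 SHA256SUMS.gpg SHA256SUMS 2>/dev/null \
#     | classify_gpgv_status "$PINNED_FPR"
sample_mixed_status | classify_gpgv_status "$PINNED_FPR"
```

Only after a TRUSTED verdict on SHA256SUMS does the `sha256sum --check` step from the question say anything about the ISO's origin; on its own it only shows the file matches whatever the checksum list contains.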