I just downloaded ubuntu-mate-18.04.3-desktop-amd64.iso but for some reason I get an error message while trying to verify the iso by following the instructions from https://ubuntu-mate.org/how-to-verify-downloads/
When I run the command:
gpgv --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg SHA256SUMS.gpg SHA256SUMS
I get the following output:
gpgv: Signature made to 8. elokuuta 2019 15.38.32 EEST
gpgv: using DSA key 46181433FBB75451
gpgv: Can't check signature: No public key
gpgv: Signature made to 8. elokuuta 2019 15.38.32 EEST
gpgv: using RSA key D94AA3F0EFE21092
gpgv: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) [email protected]"
So what I do not understand is: what does the 'Can't check signature: No public key' mean?
I also noted that if I click the SHA256SUMS.gpg with the right mouse button, it is possible to "Open with Verify Signature". I did this and was informed that the signature is not found in the keyring.
I tried to google around, and found https://help.ubuntu.com/community/VerifyIsoHowto but following those instructions only made me more confused as I got a totally different output from the commands compared to the ones on the howto. What I got is this:
gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092
gpg: key D94AA3F0EFE21092: 2 duplicate signatures removed
gpg: key D94AA3F0EFE21092: 59 signatures not checked due to missing keys
gpg: key D94AA3F0EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) [email protected]" imported
gpg: key 46181433FBB75451: 2 duplicate signatures removed
gpg: key 46181433FBB75451: 106 signatures not checked due to missing keys
gpg: key 46181433FBB75451: public key "Ubuntu CD Image Automatic Signing Key [email protected]" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 2
gpg: imported: 2
gpg --keyid-format long --list-keys --with-fingerprint 0x46181433FBB75451 0xD94AA3F0EFE21092
pub rsa4096/D94AA3F0EFE21092 2012-05-11 [SC]
Key fingerprint = 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) [email protected]
pub dsa1024/46181433FBB75451 2004-12-30 [SC]
Key fingerprint = C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451
uid [ unknown] Ubuntu CD Image Automatic Signing Key [email protected]
After all this the output of gpgv --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg SHA256SUMS.gpg SHA256SUMS is the same as it was at the beginning, but the "open with Verify Signature" now states that "SHA256SUMS: Untrusted Valid signature. Valid but untrusted signature by Ubuntu CD Image Automatic Signing Key".
Any ideas what to do now?
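
An added example, not part of the original post: a shell sketch that reads gpgv's machine-readable `--status-fd` lines instead of the localized messages, accepts SHA256SUMS only if a valid signature comes from the RSA key whose fingerprint is listed above, and then checks the image hash. The helper names `check_status` and `verify_iso` and the argument order are assumptions made for this example.

```shell
#!/bin/sh
# Added example. check_status and verify_iso are hypothetical helper names.
# Fingerprint of the 2012 RSA signing key, copied from the --list-keys
# output in the post (spaces removed).
EXPECTED_FPR="843938DF228D22F7B3742BC0D94AA3F0EFE21092"

# Read gpgv --status-fd lines on stdin.
# Returns 0 only if a VALIDSIG line carries the wanted fingerprint,
# 2 if any signature is BAD, 1 otherwise.
check_status() {
    want=$1
    found=1
    while read -r tag kind arg rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kind in
            VALIDSIG)  if [ "$arg" = "$want" ]; then found=0; fi ;;
            NO_PUBKEY) echo "note: key $arg is not in the keyring, signature skipped" >&2 ;;
            BADSIG)    echo "BAD signature from key $arg" >&2; return 2 ;;
        esac
    done
    return "$found"
}

# Check the signature on SHA256SUMS first, then the image hash against it.
verify_iso() {
    iso=$1 sums=$2 sig=$3 keyring=$4
    gpgv --status-fd 1 --keyring "$keyring" "$sig" "$sums" 2>/dev/null |
        check_status "$EXPECTED_FPR" || { echo "signature check failed" >&2; return 1; }
    # SHA256SUMS lists several images; check only the one downloaded.
    grep -F "$(basename "$iso")" "$sums" |
        (cd "$(dirname "$iso")" && sha256sum -c -)
}

# Usage: script.sh IMAGE.iso SHA256SUMS SHA256SUMS.gpg KEYRING
if [ "$#" -eq 4 ]; then
    verify_iso "$@"
fi
```

A status stream containing one `NO_PUBKEY` line and one `VALIDSIG` line for the expected fingerprint passes; a stream with only `NO_PUBKEY`, or with a `VALIDSIG` from any other key, does not.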