Problem with verifying iso-file with gpgv - No public key?

I just downloaded ubuntu-mate-18.04.3-desktop-amd64.iso, but for some reason I get an error message while trying to verify the ISO by following the instructions from https://ubuntu-mate.org/how-to-verify-downloads/

When I run the command:

gpgv --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg SHA256SUMS.gpg SHA256SUMS

I get the following output:

gpgv: Signature made to 8. elokuuta 2019 15.38.32 EEST
gpgv: using DSA key 46181433FBB75451
gpgv: Can't check signature: No public key
gpgv: Signature made to 8. elokuuta 2019 15.38.32 EEST
gpgv: using RSA key D94AA3F0EFE21092
gpgv: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) [email protected]"

So what I do not understand is what 'Can't check signature: No public key' means.

I also noted that if I right-click SHA256SUMS.gpg, it is possible to "Open with Verify Signature". I did this and was informed that the signature was not found in the keyring.

I tried to google around, and found https://help.ubuntu.com/community/VerifyIsoHowto but following those instructions only made me more confused as I got a totally different output from the commands compared to the ones on the howto. What I got is this:

gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092
gpg: key D94AA3F0EFE21092: 2 duplicate signatures removed
gpg: key D94AA3F0EFE21092: 59 signatures not checked due to missing keys
gpg: key D94AA3F0EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) [email protected]" imported
gpg: key 46181433FBB75451: 2 duplicate signatures removed
gpg: key 46181433FBB75451: 106 signatures not checked due to missing keys
gpg: key 46181433FBB75451: public key "Ubuntu CD Image Automatic Signing Key [email protected]" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 2
gpg: imported: 2
gpg --keyid-format long --list-keys --with-fingerprint 0x46181433FBB75451 0xD94AA3F0EFE21092
pub rsa4096/D94AA3F0EFE21092 2012-05-11 [SC]
Key fingerprint = 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) [email protected]
pub dsa1024/46181433FBB75451 2004-12-30 [SC]
Key fingerprint = C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451
uid [ unknown] Ubuntu CD Image Automatic Signing Key [email protected]

After all this the output of gpgv --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg SHA256SUMS.gpg SHA256SUMS is the same as it was at the beginning, but the "open with Verify Signature" now states that "SHA256SUMS: Untrusted Valid signature. Valid but untrusted signature by Ubuntu CD Image Automatic Signing Key".

Any ideas, what to do now?

Hi

Until you get a better reply: you have done nothing wrong, but you may have got confused about what level of trust you as an end user are at.

Signing keys and the like have more options to allow higher levels of trust, which we do not need.

Let me give you some examples using your first link ok?

I am on a different version, so that's why I have a different command.

sudo apt-get install ubuntu-keyring
gpgv --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg SHA256SUMS.gpg SHA256SUMS
gpgv: Signature made Thu 18 Apr 2019 01:42:37 AWST
gpgv:                using DSA key 46181433FBB75451
gpgv: Can't check signature: No public key
gpgv: Signature made Thu 18 Apr 2019 01:42:37 AWST
gpgv:                using RSA key D94AA3F0EFE21092
gpgv: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) [email protected]"

So as per the link, a good signature is all we need to know. End of query.

OK, let's pretend I need to go further.

grep ubuntu-mate-19.04-desktop-amd64.iso SHA256SUMS | sha256sum --check
ubuntu-mate-19.04-desktop-amd64.iso: OK

OK, let's pretend I need to go to infinity?

gpg --recv-keys --keyserver hkp://keyserver.ubuntu.com D94AA3F0EFE21092
gpg: key D94AA3F0EFE21092: 2 duplicate signatures removed
gpg: key D94AA3F0EFE21092: 59 signatures not checked due to missing keys
gpg: /home/gordon/.gnupg/trustdb.gpg: trustdb created
gpg: key D94AA3F0EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) [email protected]" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1

Now as I am not a member of Ubuntu etc. etc., there is no need for me to go to a key signing party. So I should not go any further.

If interested this link may help
http://www.linuxchick.org/gpg/outline.html
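The two-step check from the reply above (gpgv on SHA256SUMS.gpg, then grep | sha256sum --check), as an added shell example that is not from the thread or from Ubuntu MATE's own instructions. It reads a saved gpgv output and treats the file as verified when at least one signature is Good and none is BAD, because "No public key" on one of several signatures only means that signer's key is not in the keyring gpgv was given; the gpgv lines and the ISO in the demo are constructed, and it assumes sha256sum or shasum is installed.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a multi-signature
# SHA256SUMS.gpg check passed, then check the ISO against SHA256SUMS.
# The gpgv lines below are constructed from the ones quoted in the thread.
# gpgv_verdict: reads saved gpgv output on stdin and prints a summary.
# Succeeds (exit 0) when at least one signature is Good and none is BAD.
# "Can't check signature: No public key" on one of several signatures only
# means that signer's key is absent from the keyring gpgv was given.
gpgv_verdict() {
    good=0; bad=0; missing=0
    while IFS= read -r line; do
        case "$line" in
            *"Good signature from"*) good=$((good + 1)) ;;
            *"BAD signature from"*)  bad=$((bad + 1)) ;;
            *"No public key"*)       missing=$((missing + 1)) ;;
        esac
    done
    echo "good=$good bad=$bad missing_key=$missing"
    [ "$bad" -eq 0 ] && [ "$good" -ge 1 ]
}

# sha256_tool: coreutils sha256sum, or perl shasum where that is absent.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi
}

# iso_hash_ok ISO_NAME SHA256SUMS_FILE: the thread's
# "grep <iso> SHA256SUMS | sha256sum --check", with --status so the exit
# code alone carries the result. An ISO missing from SHA256SUMS fails too,
# because the checker then sees no checksum line at all.
iso_hash_ok() {
    grep -F "$1" "$2" | sha256_tool --check --status
}

sample_gpgv_output() {
    # Constructed sample: two signatures, only the 2012 RSA key in the keyring.
    cat <<'EOF'
gpgv: Signature made Thu 18 Apr 2019 01:42:37 AWST
gpgv:                using DSA key 46181433FBB75451
gpgv: Can't check signature: No public key
gpgv: Signature made Thu 18 Apr 2019 01:42:37 AWST
gpgv:                using RSA key D94AA3F0EFE21092
gpgv: Good signature from "Ubuntu CD Image Automatic Signing Key (2012)"
EOF
}

# Demo: prints good=1 bad=0 missing_key=1 and exits 0 (verified).
sample_gpgv_output | gpgv_verdict
```

To use it on a real download, pipe the saved gpgv output into gpgv_verdict and run iso_hash_ok with the ISO name and SHA256SUMS from the same directory.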

OK, I guess that makes sense, but what I still do not understand is that this is not the first time I have checked a signature with gpgv after downloading an ISO. I usually save the output of the check to a text file, and I just dug up the last time I did this same thing, about a year ago, when I had downloaded ubuntu-mate-16.04.4-desktop-amd64.iso. Back then the output was this:

nick@mycomputer:~/Downloads$ gpgv --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg SHA256SUMS.gpg SHA256SUMS
gpgv: Signature made to 1. maaliskuuta 2018 21.44.02 EET using DSA key ID FBB75451
gpgv: Good signature from "Ubuntu CD Image Automatic Signing Key [email protected]"
gpgv: Signature made to 1. maaliskuuta 2018 21.44.02 EET using RSA key ID EFE21092
gpgv: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) [email protected]"
nick@mycomputer:~/Downloads$ grep ubuntu-mate-16.04.4-desktop-amd64.iso SHA256SUMS | sha256sum --check
ubuntu-mate-16.04.4-desktop-amd64.iso: OK

So back then, I got two "Good" signatures and there were no problems regarding "Can't check signature". Because of this I am now unable to understand why in the past I always got no errors and now suddenly there is an error message, although I am doing the exact same thing. I guess it is nothing to be concerned about, but I still do not quite understand what has changed and what causes this difference in the output compared to the same thing done earlier?

Elephant in room moment please?
Your main focus IMHO is to check your download is correct and sha256sum should suffice.

Now looking at your top post, OP, you had a good signature, and your last post seems anxious that you had a "can't check" result even though the CD image was correct... do we agree?

OK, so using the linuxchick link at the section "Using Keys -- Import a Public Key":

You will see it suggests you check your current keys, and I noticed you had maybe 50 signatures (from various downloads?) not checked due to missing keys.

I have only one, so I'm happy to share it:

gpg --list-keys

/home/gordon/.gnupg/pubring.kbx

pub rsa4096 2012-05-11 [SC]
843938DF228D22F7B3742BC0D94AA3F0EFE21092
uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) [email protected]

Since you already know your download is correct, if you want to (and I do not care either way, as your problem is not a problem; your download is already correct), you could clean up your keys by killing that dir and, on the next download, start afresh.

Actually, you may be keeping your home dir from other distro builds? That's just a wild stab in the dark and of no concern to me, but I always do a clean install with home as a sub-folder of / rather than a separate partition, as I use fsarchiver to image my entire partition, keeping only some files in a data partition with an independent backup.

If interested in a brute-force clean up:
rm -rf .gnupg
gpg --list-keys
gpg: directory '/home/gordon/.gnupg' created
gpg: keybox '/home/gordon/.gnupg/pubring.kbx' created
gpg: /home/gordon/.gnupg/trustdb.gpg: trustdb created
gpg --list-keys (NO HITS)

And then I would have to import a new key when I need to, which I don't, as I use sha256sum.

Hope that makes your life easier