Hi.
I have a question about verifying the download files for Tampering.
I downloaded the ubuntu-mate-20.04.1-desktop-amd64.iso file from https://ubuntu-mate.org/download/amd64/focal/ and when i checked the .iso file for Corruption, it matched with the public checksum as given on the download page as well as in the file SHA256SUMS that i tried to verify for tampering in the next step.
i didnt got the same RSA keys as on the https://ubuntu-mate.org/faq/verify-download-secure/ website.
By verifying the SHA256SUMS.gpg and SHA256SUMS files for tampering with the command
gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
i got this as a result.
(its german but hopefully it makes sense with the numbers : )
gpg: Signatur vom Do 06 Aug 2020 17:14:42 CEST
gpg: mittels RSA-Schlüssel 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Korrekte Signatur von "Ubuntu CD Image Automatic Signing Key (2012) [email protected]" [unbekannt]
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck = 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
My result is the second Primary key fingerprint, given from the websites verfication text, as an RSA-key, plus the Fingerprint with spaces inbetween below. And the Date is also a different one than on the public website.
I tried a few different Mirrors but always got the same result.
Is this something i should worry about or can i use it without any concerns?
Meanwhile;
I loaded it onto my old Laptop and afterwards i tried to install ArchLinux from an installation Disc i burned from .iso file, which i downloaded from the https://www.archlinux.org/download/ website.
In this instance both values in the md5sums.txt and sha1sums.txtfiles matched with the .iso file.
And the .iso.sig file given from the same download folder also matched with one of the Developers Fingerprints on the https://www.archlinux.org/people/developers/ website.
Even the signature date matched.
But for some reason when i tried to install Archlinux, with the already installed ubuntu-mate-20.04.1-desktop-amd64.iso file i mentioned before which i tried to properly verify, i got a message when booting up, that the file (archlinux..) is not safe, and when i checked the Boot menu i found out that the message showed up because of the saved keys in the Bootmenu from the installed ubuntu-mate-20.04.1-desktop-amd64.iso file.
Would be nice if someone can tell me if the Ubuntu Mate file is safe to use or not.
Im just wandering because before i installed the Ubuntu MATE distribution on my old laptop,
i had Linux Mint on it and by verifying the Linux Mint .iso file, i also hat matches in the checksum, .iso file, fingerprint and the Signature Date. (given on the Official website as well as in the downloaded files to verify)
And when i watch the system monitor on the running Ubuntu Mate, every few second i see a spike at incoming and outgoing data on the Network monitor without me doing something online.
I`m looking foreward hearing from you guys.
Thanks in advance.
Greetings,
Paul