I downloaded ubuntu-mate-20.04.2.0-desktop-amd64.iso and wanted to verify its checksum. So, I downloaded both the SHA256SUMS.gpg and SHA256SUMS files. I already have "Ubuntu CD Image Automatic Signing Key (2012) [email protected]" on my keyring. But when running
gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
I got the following result:
gpg: Signature made Thu Feb 11 22:01:40 2021 MSK
gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>" [unknown]
Hash checks out for me.
Maybe the file got corrupted, or the hash isn't updated where you downloaded it from, or something.
Try downloading from https://ubuntu-mate.org/download/amd64/focal/ instead.
Well, how do you know the hash is correct and the ISO image is not compromised? That's what the GPG signature is for. And failed GPG signature verification is a major reason for concern.
The link you gave has in turn a "Direct Download" link which points exactly to the place I specified.
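The procedure the poster describes, written out as a script so the two steps happen in the right order and with the check that a bare "gpg --verify" does not give you. This is an added example, not code from the thread or from Ubuntu; it assumes gpg 2.x and coreutils sha256sum, and every key name, file name and fingerprint inside demo() is made up for the example. verify_iso first checks the detached signature on SHA256SUMS and refuses to go further on anything but a valid signature; it then pins the signature to an expected key fingerprint, because gpg exits 0 for a good signature from any key on the ring (the "[unknown]" in the output above is the trust level of the key, not the validity of the signature); only then does it let sha256sum use the file. demo() generates a throwaway key, signs a constructed SHA256SUMS, verifies it, then regenerates SHA256SUMS for a "re-spun" image without re-signing it, which reproduces the BAD signature the poster saw.

```shell
#!/bin/sh
# Added example, not from the thread. verify_iso does what the original poster
# did by hand, in the order that matters: check the detached signature on
# SHA256SUMS first, pin it to an expected key fingerprint, and only then let
# sha256sum use the file to check the image. demo builds a throwaway key, a
# constructed stand-in for the ISO and a SHA256SUMS file in a temp directory,
# so everything runs offline; every name in demo is made up for the example.

# verify_iso DIR EXPECTED_FINGERPRINT
# DIR holds SHA256SUMS, SHA256SUMS.gpg and whichever listed images were downloaded.
# Returns 0 only if the signature is valid, was made by EXPECTED_FINGERPRINT, and
# every image present matches its sum.
verify_iso() {
    dir=$1
    want=$2
    # --status-fd 1 gives machine-readable lines; a BAD signature or a missing
    # key makes gpg exit non-zero, and that alone must stop the procedure.
    if ! out=$(gpg --batch --status-fd 1 --verify "$dir/SHA256SUMS.gpg" "$dir/SHA256SUMS" 2>&1); then
        printf '%s\n' "$out" | grep -E 'BADSIG|NO_PUBKEY|ERRSIG' >&2 || true
        echo "refusing to use SHA256SUMS: signature did not verify" >&2
        return 1
    fi
    # A good signature by *some* key on the ring is not enough; VALIDSIG carries
    # the full fingerprint of the signing key, so pin it here.
    case "$out" in
        *"[GNUPG:] VALIDSIG $want "*) ;;
        *)  echo "signature is good but not from the expected key $want" >&2
            return 1 ;;
    esac
    # Only now is SHA256SUMS trustworthy. --ignore-missing skips images that were
    # not downloaded; sha256sum still fails if no listed file was checked at all.
    (cd "$dir" && sha256sum --check --ignore-missing --strict SHA256SUMS >/dev/null)
}

# demo: sign a constructed SHA256SUMS, verify it, then regenerate SHA256SUMS for
# a re-spun image WITHOUT re-signing (the situation the thread ends up
# diagnosing) and confirm the stale SHA256SUMS.gpg is rejected. Returns 0 if all
# three outcomes are as expected.
demo() {
    work=$(mktemp -d) || return 2
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    # Throwaway signing key; the user id and domain are invented for the example.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Example CD Image Signing Key <cdimage@example.invalid>' rsa2048 sign \
        >/dev/null 2>&1
    fpr=$(gpg --batch --with-colons --fingerprint 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }')
    iso="$work/example-20.04.2.0-desktop-amd64.iso"   # constructed stand-in for the ISO

    printf 'constructed image payload, build 1\n' > "$iso"
    (cd "$work" && sha256sum *.iso > SHA256SUMS)
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$work/SHA256SUMS.gpg" "$work/SHA256SUMS" 2>/dev/null

    if verify_iso "$work" "$fpr"; then r1=0; else r1=1; fi   # expect 0: good signature, right key
    if verify_iso "$work" "0000000000000000000000000000000000000000"; then r2=0; else r2=1; fi   # expect 1: wrong key

    # Image re-spun and checksums regenerated, but SHA256SUMS.gpg left as it was.
    printf 'constructed image payload, build 2\n' > "$iso"
    (cd "$work" && sha256sum *.iso > SHA256SUMS)
    if verify_iso "$work" "$fpr"; then r3=0; else r3=1; fi   # expect 1: BAD signature

    gpgconf --kill all >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "signed: $r1  wrong key: $r2  unsigned update: $r3"
    [ "$r1" -eq 0 ] && [ "$r2" -eq 1 ] && [ "$r3" -eq 1 ]
}
```

For a real download the call is verify_iso on the directory holding the ISO and the two sums files, with the fingerprint gpg printed above (843938DF228D22F7B3742BC0D94AA3F0EFE21092) as the second argument, after confirming that fingerprint against Ubuntu's published one rather than against gpg's own output. The order is the point: a BAD signature means the SHA256SUMS file on the server is not the one that was signed, so whether the ISO's hash happens to match a line in it proves nothing.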
Good spot on the date. I would guess Canonical (a human or bot) didn't sign the updated checksum for this flavour for some reason - the other flavours seem just fine.
Thanks for pointing out this issue. Apologies that you experienced this, but there do not seem to be any issues with the ISO; it's concerning that this occurred, though.
I've created a report with the Ubuntu CD Image team to get the proper .gpg key posted. I'll update the forum posting as well as the GitHub issue you opened with details.