SHA256SUMS.gpg: bad signature

Hi!

I downloaded ubuntu-mate-20.04.2.0-desktop-amd64.iso and wanted to verify its checksum. So, I downloaded both the SHA256SUMS.gpg and SHA256SUMS files. I already have "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" on my keyring. But when running

gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS

I got the following result:

gpg: Signature made Thu Feb 11 22:01:40 2021 MSK
gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" [unknown]

And the files at https://cdimage.ubuntu.com/ubuntu-mate/releases/20.04/release/ look like this (note the date):

Something definitely wrong is here.

4 Likes

Hash checks out for me.
Maybe the file got corrupted or where you download it the hash isn't updated or something.
Try downloading from https://ubuntu-mate.org/download/amd64/focal/ instead.

Well, how do you know the hash is correct and the ISO image is not compromised? That's what the GPG signature is for. And failed GPG signature verification is a major reason for concern.

The link you gave has in turn a "Direct Download" link which points exactly to the place I specified.

Probably such an issue is better to be reported to maintainers or developers, so I opened an issue here:

3 Likes
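The verification order the post above argues for, written out as a small script. This is an added example, not code from this thread or from Ubuntu MATE. It assumes gpg and sha256sum are on PATH, that SHA256SUMS, SHA256SUMS.gpg and the ISO sit in the current directory, and that the 2012 Ubuntu CD Image key has already been imported. It goes one step beyond the thread: besides stopping on a BAD signature, it pins the signing key's fingerprint (843938DF228D22F7B3742BC0D94AA3F0EFE21092, as printed by gpg in the thread), because `gpg --verify` exits 0 for a good signature from any key on the keyring, including one shown as [unknown] trust.

```shell
#!/bin/sh
# Added example (not from the thread or from Ubuntu MATE). Verify an Ubuntu
# ISO in the right order: check the detached signature on SHA256SUMS first,
# pin the signing key's fingerprint, and only then compare the ISO against
# SHA256SUMS. Assumes gpg and sha256sum on PATH, files in the current
# directory, and the 2012 Ubuntu CD Image key already in the keyring.

# Fingerprint of "Ubuntu CD Image Automatic Signing Key (2012)" as gpg printed
# it in the thread. Pinning it matters: gpg returns success for a good
# signature from ANY key it knows, even one it lists as [unknown] trust.
EXPECTED_FPR=843938DF228D22F7B3742BC0D94AA3F0EFE21092

# gpg_verdict STATUS_FILE
# Reads gpg --status-fd output and prints one word: BAD for a bad signature,
# GOOD for a valid signature made by the pinned key, UNKNOWN otherwise
# (no signature, key not in keyring, or a valid signature from another key).
# Exit status is 0 only for GOOD.
gpg_verdict() {
    status_file=$1
    if grep -q '^\[GNUPG:\] BADSIG ' "$status_file"; then
        echo BAD
        return 1
    fi
    # VALIDSIG carries the full fingerprint; GOODSIG carries only the long key ID.
    if grep -q "^\[GNUPG:\] VALIDSIG $EXPECTED_FPR " "$status_file"; then
        echo GOOD
        return 0
    fi
    echo UNKNOWN
    return 1
}

# verify_signed_sums SIG_FILE SUMS_FILE
# Runs gpg on the detached signature; the machine-readable status lines go to
# fd 3 and into gpg_verdict, the usual human-readable lines stay on stderr.
verify_signed_sums() {
    sig=$1 sums=$2
    status_tmp=$(mktemp) || return 1
    gpg --status-fd 3 --verify "$sig" "$sums" 3>"$status_tmp"
    verdict=$(gpg_verdict "$status_tmp"); rc=$?
    rm -f "$status_tmp"
    echo "signature on $sums: $verdict"
    return $rc
}

# check_iso_hash SUMS_FILE ISO_FILE
# Keeps only the SHA256SUMS line for ISO_FILE (Ubuntu writes "<hash> *<name>")
# and lets sha256sum check it. Exit status 0 only if the hash matches; an ISO
# that is not listed at all also fails instead of silently passing.
check_iso_hash() {
    sums=$1 iso=$2
    awk -v f="$iso" '$2 == f || $2 == ("*" f)' "$sums" | sha256sum -c --status
}

# verify_iso ISO_FILE [SUMS_FILE] [SIG_FILE]
# The full procedure. A BAD or UNKNOWN signature means the checksum list
# itself cannot be trusted, so the hash is not even compared: a hash that
# "checks out" against an unverified SHA256SUMS proves nothing.
verify_iso() {
    iso=$1 sums=${2:-SHA256SUMS} sig=${3:-SHA256SUMS.gpg}
    verify_signed_sums "$sig" "$sums" || {
        echo "refusing to trust $sums: signature check failed" >&2
        return 1
    }
    if check_iso_hash "$sums" "$iso"; then
        echo "$iso: OK"
    else
        echo "$iso: hash mismatch or not listed in $sums" >&2
        return 1
    fi
}

# Usage: sh verify-iso.sh ubuntu-mate-20.04.2.0-desktop-amd64.iso
if [ $# -gt 0 ]; then
    verify_iso "$@"
fi
```

The status lines gpg_verdict looks for are the GNUPG:-prefixed ones gpg emits with --status-fd (BADSIG, GOODSIG, VALIDSIG); the fingerprint in the thread's "using RSA key" line is the one VALIDSIG reports, which is why it is the value to pin rather than the short key ID or the user ID string.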

I recall the 20.04.2 ISOs had to be regenerated around that time due to a bug in the OEM installer:

https://wiki.ubuntu.com/FocalFossa/ReleaseNotes/ChangeSummary/20.04.2#A20.04.2.0_hotfix_bug_fixes

Good spot on the date. I would guess Canonical (a human or bot) didn't sign the updated checksum for this flavour for some reason - the other flavours seem just fine. 🙁

3 Likes

Thanks for pointing out this issue. Apologies that you experienced this. There do not seem to be any issues with the ISO, but it's concerning that this occurred.

I've created a report with the Ubuntu CD Image team to get the proper .gpg key posted. I'll update the forum posting as well as the GitHub issue you opened with details.

2 Likes

@xanderdin the .gpg key has been updated.

Thanks again for letting us know.

gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Fri 09 Apr 2021 04:09:29 PM MDT
gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>"

4 Likes

Great! Thank you, too!

It seems I misunderstood you. The link I gave you gives a key and a download that matches the key. Luckily it seems the problem got resolved.