SHA256SUMS.gpg: bad signature

xanderdin · 7 April 2021 16:58

Hi!

I downloaded ubuntu-mate-20.04.2.0-desktop-amd64.iso and wanted to verify its checksum. So, I downloaded both SHA256SUMS.gpg and SHA256SUMS files. I have already "Ubuntu CD Image Automatic Signing Key (2012) [email protected]" on my key ring. But when running

gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS

I got the following result:

gpg: Signature made Thu Feb 11 22:01:40 2021 MSK
gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>" [unknown]

And the files at https://cdimage.ubuntu.com/ubuntu-mate/releases/20.04/release/ look like this (note the date):

Something definitely wrong is here.

kaasknak · 7 April 2021 20:35

Hash checks out for me.
Maybe the file got corrupted or where you download it the hash isn't updated or something.
Try downloading from https://ubuntu-mate.org/download/amd64/focal/ instead.

xanderdin · 7 April 2021 21:10

Well, how do you know the hash is correct and the ISO image is not compromised? That's what the GPG signature is for. And failed GPG signature verification is a major reason for concern.

The link you gave has in turn "Direct Download" link which points exactly to the place I specified.

xanderdin · 8 April 2021 17:23

Probably such an issue is better to be reported to maintainers or developers, so I opened an issue here:

lah7 · 8 April 2021 22:05

I recall the 20.04.2 ISOs had to be regenerated around that time due to a bug in the OEM installer:

https://wiki.ubuntu.com/FocalFossa/ReleaseNotes/ChangeSummary/20.04.2#A20.04.2.0_hotfix_bug_fixes

Good spot on the date. I would guess Canonical (a human or bot) didn't sign the updated checksum for this flavour for some reason - the other flavours seem just fine.

franksmcb · 9 April 2021 03:40

Thanks for pointing out this issue. Apologies that you experienced this, but there does not seem to be any issues with the ISO but it's concerning that this occurred.

I've created a report with the Ubuntu CD Image team to get the proper .gpg key posted. I'll update the forum posting as well as the GitHub issue you opened with details.

franksmcb · 9 April 2021 23:42

@xanderdin the .gpg key has been updated.

Thanks again for letting us know.

gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Fri 09 Apr 2021 04:09:29 PM MDT
gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) [email protected]"

xanderdin · 10 April 2021 08:46

Great! Thank you, too!

kaasknak · 11 April 2021 20:31

It seems I misunderstood you. The link I gave you gives a key and a download that matches the key. Luckily it seems the problem got resolved.