I downloaded ubuntu-mate-20.04.2.0-desktop-amd64.iso and wanted to verify its checksum. So, I downloaded both SHA256SUMS.gpg and SHA256SUMS files. I have already "Ubuntu CD Image Automatic Signing Key (2012) [email protected]" on my key ring. But when running
gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
I got the following result:
gpg: Signature made Thu Feb 11 22:01:40 2021 MSK gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092 gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>" [unknown]
And the files at https://cdimage.ubuntu.com/ubuntu-mate/releases/20.04/release/ look like this (note the date):
Something definitely wrong is here.