Unable to verify 20.04.03 download
I am trying to follow this guide here: https://ubuntu.com/tutorials/how-to-verify-ubuntu#1-overview I have downloaded the ISO file and I have the following files in my Downloads directory: SHA256SUMS SHA256SUMS.gpg ubuntu-20.04.3-desktop-amd64.iso
I am attempting the download/verify on a new installation of Ubuntu 21.10.
A user here: Cannot verify my download ver20.04.01 had a similar problem but the explanation does not help me.
In my case, typing: gpg --list-keys gives no output. The guide says, "If this is the first time you have run gpg, this will create a trust database for the current user." I don't know if this happened or not, and the guide does not say how to check that the trust database has been created. Unfortunately, it does not say what form it should take, nor where it should be.
md5sum --version gives: md5sum (GNU coreutils) 8.32 Copyright (C) 2020 Free Software Foundation, Inc. Licence GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.
Written by Ulrich Drepper, Scott Miller and David Madore.
Typing: sha256sum --version gives: sha256sum (GNU coreutils) 8.32 Copyright (C) 2020 Free Software Foundation, Inc. Licence GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.
Written by Ulrich Drepper, Scott Miller and David Madore.
For step 4 of the guide, typing: gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS gives the following output: gpg: Signature made jue 26 ago 2021 11:52:49 CEST gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092 gpg: Can't check signature: No public key
I can see I am missing a Public key but I can't see anything in the instructions that tells me how to get it.
Why on earth is it such a long, drawn out and complicated method to verify? What happened to checking the SHA256 or MD5 sums from the command line? I have been absent from the Ubuntu world for a while and I had no idea it had become so difficult to verify a DVD. Any help (or just the MD5 or SHA256 sum) would be greatly appreciated.
Solution 1:
The documentation may need a little bit of an update. Here is what I did to verify the most recent 20.04.3 LTS ISO on my 21.10 installation:
-
Open a Terminal (naturally)
-
List any keys that might already exist for
gpg
just to ensure the tool is properly installed:gpg --list-keys
Just as for you, this returned zero results.
-
Download the appropriate
SHA256SUM.gpg
andSHA256SUM
files from the Ubuntu Releases page -
Test them:
gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
This will give you an output similar to this:
gpg: Signature made 2021年08月26日 18時52分49秒 JST gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092 gpg: Can't check signature: No public key
-
Get the public key:
gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092
This process may take a couple of seconds, but will eventually output something like this:
gpg: key D94AA3F0EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>" imported gpg: key 46181433FBB75451: public key "Ubuntu CD Image Automatic Signing Key <[email protected]>" imported gpg: Total number processed: 2 gpg: imported: 2
-
Now you can run the check:
gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS gpg: Signature made 2021年08月26日 18時52分49秒 JST gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092 gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
Although there is a
WARNING: This key is not certified with a trusted signature!
message, theGood signature from "Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>"
shows that the sums match. -
(Optional) Check your
gpg
imported keys:gpg --list-keys
Now that you have imported two, the output should look something like:
/home/jason/.gnupg/pubring.kbx ------------------------------ pub rsa4096 2012-05-11 [SC] 843938DF228D22F7B3742BC0D94AA3F0EFE21092 uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <[email protected]> pub dsa1024 2004-12-30 [SC] C5986B4F1257FFA86632CBA746181433FBB75451 uid [ unknown] Ubuntu CD Image Automatic Signing Key <[email protected]>
Hopefully this will give you what you need.
Q. Where did you get the numbers to supply in the command in step 4? (after recv-keys)
⇢ The numbers are on this page. The code block scrolls to the right: