Unable to verify 20.04.03 download

I am trying to follow this guide here: https://ubuntu.com/tutorials/how-to-verify-ubuntu#1-overview I have downloaded the ISO file and I have the following files in my Downloads directory: SHA256SUMS SHA256SUMS.gpg ubuntu-20.04.3-desktop-amd64.iso

I am attempting the download/verify on a new installation of Ubuntu 21.10.

A user here: Cannot verify my download ver20.04.01 had a similar problem but the explanation does not help me.

In my case, typing: gpg --list-keys gives no output. The guide says, "If this is the first time you have run gpg, this will create a trust database for the current user." I don't know if this happened or not, and the guide does not say how to check that the trust database has been created. Unfortunately, it does not say what form it should take, nor where it should be.

md5sum --version gives:

    md5sum (GNU coreutils) 8.32
    Copyright (C) 2020 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Written by Ulrich Drepper, Scott Miller, and David Madore.
    

Typing: sha256sum --version gives:

    sha256sum (GNU coreutils) 8.32
    Copyright (C) 2020 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Written by Ulrich Drepper, Scott Miller, and David Madore.
    

For step 4 of the guide, typing:

    gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
    

gives the following output:

    gpg: Signature made jue 26 ago 2021 11:52:49 CEST
    gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
    gpg: Can't check signature: No public key
    

I can see I am missing a Public key but I can't see anything in the instructions that tells me how to get it.

Why on earth is it such a long, drawn out and complicated method to verify? What happened to checking the SHA256 or MD5 sums from the command line? I have been absent from the Ubuntu world for a while and I had no idea it had become so difficult to verify a DVD. Any help (or just the MD5 or SHA256 sum) would be greatly appreciated.


Solution 1:

The documentation may need a little bit of an update. Here is what I did to verify the most recent 20.04.3 LTS ISO on my 21.10 installation:

  1. Open a Terminal (naturally)

  2. List any keys that might already exist for gpg just to ensure the tool is properly installed:

    gpg --list-keys
    

    Just as for you, this returned zero results.

  3. Download the appropriate SHA256SUMS.gpg and SHA256SUMS files from the Ubuntu Releases page

  4. Test them:

    gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
    

    This will give you an output similar to this:

    gpg: Signature made 2021年08月26日 18時52分49秒 JST
    gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
    gpg: Can't check signature: No public key
    
  5. Get the public key:

    gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092
    

    This process may take a couple of seconds, but will eventually output something like this:

    gpg: key D94AA3F0EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" imported
    gpg: key 46181433FBB75451: public key "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>" imported
    gpg: Total number processed: 2
    gpg:               imported: 2
    
  6. Now you can run the check:

    gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
    gpg: Signature made 2021年08月26日 18時52分49秒 JST
    gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
    gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
    

    Although there is a WARNING: This key is not certified with a trusted signature! message, the Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" shows that the sums match.

  7. (Optional) Check your gpg imported keys:

    gpg --list-keys
    

    Now that you have imported two, the output should look something like:

    /home/jason/.gnupg/pubring.kbx
    ------------------------------
    pub   rsa4096 2012-05-11 [SC]
          843938DF228D22F7B3742BC0D94AA3F0EFE21092
    uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
    
    pub   dsa1024 2004-12-30 [SC]
          C5986B4F1257FFA86632CBA746181433FBB75451
    uid           [ unknown] Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>
    

Hopefully this will give you what you need.


Q. Where did you get the numbers to supply in the command in step 4? (after recv-keys)

⇢ The numbers are on this page. The code block scrolls to the right.
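The procedure in the answer above ends at the signature check on SHA256SUMS; the ISO itself is only verified once its hash is compared against that file, and the "Good signature ... [unknown]" output is only meaningful if the signing key's fingerprint is compared against the one Ubuntu publishes. The following is an added example, not code from the original post or from Ubuntu: it pins the fingerprint shown in the answer's output, reads gpg's machine-readable `--status-fd` lines (VALIDSIG, ERRSIG, NO_PUBKEY) instead of grepping "Good signature" from localized human-readable output, and then hashes the ISO against the SHA256SUMS entry. The status lines and the stand-in "ISO" in `demo()` are constructed for the example; `run_gpg_status()` is the only part that touches the real files and real gpg.

```python
"""Verify a signed SHA256SUMS file, then the ISO it lists (added example)."""
import hashlib
import os
import re
import subprocess
import tempfile

# Fingerprint from the answer's gpg output. Compare it against the value Ubuntu
# publishes out of band; the keyserver only tells you a key exists, not whose.
UBUNTU_2012_FPR = "843938DF228D22F7B3742BC0D94AA3F0EFE21092"

# Constructed sample in the shape gpg emits with --status-fd 1 (field values illustrative).
SAMPLE_STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 843938DF228D22F7B3742BC0D94AA3F0EFE21092 0
[GNUPG:] GOODSIG D94AA3F0EFE21092 Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
[GNUPG:] VALIDSIG 843938DF228D22F7B3742BC0D94AA3F0EFE21092 2021-08-26 1629971569 0 4 0 1 10 00 843938DF228D22F7B3742BC0D94AA3F0EFE21092
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Constructed sample of what the questioner saw before importing the key.
SAMPLE_STATUS_NOKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG D94AA3F0EFE21092 1 10 00 1629971569 9 843938DF228D22F7B3742BC0D94AA3F0EFE21092
[GNUPG:] NO_PUBKEY D94AA3F0EFE21092
"""

FAILURE_TOKENS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def signature_is_trusted(status_text, pinned_fpr):
    """True only if gpg reported VALIDSIG by the pinned key and no failure token.

    TRUST_UNDEFINED is expected: the 'not certified with a trusted signature'
    warning is about the web of trust, which pinning the fingerprint replaces.
    """
    pinned = pinned_fpr.replace(" ", "").upper()
    valid_by_pinned = False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        token = fields[1]
        if token in FAILURE_TOKENS:
            return False
        if token == "VALIDSIG":
            # fields[2] is the signing (sub)key fingerprint, the last field the
            # primary key fingerprint; the pin may be given as either.
            if pinned in (fields[2].upper(), fields[-1].upper()):
                valid_by_pinned = True
    return valid_by_pinned


def run_gpg_status(sig_path="SHA256SUMS.gpg", data_path="SHA256SUMS"):
    """Run the real check; --status-fd 1 puts machine-readable lines on stdout."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
                          capture_output=True, text=True, check=False)
    return proc.stdout


# Ubuntu's SHA256SUMS lines look like '<64 hex> *<filename>' (binary-mode asterisk).
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+?)\s*$")


def parse_sha256sums(text):
    """Map filename -> expected lowercase hex digest."""
    entries = {}
    for line in text.splitlines():
        m = SUMS_LINE.match(line)
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_iso(iso_path, sums_text):
    """Like 'sha256sum -c --ignore-missing SHA256SUMS' for one file, but an
    unlisted file is a failure rather than a silent skip."""
    expected = parse_sha256sums(sums_text).get(os.path.basename(iso_path))
    return expected is not None and sha256_of_file(iso_path) == expected


def demo():
    """Offline walk-through on a constructed stand-in for the ISO."""
    with tempfile.TemporaryDirectory() as tmp:
        iso = os.path.join(tmp, "ubuntu-20.04.3-desktop-amd64.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed stand-in, not a real ISO\n" * 1000)
        sums_text = f"{sha256_of_file(iso)} *{os.path.basename(iso)}\n"
        iso_ok = verify_iso(iso, sums_text)
        with open(iso, "ab") as f:   # a tampered or truncated download differs
            f.write(b"x")
        tampered_ok = verify_iso(iso, sums_text)
    return {
        "signature_ok": signature_is_trusted(SAMPLE_STATUS_GOOD, UBUNTU_2012_FPR),
        "signature_without_key": signature_is_trusted(SAMPLE_STATUS_NOKEY, UBUNTU_2012_FPR),
        "iso_ok": iso_ok,
        "tampered_iso_ok": tampered_ok,
    }


if __name__ == "__main__":
    print(demo())
```

On a real download, run it from the directory holding the three files: `signature_is_trusted(run_gpg_status(), UBUNTU_2012_FPR)` followed by `verify_iso("ubuntu-20.04.3-desktop-amd64.iso", open("SHA256SUMS").read())`. Both must be true; a valid signature on SHA256SUMS says nothing about the ISO until its hash is compared.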