Verifying Ubuntu ISO with repository GPG keys

Solution 1:

The following steps allow you to verify the SHA256SUMS file for the downloaded Ubuntu iso:

  1. Open Terminal (CTRL+ALT+T)
  2. Import the keys from /usr/share/keyrings/ubuntu-archive-keyring.gpg via gpg --import /usr/share/keyrings/ubuntu-archive-keyring.gpg. You should see something like this:

    gpg: keyring `/root/.gnupg/secring.gpg' created
    gpg: key 437D05B5: public key "Ubuntu Archive Automatic Signing Key " imported
    gpg: key FBB75451: public key "Ubuntu CD Image Automatic Signing Key " imported
    gpg: Total number processed: 2
    gpg:               imported: 2
    gpg: no ultimately trusted keys found
    

    The line

    gpg: key FBB75451: public key "Ubuntu CD Image Automatic Signing Key " imported
    

    shows that you imported the GPG key used for signing CD images (iso files), which is the one with the following fingerprint:

    Primary key fingerprint: C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451

    and hence the ID FBB7 5451

  3. Having imported the key, you can then download the files SHA256SUMS, MD5SUMS, SHA1SUMS and their respective signatures SHA256SUMS.gpg, MD5SUMS.gpg.

  4. Now you can use the command gpg --verify SHA256SUMS.gpg SHA256SUMS to check if the file SHA256SUMS is legitimate. If so, then you should see something like this:

    gpg: Signature made Thu 14 Feb 2013 06:38:41 PM CET using DSA key ID FBB75451
    gpg: Good signature from "Ubuntu CD Image Automatic Signing Key "
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451
    

    If the SHA256SUMS file has been altered then something like this will appear instead:

    gpg: Signature made Thu 14 Feb 2013 06:38:41 PM CET using DSA key ID FBB75451
    gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key "
    

Basically, instead of following step 2 in the howto referred to in the question and getting the key from the keyserver, which may have been compromised, you use the key provided with your existing Ubuntu installation that you trust.
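Putting steps 2 to 4 together with the final ISO check, as an added example that is not part of the answer above: a POSIX shell script that verifies SHA256SUMS against the keyring shipped with the installed system (no keyserver involved) and then checks one downloaded ISO against the verified sums. The function names, the assumption that the files sit in the current directory, and the sample invocation are mine, not the answer's.

```shell
#!/bin/sh
# Keyring shipped with the installed system; it holds the CD image signing key
# (FBB75451) shown in the answer above, so nothing is fetched from a keyserver.
KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg

# verify_sums KEYRING SUMS SIG
# Returns 0 only if SIG is a good signature over SUMS made by a key in KEYRING.
# --no-default-keyring restricts the check to that file, so a stray key that
# was once imported into ~/.gnupg cannot satisfy it by accident.
verify_sums() {
    gpg --no-default-keyring --keyring "$1" --verify "$3" "$2"
}

# check_iso SUMS ISO
# Returns 0 if the ISO's SHA-256 matches its line in SUMS, 1 if the line is
# absent or the digest differs.  Only the ISO's own line is fed to sha256sum,
# so the other images listed in SUMS need not be present.
check_iso() {
    sums=$1; iso=$2; name=$(basename "$iso")
    line=$(grep -E "[ *]$name\$" "$sums") || return 1
    printf '%s\n' "$line" | (cd "$(dirname "$iso")" && sha256sum --quiet -c -)
}

# verify_iso KEYRING SUMS SIG ISO
# Signature first, digest second: a matching digest means nothing if the
# SHA256SUMS file itself was not signed by the Ubuntu CD image key.
verify_iso() {
    if ! verify_sums "$1" "$2" "$3"; then
        echo "BAD signature on $2 (or not from $1)" >&2; return 1
    fi
    if ! check_iso "$2" "$4"; then
        echo "$4 does not match its entry in $2" >&2; return 1
    fi
    echo "$4 verified"
}

# Sample invocation (assumed file layout, not run here):
#   verify_iso "$KEYRING" SHA256SUMS SHA256SUMS.gpg ubuntu-22.04-desktop-amd64.iso
```

The "WARNING: This key is not certified with a trusted signature!" line from gpg still appears, because the keyring carries no ownertrust; the check that matters is that gpg reports "Good signature" using a key from that keyring.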