Ubuntu – BAD signature when trying to verify SHA256SUMS for Bionic Beaver ISO

checksums, gnupg, iso, tor

I am attempting to verify my download of Bionic Beaver on Windows 7.

I feel like I am missing something very obvious.

I went to http://releases.ubuntu.com/bionic/ and clicked on both SHA256SUMS and SHA256SUMS.gpg.

It seems like this does not download the files, but opens the text in the files in new tabs.

I used Ctrl-A and then copied the text into Notepad, naming the files SHA256SUMS and SHA256SUMS.gpg.

I made sure that Windows didn't add any weird extensions when saving.

I manually downloaded both keys I used from https://keyserver.ubuntu.com, one with fingerprint

C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451

and the other with fingerprint

8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092

After I downloaded both keys I certified them with my personal key using Kleopatra, after verifying the key fingerprint with those at help.ubuntu.com.

When I ran

gpg --verify SHA256SUMS.gpg SHA256SUMS

I got

gpg: Signature made 11/29/18 16:27:43 US Mountain Standard Time
gpg:                using DSA key 46181433FBB75451
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.c
om>" [full]
gpg: Signature made 11/29/18 16:27:43 US Mountain Standard Time
gpg:                using RSA key D94AA3F0EFE21092
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@u
buntu.com>" [full]

When I ran

gpg --verbose --verify SHA256SUMS.gpg SHA256SUMS

I got

gpg: armor header: Version: GnuPG v1
gpg: Signature made 11/29/18 16:27:43 US Mountain Standard Time
gpg:                using DSA key 46181433FBB75451
gpg: using pgp trust model
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.c
om>" [full]
gpg: binary signature, digest algorithm SHA512, key algorithm dsa1024
gpg: Signature made 11/29/18 16:27:43 US Mountain Standard Time
gpg:                using RSA key D94AA3F0EFE21092
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@u
buntu.com>" [full]
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096

I tried copying the data from the SHA256SUMS and SHA256SUMS.gpg tabs over Tor instead, in case it was a local network problem, but no dice either.

What am I missing here? Is there some way to download the SHA256SUMS and SHA256SUMS.gpg files directly, as opposed to copying the data into a text editor and saving it?

Any help would be much appreciated. I am very confused and frustrated at this point.

Best Answer

  • ostensibly_work over at reddit solved the problem.

    I did not realize that right-clicking and selecting "Save Link as" downloads the file directly. With that, the gpg signature checks out.

    Thanks for the help everyone!
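
An added example, not part of the original question or answer: the verbose output above reports a binary signature, which covers the exact bytes of SHA256SUMS, so a copy that looks identical on screen can still fail. The sketch below assumes that pasting into Notepad and saving converts line endings to CRLF; the sample contents, digests and file names are constructed.

```python
import hashlib
import sys

# Constructed sample: digests and file names are placeholders, not real release data.
SERVED = (b"0" * 64 + b" *example-desktop-amd64.iso\n" +
          b"1" * 64 + b" *example-live-server-amd64.iso\n")
# Assumption: pasting into Notepad and saving turns each LF into CRLF.
PASTED = SERVED.replace(b"\n", b"\r\n")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def transfer_damage(data):
    """List signs that a file was re-saved as text rather than downloaded byte for byte."""
    findings = []
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append("UTF-8 byte order mark")
    elif data.startswith((b"\xff\xfe", b"\xfe\xff")):
        findings.append("UTF-16 byte order mark")
    if b"\r" in data:
        findings.append("CR or CRLF line endings")
    if data and not data.endswith(b"\n"):
        findings.append("no final newline")
    return findings


def same_text(a, b):
    """True when two byte strings show the same lines on screen."""
    return a.decode("utf-8-sig").splitlines() == b.decode("utf-8-sig").splitlines()


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # check a real file: script.py SHA256SUMS
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        print(sha256_hex(data), transfer_damage(data) or "no text-editor artefacts found")
    else:                                      # demo on the constructed sample
        print("same visible text:", same_text(SERVED, PASTED))
        print("served:", sha256_hex(SERVED), transfer_damage(SERVED))
        print("pasted:", sha256_hex(PASTED), transfer_damage(PASTED))
```

A clean result here only rules out text-editor damage; authenticity still comes from `gpg --verify` on the directly downloaded files.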
