Score:0

Unable to verify 20.04.03 download

cn flag

I am trying to follow this guide here: https://ubuntu.com/tutorials/how-to-verify-ubuntu#1-overview

I have downloaded the ISO file and I have the following files in my Downloads directory:

    SHA256SUMS
    SHA256SUMS.gpg
    ubuntu-20.04.3-desktop-amd64.iso

I am attempting the download/verify on a new installation of Ubuntu 21.10.

A user here: Cannot verify my download ver20.04.01 had a similar problem but the explanation does not help me.

In my case, typing: gpg --list-keys gives no output. The guide says, "If this is the first time you have run gpg, this will create a trust database for the current user." I don't know if this happened or not, and the guide does not say how to check that the trust database has been created. Unfortunately, it does not say what form it should take, nor where it should be.

md5sum --version gives:

    md5sum (GNU coreutils) 8.32
    Copyright (C) 2020 Free Software Foundation, Inc.
    Licence GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Written by Ulrich Drepper, Scott Miller and David Madore.

Typing: sha256sum --version gives:

    sha256sum (GNU coreutils) 8.32
    Copyright (C) 2020 Free Software Foundation, Inc.
    Licence GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Written by Ulrich Drepper, Scott Miller and David Madore.

For step 4 of the guide, typing:

    gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS

gives the following output:

    gpg: Signature made jue 26 ago 2021 11:52:49 CEST
    gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
    gpg: Can't check signature: No public key

I can see I am missing a Public key but I can't see anything in the instructions that tells me how to get it.

Why on earth is it such a long, drawn out and complicated method to verify? What happened to checking the SHA256 or MD5 sums from the command line? I have been absent from the Ubuntu world for a while and I had no idea it had become so difficult to verify a DVD. Any help (or just the MD5 or SHA256 sum) would be greatly appreciated.

cn flag
PS I have to admit that I did not bother to verify the download of 21.10 that I am currently running, it is only temporary.
cn flag
If I run sha256sum ubuntu-20.04.3-desktop-amd64.iso it gives a different checksum to that given in the SHA256SUMS file. However, I have downloaded the ISO twice and both of these files give the same checksum.
Score:2
in flag

The documentation may need a little bit of an update. Here is what I did to verify the most recent 20.04.3 LTS ISO on my 21.10 installation:

  1. Open a Terminal (naturally)

  2. List any keys that might already exist for gpg just to ensure the tool is properly installed:

    gpg --list-keys
    

    Just as for you, this returned zero results.

  3. Download the appropriate SHA256SUMS.gpg and SHA256SUMS files from the Ubuntu Releases page

  4. Test them:

    gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
    

    This will give you an output similar to this:

    gpg: Signature made 2021年08月26日 18時52分49秒 JST
    gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
    gpg: Can't check signature: No public key
    
  5. Get the public key:

    gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092
    

    This process may take a couple of seconds, but will eventually output something like this:

    gpg: key D94AA3F0EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>" imported
    gpg: key 46181433FBB75451: public key "Ubuntu CD Image Automatic Signing Key <[email protected]>" imported
    gpg: Total number processed: 2
    gpg:               imported: 2
    
  6. Now you can run the check:

    gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
    gpg: Signature made 2021年08月26日 18時52分49秒 JST
    gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
    gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
    

    Although there is a WARNING: This key is not certified with a trusted signature! message, the Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>" shows that the sums match.

  7. (Optional) Check your gpg imported keys:

    gpg --list-keys
    

    Now that you have imported two, the output should look something like:

    /home/jason/.gnupg/pubring.kbx
    ------------------------------
    pub   rsa4096 2012-05-11 [SC]
          843938DF228D22F7B3742BC0D94AA3F0EFE21092
    uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>
    
    pub   dsa1024 2004-12-30 [SC]
          C5986B4F1257FFA86632CBA746181433FBB75451
    uid           [ unknown] Ubuntu CD Image Automatic Signing Key <[email protected]>
    

Hopefully this will give you what you need.


Q. Where did you get the numbers to supply in the command in step 4? (after recv-keys)

⇢ The numbers are on this page. The code block scrolls to the right:


Organic Marble avatar
us flag
Where did you get the numbers to supply in the command in step 4? (after recv-keys)
in flag
@OrganicMarble ⇢ updated answer to show source
Organic Marble avatar
us flag
Thanks for the additional info!
cn flag
Thank you both for your quick and helpful advice. Here's what happens if I follow the steps (on a different machine, running Mint 20.1, which is installed in Spanish). There is insufficient space to respond here, so I have put a text file on Google Drive. It is here: https://drive.google.com/file/d/1SndfljIxfh_t3PaaJVpxzxLiZX3DGhm2/view?usp=sharing The process still fails, but I believe that the downloaded image is good (see my final comment in the text document).
cn flag
In answer to, "Q. Where did you get the numbers to supply in the command in step 4? (after recv-keys)" I got these from the output of the previously run command. The instructions do not state that you must explicitly state the keys quoted, I assumed that I must use the data presented. I could see that the latter part of the key matched what is in the instructions (the D94AA3F0EFE21092 part). So I substituted those into the command, preceding each with 0x.
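
Added example, not part of the original posts or of the Ubuntu guide: after the key import in step 5, this script requires a good signature on SHA256SUMS from the full fingerprint shown in the answer's output, then compares the ISO's hash with its entry in that signed file. It reads gpg's `--status-fd` records, which are not localized (unlike the Spanish and Japanese messages quoted above); the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: function names are hypothetical. The fingerprint and the
# file names are the ones quoted in the thread above.
EXPECTED_FPR=843938DF228D22F7B3742BC0D94AA3F0EFE21092

# Read `gpg --status-fd 1 --verify` output on stdin. Print the primary-key
# fingerprint (last VALIDSIG field) of each signature reported as GOODSIG;
# signatures reported as EXPKEYSIG, REVKEYSIG or BADSIG never set the flag.
valid_signers() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "GOODSIG"  { good = 1 }
         $2 == "VALIDSIG" { if (good) print $NF; good = 0 }'
}

# Succeed only if a good signature came from exactly this full fingerprint.
signed_by() {   # usage: gpg --status-fd 1 --verify ... | signed_by FINGERPRINT
    valid_signers | grep -qxF "$1"
}

# Compare the ISO's SHA-256 with its entry in the sums file.
# Entries look like "<hash> *<name>"; the "*" only marks binary mode.
iso_matches_sums() {   # usage: iso_matches_sums ISO SUMS_FILE
    local iso="$1" sums="$2" name want got
    name=$(basename "$iso")
    want=$(awk -v f="$name" \
        '{ n = $2; sub(/^\*/, "", n) } n == f { print $1; exit }' "$sums")
    [ -n "$want" ] || { echo "no entry for $name in $sums" >&2; return 2; }
    got=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$want" = "$got" ]
}

# Both checks in order: signature on SHA256SUMS first, then the ISO hash.
verify_iso() {   # usage: verify_iso ISO   (SHA256SUMS and SHA256SUMS.gpg in cwd)
    gpg --status-fd 1 --verify SHA256SUMS.gpg SHA256SUMS 2>/dev/null \
        | signed_by "$EXPECTED_FPR" \
        || { echo "SHA256SUMS has no good signature from $EXPECTED_FPR" >&2; return 1; }
    iso_matches_sums "$1" SHA256SUMS \
        || { echo "$1 does not match the signed SHA256SUMS" >&2; return 1; }
    echo "OK: $1 matches a checksum signed by $EXPECTED_FPR"
}
```

Run it from the download directory as `verify_iso ubuntu-20.04.3-desktop-amd64.iso`.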