Score:3

Help me understand gpg outcome

I am following https://ubuntu.com/tutorials/how-to-verify-ubuntu#1-overview to download an Ubuntu ISO file. I run `gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS` and get the following outcome:

```
gpg: Signature made Thu Feb 23 19:06:28 2023 CET
gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
```

How do I interpret the above? Is the ISO file clean and to be trusted?

I run the code under Microsoft WSL2.

The ISO file is http://releases.ubuntu.com/jammy/ ubuntu-22.04.2-desktop-amd64.iso

David
What is the full name of the ISO you are trying to verify?
sudodus
The file `SHA256SUMS` is verified (that it is created and signed by Ubuntu). Then run `sha256sum -c SHA256SUMS` in the directory where you have the iso file (that should be listed in `SHA256SUMS`), and you should be able to rely on its result (`OK` for that iso file, if the download was successful).
sudodus
The following explanation (for a tool that I maintain) adds some details to understand the role of `gpg`: https://help.ubuntu.com/community/mkusb/gui/tarball#md5sums
waltinator
Telling us which remote procedure (RP) you "followed" doesn't help us help you for N reasons: 1) It's remote. Will the link exist tomorrow? 2) Reading the RP doesn't tell us how accurately you "followed" it. Did you suffer typos or missed lines? We have. 3) Reading the RP omits the error messages **you** got on **your system**. These error messages (and the commands that caused them) are key elements in any diagnosis.
kohler49
The ISO file is http://releases.ubuntu.com/jammy/ ubuntu-22.04.2-desktop-amd64.iso
kohler49
Will `sha256sum -c SHA256SUMS` compute the SHA256 value of the ISO file and compare the result with what is in the SHA256SUMS file?
sudodus
@kohler49, Yes. You can also check with your eyes by comparing the content of `SHA256SUMS` with the result of the command line `sha256sum ubuntu-22.04.2-desktop-amd64.iso`. (They should match for that particular iso file.)
kohler49
Thanks for your efforts. I have turned around and am trying to do this verification with Python. The basics are the same, but it seems like the AI (ChatGPT4 and Bing) support is 'richer' on Python than Linux... However, the problem boils down to the same: finding the signed file/private key of Ubuntu 22.04.2. As I believe that ISO verification is of general interest, I wonder whether I should make a new question and take this subject from there. It might be a bit clearer for others then. What's your opinion?
sudodus
@kohler49, I think it is a good idea to ask another question (and make it different enough from this question, otherwise it will be closed 'as a duplicate'). - By the way, was the link [help.ubuntu.com/community/mkusb/gui/tarball#md5sums](https://help.ubuntu.com/community/mkusb/gui/tarball#md5sums) useful for you, or should it be improved? - Anyway, please put a link to your new question here.
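
One way to script the two checks discussed in this thread, as an added example that is not code from any poster: it ignores gpg's "not certified" trust warning and instead pins the primary-key fingerprint shown in the question's output, then hashes the ISO against its `SHA256SUMS` entry. The function names are hypothetical, and it assumes the pinned fingerprint has been compared with the one Ubuntu publishes and that file names contain no spaces.

```shell
#!/bin/sh
# Added example; function names are hypothetical. The fingerprint is the one
# printed in the question's gpg output; compare it with the value Ubuntu
# publishes before pinning it.
UBUNTU_FPR="8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092"

# stdin: output of `gpg --status-fd 1 --verify SIG FILE`; $1: expected fingerprint.
# Succeeds only if gpg reported GOODSIG (not expired/revoked/bad) and a
# VALIDSIG line ends with the pinned primary-key fingerprint.
# The "[unknown]" trust warning is ignored on purpose: pinning replaces it.
sig_from_expected_key() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && $NF == want { pinned = 1 }
        END { exit (good && pinned ? 0 : 1) }'
}

# $1: SHA256SUMS path, $2: ISO path.
# Returns 0 on match, 1 on mismatch, 2 if the ISO name is not listed.
iso_matches_sums() {
    name=$(basename "$2")
    # Lines look like "<hash> *<name>"; the "*" marks binary mode.
    listed=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f)
                                 if (f == n) { print $1; exit } }' "$1")
    [ -n "$listed" ] || return 2
    actual=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$actual" = "$listed" ]
}

# $1: SHA256SUMS.gpg, $2: SHA256SUMS, $3: ISO. Signature first, then the hash.
verify_iso() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        sig_from_expected_key "$UBUNTU_FPR" || return 1
    iso_matches_sums "$2" "$3"
}

if [ "$#" -eq 3 ]; then
    verify_iso "$@" && echo "signature and checksum OK"
fi
```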