2

I am attempting to verify my download of Bionic Beaver on Windows 7.

I feel like I am missing something very obvious.

I went to http://releases.ubuntu.com/bionic/ and clicked on both SHA256SUMS and SHA256SUMS.gpg

It seems like this does not download the files, but opens the text in the files in new tabs.

I used Ctrl-A and then copied the text into Notepad, naming the files SHA256SUMS and SHA256SUMS.gpg.

I made sure that windows didn't add any weird extensions when saving.

I manually downloaded both keys I used from https://keyserver.ubuntu.com, one with fingerprint

C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451

and the other with fingerprint

8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092

After I downloaded both keys I certified them with my personal key using Kleopatra, after verifying the key fingerprint with those at help.ubuntu.com.

When I ran 

gpg --verify SHA256SUMS.gpg SHA256SUMS

I got 

gpg: Signature made 11/29/18 16:27:43 US Mountain Standard Time
gpg:                using DSA key 46181433FBB75451
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.c
om>" [full]
gpg: Signature made 11/29/18 16:27:43 US Mountain Standard Time
gpg:                using RSA key D94AA3F0EFE21092
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@u
buntu.com>" [full]

When I ran 

gpg --verbose --verify SHA256SUMS.gpg SHA256SUMS

I got

gpg: armor header: Version: GnuPG v1
gpg: Signature made 11/29/18 16:27:43 US Mountain Standard Time
gpg:                using DSA key 46181433FBB75451
gpg: using pgp trust model
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.c
om>" [full]
gpg: binary signature, digest algorithm SHA512, key algorithm dsa1024
gpg: Signature made 11/29/18 16:27:43 US Mountain Standard Time
gpg:                using RSA key D94AA3F0EFE21092
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@u
buntu.com>" [full]
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096

I tried copying the data from SHA256SUMS and SHA256SUMS.gpg tabs over TOR instead, in case it was a local network problem, but no dice either.

What am I missing here? Is there some way to download the SHA256SUMS and SHA256SUMS.gpg files directly, as opposed to copying the data into a text editor and saving it?

Any help would be very appreciated. I am very confused and frustrated at this point.

unutbu
  • 1,082
ConfusedTortoise
  • 41

3 Answers3

2

ostensibly_work over at reddit solved the problem.

I did not realize that right clicking and selecting "Save Link as" downloads the file directly. With that, the gpg signature checks out.

Thanks for the help everyone!

unutbu
  • 1,082
ConfusedTortoise
  • 41
2

You mention your worry for having passed the downloaded text of SHA256SUMS through Windows' notepad, and you're absolutely right to be worried about it.

While this doesn't appear to have altered any of the text, it does alter it, by changing the end-of-line marker, from the default Unix/Linux style of just LF (\n) to CR+LF (\r\n), the default end-of-line in DOS/Windows style.

I'd bet that, if you try it again, this time downloading the SHA256SUMS file directly to disk, instead of copying and pasting it into notepad, the signature would then match. Doing the same to SHA256SUMS.gpg wouldn't hurt, either, but is probably not required, in order for the signature to check out ok.

To do so, you'd just need to right-click the link to the files, and choose to save them to disk. Another way of doing it would be to, after opening the files in the browser window, choosing the Save command in your browser.

Marcelo A F Gomes
  • 21
0

The key D94AA3F0EFE21092 is correct and is working (although it is not certified)

The key 46181433FBB75451 is not valid, as the document you mention from help.ubuntu.com says, it is deprecated.

Download the files from the browser or use some utility.

The keys in linux work!

Carlos Dagorret
  • 636