
About 16 hours ago I downloaded the Ubuntu 18.04.5 image from releases.ubuntu.com alongside its checksum file and GnuPG signature. Verifying the checksum file using the signature results in a BAD signature warning. Why is that happening and should I be worried?

What exactly does a BAD signature mean? What is the next logical step?

    gpg: Signature made Thu 13 Aug 2020 08:02:20 PM +05
    gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
    gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" [unknown]
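For readers who want to see the difference between the outcomes gpg can report (a BAD signature versus a key that is simply not in the keyring versus a good signature) and what the full download check looks like, here is an added example that is not part of the question or either answer. It reads gpg's machine-readable `--status-fd` lines (GOODSIG, BADSIG, NO_PUBKEY, ERRSIG, as documented in GnuPG's doc/DETAILS) and then checks files against a SHA256SUMS list, which is only meaningful once the signature over that list is good. The status lines and the "ISO" bytes in the demo are constructed; the long key id D94AA3F0EFE21092 is the last 16 hex digits of the fingerprint shown in the question.

```python
"""Classify gpg verification results and check a SHA256SUMS file.

Added example; not code from Ubuntu, Canonical or the posters above.
Assumes the GnuPG status-line format from doc/DETAILS and the
"<hex>  <name>" / "<hex> *<name>" layout of SHA256SUMS.
"""
import hashlib
import re
import subprocess
from typing import Dict, Iterable, Tuple

# Status lines: GOODSIG/BADSIG carry the long key id then the user id;
# NO_PUBKEY and ERRSIG carry the long key id gpg could not use.
_PATTERNS = (
    ("bad", re.compile(r"^\[GNUPG:\] BADSIG ([0-9A-Fa-f]{16}) ")),
    ("no_pubkey", re.compile(r"^\[GNUPG:\] NO_PUBKEY ([0-9A-Fa-f]{16})")),
    ("error", re.compile(r"^\[GNUPG:\] ERRSIG ([0-9A-Fa-f]{16}) ")),
    ("good", re.compile(r"^\[GNUPG:\] GOODSIG ([0-9A-Fa-f]{16}) ")),
)


def classify_status(lines: Iterable[str]) -> Tuple[str, str]:
    """Reduce gpg --status-fd output to (outcome, long key id).

    bad        BADSIG: signature does not match the data; the file is not trustworthy.
    no_pubkey  the key is not in the keyring, so nothing was actually checked.
    error      ERRSIG with no NO_PUBKEY reason (e.g. unsupported algorithm).
    good       GOODSIG: the data is exactly what the holder of that key signed.
    """
    found: Dict[str, str] = {}
    for line in lines:
        for name, pat in _PATTERNS:
            m = pat.match(line.strip())
            if m:
                found.setdefault(name, m.group(1).upper())
    for name, _ in _PATTERNS:  # priority: bad > no_pubkey > error > good
        if name in found:
            return name, found[name]
    return "unknown", ""


def verify_detached(sig_path: str, data_path: str) -> Tuple[str, str]:
    """Run gpg on a detached signature and classify the result (needs gpg installed)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return classify_status(proc.stdout.splitlines())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


_SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Map file name -> expected lowercase hex digest, ignoring malformed lines."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        m = _SUMS_LINE.match(line.rstrip("\r"))
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected


def check_sha256sums(sums_text: str, files: Dict[str, bytes]) -> Dict[str, str]:
    """Return "ok", "mismatch" or "not_listed" for each file's bytes."""
    expected = parse_sha256sums(sums_text)
    results: Dict[str, str] = {}
    for name, data in files.items():
        if name not in expected:
            results[name] = "not_listed"
        elif sha256_hex(data) == expected[name]:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


if __name__ == "__main__":
    # Constructed status output mirroring the question's BAD signature case.
    bad = ["[GNUPG:] NEWSIG",
           "[GNUPG:] BADSIG D94AA3F0EFE21092 Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>"]
    print(classify_status(bad))
    iso = b"constructed iso bytes, not a real image"
    name = "ubuntu-18.04.5-desktop-amd64.iso"
    print(check_sha256sums(sha256_hex(iso) + " *" + name + "\n", {name: iso}))
```

The order matters: only when `classify_status` returns `good` does checking the ISO against SHA256SUMS tell you anything, because a BAD signature means the checksum list itself is not known to be the one the key holder published. `no_pubkey` is the other common confusion: it is not a bad signature, just an import step that has not happened yet.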

2 Answers


The signature is bad; you can't do anything about it. It is Canonical's problem, and it looks like they don't care. There was a post on reddit about it, but no reaction.

In the meantime the signature is good here but it only contains server ISOs.

Never use signed software with a bad signature, it could have been tampered with.

Zonmi

Probably what is more important is to know why one can usually get this verification result. A message like `gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012)"` is what one usually gets if the signing secret key was missing at the time the DVD dist "Release" file (like `dvd-image/dists/jammy/main/binary-amd64/Release`) was gpg signed.

Possibly a mistyped parameter with the path to the DVD-signing secret key, given on a command line to a script that was upgrading the DVD image pool and then re-signing the release files.

Note: the provided information is based on my research and personal experience creating my own d-i based installer DVD for Ubuntu jammy.

satyr0909