0

How Do I Verify Ubuntu 22.04 ISO Download

I'm having issues installing Ubuntu 22.04 iso on an old PC. So I'm checking all the steps. step 1 was to verify the iso file and I followed the steps suggested at https://ubuntu.com/tutorials/how-to-verify-ubuntu#1-overview The latter steps didn't seem to work. ie the command "gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS" produced the result: gpg: can't open signed data 'SHA256SUMS' gpg: can't hash datafile: No such file or directory

and also the command "sha256sum -c SHA256SUMS 2>&1 | grep OK" got no result. I interpreted this as a bad checksum so I downloaded the iso file again and followed the same procedure. But got the same result.

Think I'll just have to try the install again.

trevorb
  • 1

1 Answers1

1

Following through the instructions that you are following, at Step 3 or page https://ubuntu.com/tutorials/how-to-verify-ubuntu#3-download-checksums-and-signatures you will see

However, if you didn’t, not to worry - the checksums and the signature are consistent for the image, so even if you downloaded your ISO file from a different source, as long as it is fresh and hasn’t been updated in the interim, you can fetch these files from the http://releases.ubuntu.com page for the relevant release.

From there you can download the SHA256SUMS and SHA256SUMS.gpg files. I have also conveniently added them here for you:

wget http://releases.ubuntu.com/jammy/SHA256SUMS
wget http://releases.ubuntu.com/jammy/SHA256SUMS.gpg

Now when you run the command of gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS you will probably get something like the following with the missing key:

$ gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 10 Aug 2023 12:33:07 PM MDT
gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Can't check signature: No public key

To import your key it is the command from gpg but remember to add 0x to the beginning of the key since it is in hexadecimal format.

gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x843938DF228D22F7B3742BC0D94AA3F0EFE21092

Now your key check should pass:

gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 10 Aug 2023 12:33:07 PM MDT
gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" [unknown]

Now when you run the sha256sum command it should verify if your downloaded ISO is OK or not:

$ sha256sum -c SHA256SUMS 2>&1 | grep OK
ubuntu-22.04.3-desktop-amd64.iso: OK
Terrance
  • 43,712