Bad signature for Ubuntu 10.04

NoOp glgxg at sbcglobal.net
Wed May 19 18:24:18 UTC 2010 

On 05/19/2010 10:35 AM, yukku yukkoooooo wrote:
> Hi NoOp, I guess I missed the links. Thanks for pointing out. But the
> links in the report are only for dvd isos, but I am facing this issue
> with the LiveCD version as well. The bug report 
> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/574184 says only
> DVD ones are not good. But I think the LiveCD signature for
> ubuntu-10.04-desktop-i386.iso binary also has this problem in
> SHA1SUMS.gpg
> 
> I double checked the verification procedure I tried out for 10.04 on
> 9.10 version and I got good signatures. Kind of indicates that I did
> not do any mistake in followuing the page.

Ignoring your previous (incorrect) rant about sha256sums not being
available:

$ sha256sum ubuntu-10.04-desktop-i386.iso
d94cf3c884dc7b8960992acec61fcfa6b4a0566cc02ad19895aefc1971f201bf
ubuntu-10.04-desktop-i386.iso

http://releases.ubuntu.com/lucid/SHA256SUMS
d94cf3c884dc7b8960992acec61fcfa6b4a0566cc02ad19895aefc1971f201bf
*ubuntu-10.04-desktop-i386.iso

$ sha1sum ubuntu-10.04-desktop-i386.iso
d43587393603bd6fe111514579d8c821a27deb09  ubuntu-10.04-desktop-i386.iso

http://releases.ubuntu.com/lucid/SHA1SUMS
d43587393603bd6fe111514579d8c821a27deb09 *ubuntu-10.04-desktop-i386.iso

$ gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Sat 01 May 2010 12:59:44 PM PDT using DSA key ID
FBB75451
gpg: Can't check signature: public key not found

OK, let's add the key & try again:
$ gpg --keyserver keyserver.ubuntu.com --recv-keys FBB75451
gpg: requesting key FBB75451 from hkp server keyserver.ubuntu.com
gpg: key FBB75451: public key "Ubuntu CD Image Automatic Signing Key
<cdimage at ubuntu.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
gpg --fingerprint FBB75451
pub   1024D/FBB75451 2004-12-30
      Key fingerprint = C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451
uid                  Ubuntu CD Image Automatic Signing Key
<cdimage at ubuntu.com>

gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Sat 01 May 2010 12:59:44 PM PDT using DSA key ID
FBB75451
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key
<cdimage at ubuntu.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
owner.
Primary key fingerprint: C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451

$ gpg --verify SHA1SUMS.gpg SHA1SUMS
gpg: Signature made Sat 01 May 2010 12:59:41 PM PDT using DSA key ID
FBB75451
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key
<cdimage at ubuntu.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
owner.
Primary key fingerprint: C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451


If you reply, *please* keep it in *this* thread so folks (me) don't have
to go chasing your individual threads all over the list.

More information about the ubuntu-users mailing list