Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

BAD signature for ubuntu iso download


  • Please log in to reply
2 replies to this topic

#1 Achaemenid

Achaemenid

  • Members
  • 434 posts
  • OFFLINE
  •  
  • Local time:06:59 PM

Posted 29 November 2017 - 01:08 PM

The checksums match but I am getting "bad signature" when tryint to verify the gpg

 

The version of ubuntu is 16.04.3, the latest stable version and the one with longest support duration. Version 17 has less support.

 

I had a little problem getting the txt file names so the terminal could open them at first.

 

here is the printout from the terminal:

 

1384ac8f2c2a6479ba2a9cbe90a585618834560c477a699a4a7ebe7b5345ddc1 *ubuntu-16.04.3-desktop-amd64.iso

from terminal check
1384ac8f2c2a6479ba2a9cbe90a585618834560c477a699a4a7ebe7b5345ddc1

sha256sums match

1384ac8f2c2a6479ba2a9cbe90a585618834560c477a699a4a7ebe7b5345ddc1 *ubuntu-16.04.3-desktop-amd64.iso


serapis@osireiron ~/Desktop/UBUNTU $ gpg --recv-key A25BAE09
gpg: requesting key A25BAE09 from hkp server keys.gnupg.net
gpg: key A25BAE09: "Linux Mint ISO Signing Key <root@linuxmint.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
serapis@osireiron ~/Desktop/UBUNTU $ gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: can't open `SHA256SUMS.gpg'
gpg: verify signatures failed: file open error
serapis@osireiron ~/Desktop/UBUNTU $ /home/serapis/Desktop/UBUNTU/SHA256SUMS.txt.gpg
bash: /home/serapis/Desktop/UBUNTU/SHA256SUMS.txt.gpg: Permission denied
serapis@osireiron ~/Desktop/UBUNTU $ sudo gpg --verify gpg --recv-key A25BAE09
[sudo] password for serapis:
gpg: WARNING: unsafe ownership on configuration file `/home/serapis/.gnupg/gpg.conf'
gpg: can't open `gpg'
gpg: verify signatures failed: file open error
serapis@osireiron ~/Desktop/UBUNTU $ gpg --verify SHA256SUM.txt.gpg SHA256SUM.txt
gpg: Signature made Thu 03 Aug 2017 08:56:51 PM +07 using DSA key ID FBB75451
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>"
gpg: Signature made Thu 03 Aug 2017 08:56:51 PM +07 using RSA key ID EFE21092
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>"

serapis@osireiron ~/Desktop/UBUNTU $ gpg --recv-key FBB75451
gpg: requesting key FBB75451 from hkp server keys.gnupg.net
gpg: key FBB75451: "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
serapis@osireiron ~/Desktop/UBUNTU $ gpg --recv-key EFE21092
gpg: requesting key EFE21092 from hkp server keys.gnupg.net
gpg: key EFE21092: "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
serapis@osireiron ~/Desktop/UBUNTU $

 

I would appreciate knowing why the ubuntu download is getting a bad signature if the checksums match and whether this is important.

 

There appear to be two keys!!

 

Should I download a previous version?

 

Or go ahead and install this?

 

Any help appreciated.

 

EDIT:

 

We can get "Bad Signature" if the iso file changed while I had it. Which could suggest someone hacked into my machine through the internet after I downloaded it and changed it, like putting in a backdoor.

 

I got that from this video:


 


Edited by Achaemenid, 29 November 2017 - 01:57 PM.


BC AdBot (Login to Remove)

 


#2 pcpunk

pcpunk

  • Members
  • 6,259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:59 AM

Posted 01 December 2017 - 12:13 PM

I don't use gpg, only sha256sums at this time.


sBCcBvM.png

Created by Mike_Walsh

 

KDE, Ruler of all Distro's

eps2.4_m4ster-s1ave.aes_pcpunk_leavemehere

 


#3 Achaemenid

Achaemenid
  • Topic Starter

  • Members
  • 434 posts
  • OFFLINE
  •  
  • Local time:06:59 PM

Posted 08 December 2017 - 09:42 AM

I had to go ahead and install this version anyway because I needed to replace my HDD, and I did not have another version burned nor did I want to reinstall my old Linux Mint 17.2 disk.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users