If you want to know more about signing keys and trust, you can check out the Ubuntu community GPG wiki page.
The warning message is simply there to let you know that you have not countersigned the key and it isn’t in your list of trusted sources. Primary key fingerprint: 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092Ī Good signature means that the checked file was definitely signed by the owner of the keyfile stated (if they didn’t match, the signature would be reported as BAD). Gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) "
Gpg: Signature made Fri 25 Mar 04:36:20 2016 GMT Gpg: There is no indication that the signature belongs to the owner. Gpg: WARNING: This key is not certified with a trusted signature! Gpg: Good signature from "Ubuntu CD Image Automatic Signing Key " This time the command should return something like this: gpg: Signature made Fri 25 Mar 04:36:20 2016 GMT gpg -keyid-format long -verify SHA256SUMS.gpg SHA256SUMS Now you can verify the checksum file using the signature. Uid Ubuntu CD Image Automatic Signing Key (2012) Uid Ubuntu CD Image Automatic Signing Key …which should produce the following output: pub dsa1024/46181433FBB75451 You can now inspect the key fingerprints by running: gpg -keyid-format long -list-keys -with-fingerprint 0x46181433FBB75451 0xD94AA3F0EFE21092 Gpg: key D94AA3F0EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) " imported Gpg: key 46181433FBB75451: public key "Ubuntu CD Image Automatic Signing Key " imported Gpg: /root/.gnupg/trustdb.gpg: trustdb created Gpg: requesting key D94AA3F0EFE21092 from hkp server You should see a message like this: gpg: requesting key 46181433FBB75451 from hkp server This command should retrieve the keys we want and add them to your keyring. Note that the ID numbers are hexadecimal, so we prefix them with 0x: gpg -keyid-format long -keyserver hkp:// -recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092 Knowing these ID numbers (46181433FBB75451 and D94AA3F0EFE21092 in the example), means we can request them from the Ubuntu key server. This is actually a really useful message, as it tells us which key or keys were used to generate the signature file. Gpg: Signature made Thu Apr 5 22:19:36 2018 EDT Gpg: Can't check signature: No public key If there is no public key for Ubuntu already present, you will get an error message similar to the following: gpg: Signature made Thu Apr 5 22:19:36 2018 EDT We use GnuPG’s “long” (64-bit) key IDs throughout this tutorial, since “short” (32-bit) key IDs are insecure. The easiest way to find out if you need the key is to run the authentication command: gpg -keyid-format long -verify SHA256SUMS.gpg SHA256SUMS Retrieve the correct signature keyĭepending on your platform, you may or may not need to download the public key used to authenticate the checksum file (Ubuntu and most variants come with the relevant keys pre-installed). Now we have the tools we need, we can move on to finding and downloading the files we need
md5sum -versionīoth these commands should output some version information. If this is the first time you have run gpg, this will create a trust database for the current user. You can check the commands work as expected by running the following: gpg -list-keys
All versions - check the commands are working! If you don’t have them, check with your package manager and search for the executable names given above. Your mileage may vary, but these are standard tools included and enabled by default in most systems.
UBUNTU DOWNLOAD ISO INSTALL
The sha256sum program and other useful utilities are provided by coreutils: brew install coreutils You can install the latest GnuPG using Homebrew: brew install gnupg
UBUNTU DOWNLOAD ISO WINDOWS 10
If you are using bash on Windows 10 (why on earth not? See this tutorial), these tools are part of the default install. These are part of the coreutils and gnupg packages, which are installed by default. The key executables you will require are sha256sum, md5sum and gpg.