1

where can I find PGP signatures and signing keys for Ubuntu? I want to verify the download, but the only thing I can find are the MD5 hashes (https://help.ubuntu.com/community/UbuntuHashes).

I can't imagine that Ubuntu doesn't offer a way to check the integrity of an ISO image.

dessert
  • 39,982
user295031
  • 53
  • 1
  • 5

2 Answers2

1

There are MD5, SHA and SHA256 SUMS, gpg files, and ISO images here http://releases.ubuntu.com/14.04/

exore
  • 997
  • 6
  • 10
  • Thanks. Am I supposed to use the .pgp file to verify the ISO or the Checksum data? Not sure right now. How exactly do I use the MD5SUMS.gpg/SHA1.gpg to verify the image/Checksums? I tried to create a text file and save it as a .sig, but when I verify it using GPG4Win it says "Invalid signature".

    Also, where do I find the signing key?

     – user295031 Jun 19 '14 at 17:39
  • See the link I gave you , this is a duplicate question. – Panther Jun 19 '14 at 17:47
  • I don't think this is a solution for me as I am using GPG4Win on Windows 7. – user295031 Jun 19 '14 at 17:49
  • Hum, it seems you have to learn how to use your software... Once done get the key id out of the .gpg file (should be FBB75451), then get this key from keyserver.ubuntu.com, check the SHA256SUM file you have is unaltered with your gpg software, then use that sum to check the iso. – exore Jun 19 '14 at 18:05
  • First time I'm having major problems using GPG4Win. Verifying e.g. Tails wasn't a problem at all, because they offered a PGP signature and the signing key on their website.

    Could you explain, what exactly is inside this specific PGP encrypted signature and what signatures contain in general? Do they contain encrypted hashes that - together with the signing key - are used to check if the encrypted signature's and the ISO's hashes match? This would at least make sense to me.

     – user295031 Jun 19 '14 at 21:04
  • I don't even know how to get the key ID out of the GPG file because I don't know how to encrypt it (only get an error message).

    Please don't get me wrong: I'm just having problems checking the signature against the hashes text file. If you could tell me, how to accomplish this, step by step, I would be really glad.

     – user295031 Jun 19 '14 at 21:10
0

I finally solved what was causing these problems:

After I figured out I had to save the SHA256SUMS as a file/text file and the .GPG as a .GPG/.SIG file, GPG4Win gave out an error message when trying to verify the GPG signature, saying that the signature was invalid. This problem is caused by missing line breaks when copying the SHA256SUMS into the editor and save it as a text file (only visible when the editor window is maximized). When I save the SHA256SUMS web site (http://releases.ubuntu.com/trusty/SHA256SUMS) as a file/text file, the line breaks stay in the correct format. When verifying the text file and the signature, I finally get the green message saying that the signature is valid.

Thank you for your help.

user295031
  • 53
  • 1
  • 5