As per: http://www.ubuntu.com/download/how-to-verify

Downloaded SHA256SUMS and SHA256SUMS.gpg
Got public keys from Ubuntu keyserver and added to keyring
Verified key fingerprints
But when tried to verify signature got the following:

$ gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 21 Apr 2016 11:40:38 BST using DSA key ID FBB75451
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>"
gpg: Signature made Thu 21 Apr 2016 11:40:38 BST using RSA key ID EFE21092
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>"

Any ideas, please?

I would think everything is working as it should and you have a dodgy ISO. It is telling you 'BAD signature', not 'Good signature'.

From the link you posted:


If you get no results (or any result other than that shown above) you will need to check your download again.

In other words, if you don't get 'Good signature', you have an issue with the ISO.

It works for me. You should run the gpg --verify command in the directory, where you have the two files, that you are checking. If still problems, you should download the files again, maybe there was an error. If you copied and pasted them, there might be a difference at the end of the file. It worked for me, when I downloaded 'automatically' instead of 'copy and paste'.


$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys "8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092" "C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451"
gpg: begär nyckeln EFE21092 från hkp-servern keyserver.ubuntu.com
gpg: begär nyckeln FBB75451 från hkp-servern keyserver.ubuntu.com
gpg: nyckel EFE21092: publika nyckeln "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" importerades
gpg: nyckel FBB75451: publika nyckeln "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>" importerades
gpg: 3 marginal(er) behövs, 1 fullständig(a) behövs, tillitsmodell PGP
gpg: djup: 0 giltig: 3 signerad: 3 tillit: 0-, 0q, 0n, 0m, 0f, 3u
gpg: djup: 1 giltig: 3 signerad: 0 tillit: 0-, 0q, 0n, 0m, 3f, 0u
gpg: Totalt antal behandlade enheter: 2
gpg: importerade: 2 (RSA: 1)
$ gpg --list-keys --with-fingerprint 0xFBB75451 0xEFE21092pub 4096R/EFE21092 2012-05-11
Nyckelns fingeravtryck = 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>

pub 1024D/FBB75451 2004-12-30
Nyckelns fingeravtryck = C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451
uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>

$ gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signatur gjordes tor 21 apr 2016 12:40:38 CEST med DSA nyckel-id FBB75451
gpg: Korrekt signatur från "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>"
gpg: VARNING: Denna nyckel är inte certifierad med en pålitlig signatur!
gpg: Det finns inget som indikerar att signaturen tillhör ägaren.
Primära nyckelns fingeravtryck: C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451
gpg: Signatur gjordes tor 21 apr 2016 12:40:38 CEST med RSA nyckel-id EFE21092
gpg: Korrekt signatur från "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>"
gpg: VARNING: Denna nyckel är inte certifierad med en pålitlig signatur!
gpg: Det finns inget som indikerar att signaturen tillhör ägaren.
Primära nyckelns fingeravtryck: 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092

'Korrekt signatur' means 'Good signature'

Thanks but I've not got as far as checking the ISO yet - just verifying the signature

Thanks sudodus - you solved the problem.
Used wget to download files rather than cut and paste and they verified OK

Great news. Could you please mark the thread as solved using Thread Tools at the top right of this page or check the link in my signature at the bottom of the post.

Good luck and post a new thread if you have any questions about the install or hit a brickwall during it. ](*,)