Bad GPG signature of http://releases.ubuntu.com/bionic/SHA256SUMS

Bug #1891879 reported by Marius Gedminas
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Ubuntu CD Images | Fix Released | Undecided | Unassigned |

Bug Description

http://releases.ubuntu.com/bionic/ currently has a SHA256SUMS.gpg with a timestamp older than SHA256SUMS itself (2020-08-13 15:02 vs 2020-08-13 15:39), and the signature itself doesn't match:

$ wget http://releases.ubuntu.com/bionic/SHA256SUMS{,.gpg}
$ gpgv --keyring=/usr/share/keyrings/ubuntu-archive-removed-keys.gpg --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg SHA256SUMS.gpg SHA256SUMS
gpgv: Signature made Thu Aug 13 18:02:20 2020 EEST
gpgv: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpgv: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) <email address hidden>"

Should I be worried about the integrity of the ubuntu-18.04.5-live-server-amd64.iso image I've just downloaded?

Iain Lane (laney) wrote :

Thanks. I don't know how that came to be wrong (AFAICT it was asserting the contents of a previous version of SHA256SUMS), but I re-generated it now and it's good.

Changed in ubuntu-cdimage:
status: New → Fix Released
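
Added example, not part of the original report or of Ubuntu's own tooling: a fail-closed check that trusts SHA256SUMS only after gpgv accepts its signature, so a BAD signature like the one reported above stops verification even when the image hash matches the list. The keyring paths are the ones from the report; the function names and exit codes are assumptions of this example.

```sh
#!/bin/sh
# Added example: verify an image against SHA256SUMS only if the signature is valid.
# Keyring paths are taken from the report; function names and exit codes are hypothetical.
KEYRINGS="--keyring=/usr/share/keyrings/ubuntu-archive-removed-keys.gpg \
--keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg"

# verify_sums SUMS SIG: return 0 only when gpgv reports a valid signature.
verify_sums() {
    sums=$1 sig=$2
    # --status-fd 1 prints machine-readable lines such as
    # "[GNUPG:] VALIDSIG <fingerprint> ..." or "[GNUPG:] BADSIG <keyid> <uid>".
    out=$(gpgv --status-fd 1 $KEYRINGS "$sig" "$sums" 2>/dev/null) && rc=0 || rc=$?
    case "$out" in
        *"[GNUPG:] BADSIG"*) echo "BAD signature on $sums" >&2; return 2 ;;
    esac
    [ "$rc" -eq 0 ] || { echo "signature not verified (gpgv exit $rc)" >&2; return 3; }
    # Require an explicit VALIDSIG line, not just a zero exit status.
    printf '%s\n' "$out" | grep -q '^\[GNUPG:\] VALIDSIG ' || return 3
}

# check_image ISO SUMS SIG: 0 = image matches a correctly signed SHA256SUMS.
check_image() {
    iso=$1 sums=$2 sig=$3
    # Stop here on a bad signature: an unsigned hash list proves nothing.
    verify_sums "$sums" "$sig" || return $?
    name=$(basename "$iso")
    # Lines look like "<hex> *<name>" (binary mode) or "<hex>  <name>".
    want=$(awk -v n="$name" '{f=$2; sub(/^\*/,"",f); if (f==n) {print $1; exit}}' "$sums")
    [ -n "$want" ] || { echo "$name not listed in $sums" >&2; return 4; }
    have=$(sha256sum "$iso" | awk '{print $1}')
    [ "$want" = "$have" ] || { echo "hash mismatch for $name" >&2; return 5; }
    echo "OK: $name matches signed $sums"
}
```

Usage: check_image ubuntu-18.04.5-live-server-amd64.iso SHA256SUMS SHA256SUMS.gpg, then inspect the exit status.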