Verify ISO files

1. Verify the checksum file using the signature

The ISO, the checksum file and the signature file must be in the same directory.

gpg --keyid-format long --verify SHA256SUMS.sign

2. If you don’t have the public key

The error message tells us which key was used to generate the signature file. Knowing the key ID, we can request the key from a key server with a command similar to those below.

gpg --keyid-format long --keyserver keyring.debian.org --recv 0xKeyID
gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys 0xKeyID
gpg --keyserver hkps://keys.gentoo.org --recv-keys 0xKeyID

3. A successful verification prints a message similar to the one below

gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

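4. Inspect the fingerprint

"Good signature" only shows that the file was signed by that key; the warning means nothing in your keyring vouches for the key itself. Compare the fingerprint printed by the command below with the one the distribution publishes.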

gpg --keyid-format long --list-keys --with-fingerprint 0xKeyID

5. Check the ISO

sha256sum --check SHA256SUMS 2>&1 | grep OK

If it returns OK then you’re good!

6. Another method

echo "5e38b55d57d94ff029719342357325ed3bda38fa80054f9330dc789cd2d43931 *ubuntu-22.04.2-live-server-amd64.iso" | sha256sum --check
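
The steps above combined into shell functions, as an added example that is not part of the original page: the signature check is pinned to a fingerprint you obtained out of band, and the hash check looks only at the named ISO's line in SHA256SUMS, failing when the ISO is not listed exactly once (something `grep OK` cannot distinguish from a match on another file). The function names are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example; function names are assumptions, not from the original page.

# Read `gpg --status-fd 1` output on stdin and print the primary-key
# fingerprint from the VALIDSIG line; fail if no valid signature is reported.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); ok = 1 }
         END { exit !ok }'
}

# usage: verify_sums_signature SIGFILE SUMSFILE EXPECTED_FINGERPRINT
# Succeeds only if the signature is valid AND made by the expected key.
verify_sums_signature() {
    local want got
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | validsig_fpr) || return 1
    [ "$got" = "$want" ]
}

# usage: verify_iso ISOFILE SUMSFILE
# A SHA256SUMS line is 64 hex digits, a space, a mode character (' ' or '*'),
# then the file name, so the name starts at column 67.
verify_iso() {
    local name want got
    name=$(basename "$1")
    want=$(awk -v n="$name" 'substr($0, 67) == n { print substr($0, 1, 64); c++ }
                             END { exit (c != 1) }' "$2") || return 1
    got=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# Typical use, run in the download directory:
#   verify_sums_signature SHA256SUMS.sign SHA256SUMS "<published fingerprint>" &&
#   verify_iso ubuntu-22.04.2-live-server-amd64.iso SHA256SUMS && echo verified
```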
