Unable to verify the SHA256 checksum for Focal (20.04) LTS minimal cloud image

I'm attempting to follow the official How to verify your Ubuntu download tutorial to verify the checksum provided with the 20.04 minimal cloud image from here.

I'm getting an error from the first command:

$ gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: not a detached signature

I don't think the checksum is being verified because of the error and I'm not having any luck finding a solution elsewhere. I have deleted and re-downloaded the files a couple of times, so it's not an issue with that.

Has anyone seen this before? Am I missing something?

1 Answer

For some reason Ubuntu Minimal SHA256SUMS are not signed using the --detach-sign (or -b) command, which would create the expected detached signature. Instead they are signed using the --sign (or -s) command, creating a self-contained signed document.

You can both check the signature and recover the signed document by using the --decrypt command (counterintuitive, I know).

$ gpg --decrypt SHA256SUMS.gpg
c3f4cd7464340015b2977da9fb96028263eb62dbf96b048984034d11791beb4c ubuntu-20.04-minimal-cloudimg-amd64.img
73b2c5abc077b8778ce2e17511b606a2d076dc01047c54add62ee76e8c5df710 ubuntu-20.04-minimal-cloudimg-amd64-lxd.tar.xz
e61af8d1932f683a90a5e6247af92c94a0b45a2e78c6c769320e2b12ffc10f46 ubuntu-20.04-minimal-cloudimg-amd64.manifest
46f64b066e8f3db24fcf72376ff91e8ac0e5c29e4bde61c42a4ebc2ecb1fef55 ubuntu-20.04-minimal-cloudimg-amd64-root.manifest
35a78bf1dd2438e95c0b7d3b0a0206e4c15289459588be42f9a271c5503ee4eb ubuntu-20.04-minimal-cloudimg-amd64-root.tar.xz
ebd14a7963b884df3878e4ab0e6523d132fd332dbdb835d7d03f915d2961135b ubuntu-20.04-minimal-cloudimg-amd64.squashfs
46f64b066e8f3db24fcf72376ff91e8ac0e5c29e4bde61c42a4ebc2ecb1fef55 ubuntu-20.04-minimal-cloudimg-amd64.squashfs.manifest
gpg: Signature made Thu 25 Mar 2021 12:06:00 PM PDT
gpg: using RSA key 7FF3F408476CF100
gpg: Good signature from "Ubuntu Cloud Image Builder (Canonical Internal Cloud Image Builder) <>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4A3C E3CD 565D 7EB5 C810 E2B9 7FF3 F408 476C F100

If you want it to output the signed document, use the --output FILENAME option.
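
The check described in the answer, scripted as an added example that is not part of the original post: it recovers the checksum list from the inline-signed SHA256SUMS.gpg only when gpg reports a valid signature from the pinned key, then compares a downloaded file against that recovered list. The function names are made up for the example, and the pinned fingerprint is the one printed in the answer's output, which should be confirmed through a channel you trust.

```shell
#!/bin/sh
# Added example. The fingerprint is the "Primary key fingerprint" from the gpg
# output above with spaces removed (assumption: confirm it independently).
UBUNTU_CLOUD_FPR="4A3CE3CD565D7EB5C810E2B97FF3F408476CF100"

# recover_signed_sums SIGNED_FILE OUT_FILE [FINGERPRINT]
# Writes the embedded document to OUT_FILE only if gpg reports a valid
# signature made by the pinned key; otherwise writes nothing and fails.
recover_signed_sums() {
    signed=$1 out=$2 fpr=${3:-$UBUNTU_CLOUD_FPR}
    tmp=$(mktemp) || return 1
    status=$(gpg --batch --yes --status-fd 1 --output "$tmp" \
                 --decrypt "$signed" 2>/dev/null) || :
    # VALIDSIG carries the signing key fingerprint ($3) and, as its last
    # field, the primary key fingerprint.
    if printf '%s\n' "$status" | awk -v f="$fpr" \
        '$2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 } END { exit !ok }'
    then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# expected_sum SUMS_FILE NAME: print the hash listed for NAME
# (accepts both "hash name" and "hash *name" lines).
expected_sum() {
    awk -v n="$2" '$2 == n || $2 == ("*" n) { print $1; exit }' "$1"
}

# verify_file SUMS_FILE PATH: succeed only if PATH hashes to the listed value.
verify_file() {
    want=$(expected_sum "$1" "$(basename "$2")")
    [ -n "$want" ] || return 2          # file name not in the signed list
    have=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# Usage: sh verify.sh SHA256SUMS.gpg ubuntu-20.04-minimal-cloudimg-amd64.img
if [ "$#" -eq 2 ]; then
    sums=$(mktemp) && recover_signed_sums "$1" "$sums" \
        && verify_file "$sums" "$2" && echo "OK: $2" \
        || { echo "FAILED: $2" >&2; exit 1; }
fi
```

The hash is compared against the list recovered from SHA256SUMS.gpg, not against the separately downloaded SHA256SUMS file, because only the former is covered by the signature.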
