About 16 hours ago I downloaded the Ubuntu 18.04.5 image from releases.ubuntu.com alongside its checksum file and GnuPG signature. Verifying the checksum file using the signature results in a BAD signature warning. Why is that happening and should I be worried?
What exactly does a BAD signature mean? What is the next logical step?
gpg: Signature made Thu 13 Aug 2020 08:02:20 PM +05
gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) <>" [unknown]

1 Answer
The signature is bad, you can't do anything about it. It is Canonical's problem and looks like no one gives a heck. There was a post on Reddit about it, no reaction.
In the meantime, the signature is good here, but it only contains server ISOs.
Your next logical step is never using signed software with a bad signature. It could be tampered with.
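As an added example (not part of the original question or answer): gpg reports "BAD signature" when it has the signing key but the signature does not match the bytes of the file being checked, which is a different outcome from a missing key. The sketch below separates those cases using gpg's machine-readable `--status-fd` output and only moves on to the checksum when the signature is good and made by the fingerprint shown in the question. The function names, the file layout and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The fingerprint is the one gpg
# printed in the question; compare it with a copy obtained out of band.
EXPECTED_FPR=843938DF228D22F7B3742BC0D94AA3F0EFE21092

# Read gpg --status-fd lines on stdin and print a single verdict word.
classify_status() {
    verdict=unknown
    while read -r tag kind arg rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kind" in
            BADSIG)    verdict=bad; break ;;     # key known, data does not match
            ERRSIG)    verdict=cannot-check ;;   # signature could not be checked
            NO_PUBKEY) verdict=missing-key ;;    # signing key not in the keyring
            VALIDSIG)                            # good signature: pin the key
                if [ "$arg" = "$EXPECTED_FPR" ]; then verdict=good
                else verdict=wrong-key; fi ;;
        esac
    done
    echo "$verdict"
}

# Hypothetical wrapper: verify_release SHA256SUMS SHA256SUMS.gpg image.iso
# Assumes all three files are in the current directory.
verify_release() {
    sums=$1; sig=$2; iso=$3
    result=$(gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null | classify_status)
    if [ "$result" != good ]; then
        echo "signature verdict: $result; not trusting $sums" >&2
        return 1
    fi
    # Only a checksum file with a good signature is used to check the image.
    grep -F -- "$iso" "$sums" | sha256sum -c -
}

# Constructed status lines modelled on a bad and a good verification.
BAD_SAMPLE='[GNUPG:] NEWSIG
[GNUPG:] BADSIG D94AA3F0EFE21092 Ubuntu CD Image Automatic Signing Key (2012)'
GOOD_SAMPLE='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D94AA3F0EFE21092 Ubuntu CD Image Automatic Signing Key (2012)
[GNUPG:] VALIDSIG 843938DF228D22F7B3742BC0D94AA3F0EFE21092 2020-08-13 1597330940 0 4 0 1 10 00 843938DF228D22F7B3742BC0D94AA3F0EFE21092'
```

A `bad` verdict on a freshly downloaded checksum file is usually worth re-checking by downloading the checksum file and its signature again together, since the two are regenerated as a pair.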