Download verification keeps coming back as bad

Ubuntu Support Template

Ubuntu Version:
24.04.3

Problem Description:
Hello,

Every time I try to verify my download, it comes back as bad. I’m doing my best to follow the guide, but I just can’t get it to work. I tried it first on Windows 10, and these last few attempts have been on a fresh Ubuntu install of 24.04.3.

This is the checksum I’ve been using:

faabcf33ae53976d2b8207a001ff32f4e5daae013505ac7188c9ea63988f8328

Example:

g@Junebug:~$ gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: can't open 'SHA256SUMS.gpg': No such file or directory
gpg: verify signatures failed: No such file or directory
g@Junebug:~$ cd Downloads
g@Junebug:~/Downloads$ gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 07 Aug 2025 03:34:34 AM PDT
gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" [unknown]
g@Junebug:~/Downloads$ gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: key D94AA3F0EFE21092: "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
g@Junebug:~/Downloads$ gpg --keyid-format long --list-keys --with-fingerprint 843938DF228D22F7B3742BC0D94AA3F0EFE21092
pub   rsa4096/D94AA3F0EFE21092 2012-05-11 [SC]
      Key fingerprint = 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid                 [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>

g@Junebug:~/Downloads$ gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 07 Aug 2025 03:34:34 AM PDT
gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" [unknown]
g@Junebug:~/Downloads$

Where did you download the SHA256SUMS and SHA256SUMS.gpg from? I just now downloaded them from releases.ubuntu.com and got

❯ LANG=C gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Do 07 Aug 2025 12:34:34 CEST
gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092

So either one or both of your files is not what it should be.

The easiest way to get a correct ISO is to download through BitTorrent. Torrents are checksummed on multiple levels (per block, per part, per file). It’s astronomically unlikely for a file to be wrong and get through all the checksumming that’s part of a torrent.

2 Likes

Everything I’ve downloaded, including SHA256SUMS, SHA256SUMS.gpg, and the iso, has come from:

https://releases.ubuntu.com/noble/

My guess is that I’m saving SHA256SUMS wrong. When I click the link for the SHA256SUMS file, this is what I see:

d7fe3d6a0419667d2f8eff12796996328daa2d4f90cd9f87aa9371b362f987bf *ubuntu-24.04.2-desktop-amd64.iso
d6dab0c3a657988501b4bd76f1297c053df710e06e0c3aece60dead24f270b4d *ubuntu-24.04.2-live-server-amd64.iso
5d1eea52103166f1c460dc012ed325c6eb31d2ce16ef6a00ffdfda8e99e12f43 *ubuntu-24.04.2-wsl-amd64.wsl
faabcf33ae53976d2b8207a001ff32f4e5daae013505ac7188c9ea63988f8328 *ubuntu-24.04.3-desktop-amd64.iso
c3514bf0056180d09376462a7a1b4f213c1d6e8ea67fae5c25099c6fd3d8274b *ubuntu-24.04.3-live-server-amd64.iso
c74833a55e525b1e99e1541509c566bb3e32bdb53bf27ea3347174364a57f47c *ubuntu-24.04.3-wsl-amd64.wsl

I downloaded the 24.04.3 iso, and so what I did was copy

faabcf33ae53976d2b8207a001ff32f4e5daae013505ac7188c9ea63988f8328

into a text file and save it as SHA256SUMS.txt. Is that what I’m supposed to do?

Thanks for your help

I simply right-click the SHA256SUMS file on the page and then select ‘Save as’. That’s necessary because it’s a simple text file and browsers default to showing those – and that’s not quite what you want. That file contains all the checksums for all the ISO files along with the names. When you run sha256sum -c SHA256SUMS it reads the names and sums from the file and tries to verify all of them. You’d get several errors along the lines of ‘file not found’ and for the ones you actually downloaded you either get an OK or a different error.
There’s a page here that gives step-by-step instructions.
The fourth step (the whole get the key and run gpg thing) checks the SHA256SUMS file against a cryptographic signature in the file SHA256SUMS.gpg to make sure you actually have the right file with the right checksums – which you don’t …

2 Likes
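
The failure discussed in this thread, reproduced offline as an added example that is not part of any post: a detached signature covers the exact bytes of SHA256SUMS, so a file holding one pasted hash cannot verify, while `sha256sum -c --ignore-missing` checks only the images actually present. It assumes GNU coreutils; the file names and contents are constructed stand-ins and no gpg key is involved.

```shell
#!/usr/bin/env bash
# Constructed demo: every file is created in a temp dir; no real ISO is used.

# Stand-in release directory: two fake images plus the SHA256SUMS the
# publisher would sign (binary-mode lines: "<hash> *<name>").
make_release() {
    local dir=$1
    printf 'constructed desktop image\n' > "$dir/demo-desktop.iso"
    printf 'constructed server image\n'  > "$dir/demo-server.iso"
    ( cd "$dir" && sha256sum -b demo-desktop.iso demo-server.iso > SHA256SUMS )
}

# Verify only the images present in the directory, as after downloading a
# single ISO. Exit status 0 means every present file matched its checksum.
check_downloaded() {
    ( cd "$1" && sha256sum -c --ignore-missing SHA256SUMS >/dev/null 2>&1 )
}

# gpg --verify checks the signature against the exact bytes of the file.
# Return 0 only if the local copy is byte-identical to the published one.
same_bytes() { cmp -s "$1" "$2"; }

demo() {
    local rel dl
    rel=$(mktemp -d); dl=$(mktemp -d)
    make_release "$rel"

    # "Save as": byte-for-byte copy of the published file plus one image.
    cp "$rel/SHA256SUMS" "$rel/demo-desktop.iso" "$dl/"
    same_bytes "$rel/SHA256SUMS" "$dl/SHA256SUMS" && echo "saved copy: identical to signed file"
    check_downloaded "$dl" && echo "saved copy: downloaded image OK"

    # Hand-copied: only one hash pasted into a text file.
    cut -d' ' -f1 "$rel/SHA256SUMS" | head -n1 > "$dl/SHA256SUMS.txt"
    same_bytes "$rel/SHA256SUMS" "$dl/SHA256SUMS.txt" \
        || echo "pasted copy: differs from signed file, signature check must fail"

    # A modified image is still caught by the checksum step.
    printf 'extra bytes\n' >> "$dl/demo-desktop.iso"
    check_downloaded "$dl" || echo "modified image: checksum mismatch"
    rm -rf "$rel" "$dl"
}

demo
```
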

Thanks, that fixed it. That page you have linked is what I’ve been using. All I had to do was use “Save as” like you said and then save it without the .gpg file extension so it doesn’t overwrite the other file. Came back good this time.

Thanks again.

1 Like

@robbygee Welcome to Ubuntu Discourse 🙂

Glad to hear the issue is resolved now.

Please mark the relevant post as the solution.

This achieves two things:

  • acknowledges the user who helped you
  • alerts the community that there is a working solution if they face the same or similar problem

Thanks
