GPG signature incorrect for Vivid's SHA1SUMS

Aliz 'Randomdude' randomdude at gmail.com
Mon Aug 17 21:23:03 UTC 2015


Hi list.

I'm unable to validate the gpg signature located at
http://releases.ubuntu.com/vivid/SHA1SUMS.gpg correctly, though I can
validate SHA256SUMS and MD5SUMS files.

user at box:~$ gpg --verify SHA1SUMS.gpg SHA1SUMS
gpg: Signature made Mon 03 Aug 2015 05:52:38 PM BST using DSA key ID FBB75451
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key
<cdimage at ubuntu.com>"

Other files verify correctly.

user at box:~$ gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Mon 03 Aug 2015 05:52:04 PM BST using DSA key ID FBB75451
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key
<cdimage at ubuntu.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451
user at box:~$ gpg --verify MD5SUMS.gpg MD5SUMS
gpg: Signature made Mon 03 Aug 2015 05:52:04 PM BST using DSA key ID FBB75451
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key
<cdimage at ubuntu.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451

The hashes themselves seem to be correct:

user at box:~$ cat SHA1SUMS | sha1sum -c
ubuntu-15.04-desktop-amd64.iso: OK
[ other output omitted ]

Am I doing something dumb here? I almost didn't send this email - I'm
going to look so stupid if I've got a misconfiguration somewhere! I've
tried this on different boxes, from different internet connections,
and even gotten my internet friends to try it -

Hashes of the files themselves:

user at box:~$ sha256sum *
5e697c5f2f72c6262dfa6b9aa7d029026fd9b1163ab795ad84a01e17b19ee221  MD5SUMS
6e8496eaa18930b5123f3bdb92bc59c9a9dfcba54eec5c248649cbc443885d54  MD5SUMS.gpg
2eb2cb49df34c79975974172f6c4db8ff2df62108e751ba72fa7206403a37516  SHA1SUMS
1f6396906f928ee26a4a6f698c3cb6ee7791fabe541b0e79c54e638da3c79183  SHA1SUMS.gpg
14dd3d068a5e7db6d4bed18017d936655f7e0ea9f7c7862835cbd699e85feac4  SHA256SUMS
ee3505e09b73bff08389846efedc86f3c06be860220a6569825c33e3544e8d57  SHA256SUMS.gpg

Relevant file sizes:
user at box:~$ ls -l SHA1SUMS SHA1SUMS.gpg
-rw-rw-r-- 1 user user 612 Aug  3 17:52 SHA1SUMS
-rw-rw-r-- 1 user user 198 Aug  3 17:52 SHA1SUMS.gpg

The signature I'm unable to verify:
user at box:~$ cat SHA1SUMS.gpg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEABECAAYFAlW/nFYACgkQRhgUM/u3VFE76gCfXUS9L+mJyRkhdGNNyQWi4A8J
naEAnjS722DJQuhpNvVIFr1DifrRFkfU
=AnSp
-----END PGP SIGNATURE-----
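
Added example, not part of the original message or of any Ubuntu tooling: a passing `sha1sum -c` only shows the ISOs match the list, so this sketch gates the checksum run on gpg's machine-readable status output, pinned to the fingerprint printed in the post. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Primary-key fingerprint copied from the gpg output in the post, spaces removed.
PINNED_FPR="C5986B4F1257FFA86632CBA746181433FBB75451"

# sig_verdict (hypothetical helper): reads `gpg --status-fd 1 --verify` output
# on stdin. Prints "trusted" only when a VALIDSIG line names the pinned key and
# no BADSIG/ERRSIG line is present; prints "rejected" otherwise.
sig_verdict() {
    awk -v pin="$PINNED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing-key fingerprint; when present, the
        # last field is the primary-key fingerprint.
        $2 == "VALIDSIG" && ($3 == pin || $NF == pin) { ok = 1 }
        END { if (ok && !bad) print "trusted"; else print "rejected" }
    '
}

# verify_sums (hypothetical helper): usage `verify_sums SHA1SUMS sha1sum`.
# Runs the checksum tool only after the detached signature is accepted.
verify_sums() {
    verdict=$(gpg --status-fd 1 --verify "$1.gpg" "$1" 2>/dev/null | sig_verdict)
    [ "$verdict" = trusted ] || { echo "$1: signature $verdict" >&2; return 1; }
    "$2" -c "$1"
}

# Constructed status lines modelled on the outcomes shown in the post.
sample_good() {
    printf '%s\n' \
      '[GNUPG:] GOODSIG 46181433FBB75451 Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>' \
      '[GNUPG:] VALIDSIG C5986B4F1257FFA86632CBA746181433FBB75451 2015-08-03 1438620724 0 4 0 17 2 00 C5986B4F1257FFA86632CBA746181433FBB75451'
}
sample_bad() {
    printf '%s\n' \
      '[GNUPG:] BADSIG 46181433FBB75451 Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>'
}
# A cryptographically valid signature from some other key (constructed fingerprint).
sample_other_key() {
    printf '%s\n' \
      '[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Example Key' \
      '[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-08-03 1438620724 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567'
}
```

With this gate, the SHA1SUMS case from the post stops at the signature step and never reaches `sha1sum -c`, while SHA256SUMS proceeds.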


