"Bad signature" message trying to verify sha256sum file

acanard

From the Download | Solus page, I downloaded the SHA256SUMS: File | Signed File | Public Key (all three files) for the XFCE version and imported the public key using gpg --import solus-releng-pub.gpg (on Linux Mint).

When I tried to verify the file, this is the result:

$ gpg --verify Solus-XFCE-Beta-Release-2025-01-26.iso.sha256sum.sign Solus-XFCE-Beta-Release-2025-01-26.iso.sha256sum
gpg: Signature made Fri 24 Jan 2025 07:31:28 PM EST
gpg:                using RSA key F5F6685CAF5559771D9CCB92618EB3600BD32D59
gpg: BAD signature from "Solus (Release & Engineering) <releng@getsol.us>" [unknown]

Thinking that the "BAD signature" message might only apply to the XFCE version, I downloaded and verified the Budgie sha256sum, with the same result:


$ gpg --verify Solus-Budgie-Release-2025-01-26.iso.sha256sum.sign Solus-Budgie-Release-2025-01-26.iso.sha256sum
gpg: Signature made Fri 24 Jan 2025 07:31:20 PM EST
gpg:                using RSA key F5F6685CAF5559771D9CCB92618EB3600BD32D59
gpg: BAD signature from "Solus (Release & Engineering) <releng@getsol.us>" [unknown]

Is there something I need to do differently to verify the sha256sum file?

EbonJaeger

Sorry about that, there was an issue caused by renaming the ISO files; we decided to release a day early. This should be fixed now if you re-download the sha256sum files.

acanard

Thanks! I downloaded the sha256sum files (and the .sign files) again, and they now produce the desired output:

$ gpg --verify Solus-XFCE-Beta-Release-2025-01-26.iso.sha256sum.sign Solus-XFCE-Beta-Release-2025-01-26.iso.sha256sum
gpg: Signature made Sun 26 Jan 2025 09:43:58 PM EST
gpg:                using RSA key F5F6685CAF5559771D9CCB92618EB3600BD32D59
gpg: Good signature from "Solus (Release & Engineering) <releng@getsol.us>" [unknown]

Huzzah! Solved!