CertUtil -hashfile lubuntu-22.04.3-desktop-amd64.iso SHA256
This one works out fine.
But not this one:
gpg: Signature made 10.08.2023 19.42.34 Vest-Europa (sommertid)
gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Can’t check signature: No public key
PS C:\Users\Me\Downloads>
This is done in Windows 10. I’ve already gone through the steps for Linux Mint Mate without problems. So what is the problem here?
I think it should be enough for you to be sure that your ISO file is good, if you get the following SHA256SUM (double-checked via me and discourse.lubuntu.me and not only from the download web address),
In Linux the following method works to use the gpg-file. I am not sure what works in Windows, but I think there is a text mode version of gpg that can be run in a command line window in a similar way.
gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092
Download also the file SHA256SUMS from where you downloaded the ISO file. It should contain the same as the output from the sha256sum command line above.
Run the following command and get an output similar to what I get (but maybe in Norwegian, if you don’t force English),
$ LANG=C gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made tor 10 aug 2023 19:42:34 CEST
gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
Then there is reason to trust that nobody else has written the checksums. The text might be translated to your local language, but it should be clear that it is a ‘Good signature from “Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>”’.
The warning “This key is not certified with a trusted signature! There is no indication that the signature belongs to the owner.” means that there is no chain of trusted keys between your computer’s keyring and the key that was used to sign the checksums.
That warning means that this is the best possible verification, although not 100%. It is difficult to establish a chain of trusted keys between your computer’s keyring and the key; I think it is not feasible for a private person using free software.
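The two checks described in this thread, combined in one place, as an added example that is not code from either poster: it accepts the ISO only if gpg reports a valid signature from the fingerprint shown in the output above and the ISO's SHA256 matches its line in SHA256SUMS. It assumes the machine-readable text produced by `gpg --status-fd 1 --verify SHA256SUMS.gpg SHA256SUMS`; the function names and the sample status lines are constructed for illustration.

```python
import hashlib
import re

# Fingerprint printed by gpg in the thread above.
PINNED_FPR = "843938DF228D22F7B3742BC0D94AA3F0EFE21092"

# Constructed sample of `gpg --status-fd 1 --verify SHA256SUMS.gpg SHA256SUMS` output.
SAMPLE_STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG D94AA3F0EFE21092 Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>\n"
    "[GNUPG:] VALIDSIG " + PINNED_FPR + " 2023-08-10 1691689354 0 4 0 1 10 00 " + PINNED_FPR + "\n"
)
# Constructed sample for the "No public key" case from the question.
SAMPLE_STATUS_NO_KEY = (
    "[GNUPG:] ERRSIG D94AA3F0EFE21092 1 10 00 1691689354 9\n"
    "[GNUPG:] NO_PUBKEY D94AA3F0EFE21092\n"
)

def signer_fingerprint(status_text):
    """Return the signer's primary-key fingerprint from a VALIDSIG line, else None."""
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # Argument 10 is the primary key fingerprint; fall back to the signing key.
            return (fields[11] if len(fields) >= 12 else fields[2]).upper()
    return None

def expected_hash(sums_text, filename):
    """Find filename in SHA256SUMS text ('<hex> *<name>' or '<hex>  <name>')."""
    for line in sums_text.splitlines():
        m = re.fullmatch(r"([0-9a-fA-F]{64}) [ *](.+)", line.strip())
        if m and m.group(2) == filename:
            return m.group(1).lower()
    return None

def sha256_file(path, chunk=1 << 20):
    """Hash a large file in chunks so the ISO is never loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_iso(iso_path, iso_name, sums_text, status_text, pinned=PINNED_FPR):
    """True only if SHA256SUMS was signed by the pinned key and the ISO hash matches."""
    if signer_fingerprint(status_text) != pinned:
        return False
    want = expected_hash(sums_text, iso_name)
    return want is not None and sha256_file(iso_path) == want
```

With the "No public key" status from the question there is no VALIDSIG line, so `verify_iso` returns False even when the ISO's hash matches the SHA256SUMS entry.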