BAD signature for SHA256SUMS for iso images

justsomeuser

New Member
Aug 4, 2025
Hi there,
I can't seem to be able to verify the SHA256SUM file from https://enterprise.proxmox.com/iso/. Is the signature really bad or is it some kind of rookie mistake of mine?

Code:
gpg --verify SHA256SUMS.asc SHA256SUMS
gpg: Signature made Thu 24 Jul 2025 04:40:14 PM CEST
gpg:                using RSA key 24B30F06ECC1836A4E5EFECBA7BCD1420BFE778E
gpg: BAD signature from "Proxmox Trixie Release Key <proxmox-release@proxmox.com>" [unknown]

gpg --verify SHA256SUMS.bookworm-key.asc SHA256SUMS
gpg: Signature made Thu 24 Jul 2025 04:40:04 PM CEST
gpg:                using RSA key F4E136C67CDCE41AE6DE6FC81140AF8F639E0C39
gpg: BAD signature from "Proxmox Bookworm Release Key <proxmox-release@proxmox.com>" [unknown]
 
Should I just assume, that there has been a supply chain attack and the iso files are compromised and the hashes have been recalculated by an attacker? :)
 
Thanks for the report, we checked the files and system logs closely.
From that, this looks like fallout of the latest PBS beta ISO upload: a new SHA256SUM.new file was generated for diffing with the old one, to ensure only the new ISO got added and nothing existing changed, but it was then not renamed to the SHA256SUM file. The signature was then generated for an old one, and later, when this was detected, we moved the file over and made gpg execute the new signature; but as the previous signatures did not get removed beforehand, gpg did not overwrite the existing ones. This went unnoticed, and thus we had a mismatch between the signatures and the SHA256SUM file.
This has now been corrected, and we reverified that the current CDN shows the correct state. Thanks for your report; we will add some automated checks to ensure upload to the CDN is blocked if there is a mismatch, to avoid this from happening again, as it's naturally far from ideal.

We cross-checked the hashes from the QA log from the ISO testing we did internally before any public upload, they still match.
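A scripted version of the check described in this thread, added here as an example; it is not Proxmox's own tooling and not code from either poster. It covers both sides: the user's verification (a signature is only accepted if gpg's machine-readable --status-fd output reports a VALIDSIG from one of the two release-key fingerprints shown in the first post, and the ISO hash is then checked against SHA256SUMS) and the kind of pre-upload gate the reply mentions (every file listed in SHA256SUMS must exist and hash correctly, so a stale sums file or stale signature is caught before publishing). The file names, payloads and the gpg status transcript in demo() are constructed, not captured from the CDN; verify_detached() is the only function that actually invokes gpg.

```python
import hashlib
import os
import shutil
import subprocess
import tempfile

# Fingerprints of the two release keys named in the gpg output in the first post.
TRUSTED_FPRS = {
    "24B30F06ECC1836A4E5EFECBA7BCD1420BFE778E",  # Proxmox Trixie Release Key
    "F4E136C67CDCE41AE6DE6FC81140AF8F639E0C39",  # Proxmox Bookworm Release Key
}


def parse_gpg_status(status_lines, trusted_fprs=TRUSTED_FPRS):
    """Judge a detached-signature check from gpg's '[GNUPG:]' status lines.

    Returns (ok, reason). Scripts should not grep the human-readable
    "BAD signature" text; the status-fd protocol is the stable interface.
    """
    valid_fpr = None
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        tag = parts[1]
        if tag in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            return False, f"{tag}: {' '.join(parts[2:])}"
        if tag == "VALIDSIG" and len(parts) >= 3:
            valid_fpr = parts[2].upper()   # VALIDSIG carries the full fingerprint
    if valid_fpr is None:
        return False, "no VALIDSIG line"
    if valid_fpr not in trusted_fprs:
        return False, f"signed by untrusted key {valid_fpr}"
    return True, f"valid signature from {valid_fpr}"


def verify_detached(sig_path, data_path, trusted_fprs=TRUSTED_FPRS):
    """Run gpg on a detached signature; needs gpg and the release key imported."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return parse_gpg_status(proc.stdout.splitlines(), trusted_fprs)


def parse_sha256sums(text):
    """Parse sha256sum-style 'hash  filename' lines into {filename: hash}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")          # drop spacing and the binary-mode '*'
        if len(digest) != 64:
            raise ValueError(f"malformed line: {line!r}")
        expected[name] = digest.lower()
    return expected


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_files(expected, base_dir):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every listed file."""
    results = {}
    for name, digest in expected.items():
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_file(path) != digest:
            results[name] = "MISMATCH"   # file changed after the sums were written
        else:
            results[name] = "OK"
    return results


def demo():
    """Constructed inputs: one good file, one stale entry, one absent entry,
    plus a constructed gpg status transcript mirroring the BADSIG case above."""
    workdir = tempfile.mkdtemp()
    try:
        with open(os.path.join(workdir, "good.iso"), "wb") as f:
            f.write(b"constructed iso payload\n")
        with open(os.path.join(workdir, "stale.iso"), "wb") as f:
            f.write(b"contents changed after SHA256SUMS was written\n")
        sums = (
            f"{hashlib.sha256(b'constructed iso payload').hexdigest()}  good.iso\n"
            f"{hashlib.sha256(b'old contents').hexdigest()}  stale.iso\n"
            f"{'0' * 64}  missing.iso\n"
        )
        hash_results = check_files(parse_sha256sums(sums), workdir)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    bad_status = [  # constructed; BADSIG reports the long key id, not the fingerprint
        "[GNUPG:] NEWSIG",
        "[GNUPG:] BADSIG A7BCD1420BFE778E Proxmox Trixie Release Key <proxmox-release@proxmox.com>",
    ]
    sig_ok, sig_reason = parse_gpg_status(bad_status)
    return {"hashes": hash_results, "signature_ok": sig_ok, "reason": sig_reason}


if __name__ == "__main__":
    print(demo())
```

Note that demo() deliberately writes the "good" hash over a payload without the trailing newline, so the result shows good.iso as a MISMATCH as well; a pre-upload gate should refuse to publish if any entry is not OK, and a user should refuse to install unless both the signature verdict and the ISO's entry are OK.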
 
Thank you very much for the thorough explanation and such a quick remediation! Now I can install the ISO with a clean conscience :).
 