The instructions at https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#3 suggest that you download an ISO to install the operating system, along with the checksums and a signature. Next, you try to verify the signature with
gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
which, if you still do not have the required keys, will give an error like:
gpg: Signature made Thu Apr 5 22:19:36 2018 EDT using the key DSA ID 46181433FBB75451
gpg: Unable to verify signature: no public key
gpg: Signature made Thu Apr 5 22:19:36 2018 EDT using the key RSA ID D94AA3F0EFE21092
gpg: Unable to verify signature: no public key
Then he suggests that "This is a really useful message …" since it tells us which keys to download, and proceeds to tell the user how to download those keys from a key server.
What I do not understand is this: if I somehow downloaded a compromised file, why would I trust the key IDs that are given to me when I try to verify the file? If the file is compromised, it could be signed with a different key. My understanding of key servers is that anyone can upload keys, and that the servers stay synchronized with each other, so in doing
gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys ...
I would simply download the wrong key, be told that the file was verified, and be lulled into a false sense of security. What have I missed?
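As an added example (not part of the question or the Ubuntu tutorial), this is how a verifier can avoid the trap described above: it accepts a signature only if gpg reports a cryptographically good signature from a key whose full fingerprint was pinned out of band, and treats a "no public key" status as a failure rather than as a hint about which key to fetch. The gpg status lines and all fingerprints below are constructed sample values, not real Ubuntu keys.

```python
"""Pin the signer's full fingerprint instead of trusting the key ID that an
unverified signature names. All fingerprints here are constructed samples."""
import subprocess


def gpg_status(sig_path, data_path):
    """Run gpg --verify and return its machine-readable status lines (fd 1)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return proc.stdout


def valid_signer_fingerprints(status):
    """Full 40-hex-digit fingerprints of every cryptographically good signature.

    Only VALIDSIG lines count. NO_PUBKEY/ERRSIG lines merely repeat the key ID
    embedded in the signature (attacker-chosen if the file is compromised),
    and GOODSIG carries only the 16-digit key ID, which is not a fingerprint.
    """
    fprs = set()
    for line in status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            fprs.add(parts[2].upper())
    return fprs


def verify_pinned(status, pinned):
    """True only if at least one good signature comes from a pinned fingerprint."""
    wanted = {p.replace(" ", "").upper() for p in pinned}
    return bool(valid_signer_fingerprints(status) & wanted)


# Constructed fingerprints: one we pinned out of band, one we never pinned.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"


def constructed_status(fpr):
    """Constructed gpg --status-fd output for one good signature made by fpr."""
    return (f"[GNUPG:] NEWSIG\n"
            f"[GNUPG:] GOODSIG {fpr[-16:]} Sample Signer <constructed@example.invalid>\n"
            f"[GNUPG:] VALIDSIG {fpr} 2018-04-05 1523000000 0 4 0 1 8 00 {fpr}\n")


# Constructed output for the situation in the question: the key is unknown,
# so gpg can only report the key ID the signature itself claims.
UNKNOWN_KEY_STATUS = (f"[GNUPG:] NEWSIG\n"
                      f"[GNUPG:] ERRSIG {OTHER_FPR[-16:]} 1 8 00 1523000000 9 {OTHER_FPR}\n"
                      f"[GNUPG:] NO_PUBKEY {OTHER_FPR[-16:]}\n")
```

With real files, feed `gpg_status("SHA256SUMS.gpg", "SHA256SUMS")` to `verify_pinned` together with the fingerprints you obtained from an independent source.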