The reason is irrelevant. It could be anything.
You have to download the proper ISO image in order to install Kali, and for that use the torrent rather than the direct ISO.
I've been watching this thread for a while, and signed up to seek clarification on the same issue as others are having regarding the hashes & signature.
Please excuse my confusion, I thought the entire focus of Kali Linux is security, yet the official ISO images should be treated as insecure (from advice in the official installation guide about the hashes / signature)???
What I did:
1. Kali's official GPG key was downloaded and verified:
pub 4096R/7D8D0BF6 2012-03-05 [expires: 2018-02-02]
Key fingerprint = 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6
uid Kali Linux Repository <[email protected]>
sub 4096R/FC0D0DCB 2012-03-05 [expires: 2018-02-02]
2. I then downloaded the torrent using the official link from kali.org for 64bit: http://images.kali.org/kali-linux-2.0-amd64.torrent
This download has TWO files (not the expected THREE): kali-linux-2.0-amd64.iso and kali-linux-2.0-amd64.txt.sha1sum (there is no kali-linux-2.0-amd64.txt.sha1sum.gpg).
3. SHA1 sum check of the ISO (kali-linux-2.0-amd64.iso) matches the SHA1 text file generated when the download is initiated (kali-linux-2.0-amd64.txt.sha1sum)
$ shasum kali-linux-2.0-amd64.iso
aaeb89a78f155377282f81a785aa1b38ee5f8ba0 kali-linux-2.0-amd64.iso
$ cat kali-linux-2.0-amd64.txt.sha1sum
aaeb89a78f155377282f81a785aa1b38ee5f8ba0 kali-linux-2.0-amd64.iso
This match proves that what I downloaded is what was sent, and it was not tampered in transit.
4. Using the SHA1SUMS.gpg from the Kali Download Server http://kali.muzzy.org.uk/kali-images/kali-2.0/SHA1SUMS.gpg
$ gpg --verify SHA1SUMS.gpg kali-linux-2.0-amd64.txt.sha1sum
gpg: Signature made Tue 11 Aug 2015 14:35:26 BST using RSA key ID 7D8D0BF6
gpg: BAD signature from "Kali Linux Repository <[email protected]>"
A BAD signature indicates that the SHA1 hash in the file kali-linux-2.0-amd64.txt.sha1sum was not signed by Kali developers, and thus the ISO is not made by them.
Conclusion
I believe the BAD signature is because SHA1SUMS.gpg is a signed version of SHA1SUMS, which contains ALL the ISO hashes, and there is no SHA1SUMS.gpg for each ISO, which is what I'm thinking is needed, right?
QUESTION: Where can I obtain kali-linux-2.0-amd64.txt.sha1sum.gpg to verify the downloaded ISO?
P.S. The sticky post about hashes seems outdated? https://forums.kali.org/showthread.php?18456-Kali-Linux-SHA-1-Hashes
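The check the post above is attempting, written out as an added example (not code from this thread or from the Kali project): the detached signature on the mirror covers the all-images SHA1SUMS list, so that list is the file to verify, and the single ISO is then checked against its own line from that list. It assumes SHA1SUMS and SHA1SUMS.gpg sit in the working directory, that the Kali key has already been imported as in step 1, and that GNU coreutils sha1sum is available.

```shell
#!/bin/sh
# Added example: verify a Kali ISO via the signed SHA1SUMS list.
# Assumes SHA1SUMS, SHA1SUMS.gpg and the ISO are in the current directory
# and the Kali signing key is already in the local keyring.
set -eu

# Step 1: the signature file covers SHA1SUMS (every image's hash), not the
# per-ISO .txt.sha1sum. Exit status is non-zero on a BAD or missing signature.
verify_sums_signature() {
    sums="$1"                 # e.g. SHA1SUMS
    sig="${2:-$sums.gpg}"     # e.g. SHA1SUMS.gpg
    gpg --verify "$sig" "$sums"
}

# Step 2: take the one line for this image out of the signed list and let
# sha1sum recompute and compare. Returns 0 only when the hash matches.
check_iso_against_sums() {
    iso="$1"                  # e.g. kali-linux-2.0-amd64.iso
    sums="$2"                 # e.g. SHA1SUMS
    dir=$(dirname "$iso")
    name=$(basename "$iso")
    # Anchor on the full filename so foo.iso cannot match foo.iso.txt;
    # "[ *]" accepts both the text ("  ") and binary (" *") list formats.
    line=$(grep -E "^[0-9a-f]{40} [ *]${name}\$" "$sums") || return 1
    (cd "$dir" && printf '%s\n' "$line" | sha1sum -c --quiet -)
}

# Stand-alone use:  sh verify-kali.sh kali-linux-2.0-amd64.iso
# Only the signature check is worth anything if it passes; a hash that
# matches an unsigned list proves nothing about who produced the image.
if [ "$#" -ge 1 ]; then
    verify_sums_signature SHA1SUMS
    check_iso_against_sums "$1" SHA1SUMS
    echo "$1: signature and hash OK"
fi
```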