[SOLVED] help with gpg keys

slugman · 01-16-2015, 09:45 PM

Hey everyone,

quick question... I was trying to verify the firefox34 package in Slackware64-current, however, when I run verify:

Code:

gpg --verify firefox-34.0.5.source.tar.bz2.asc

gpg tells me that I don't have the public key in my keyring.

According to the output, it looks like the RSA key ID for the gpg key is: 15A0A4BC

Code:

gpg: Signature made Wed 26 Nov 2014 05:34:42 AM MST using RSA key ID 15A0A4BC
gpg: Can't check signature: public key not found

I have the slackware security teams public key (which has a different ID btw). I thought the GPG key used in each release/current is the same slackware security public key.

Is there something I'm missing? Or was this a mistake?

When I checked the asc signature of a different patch (example I picked was apr-1.5.0-x86_64-1_slack14.1.txz.asc), it comes up with the expected "Good signature," result.

Any thoughts?

Diego

veerain · 01-16-2015, 10:40 PM

Then download/check the pgp keyserver for public key. http://pgp.mit.edu

slugman · 01-16-2015, 11:00 PM

Hey, thanks for the quick reply veerain. Unfortunately, no results were found matching that ID.

slugman · 01-16-2015, 11:12 PM

Hey veerain, that was the right direction though.

I searched for the key here: http://www.chmod.org/cgi/keylookup.cgi.

It belongs to mozilla software release team. Now i understand, the source should be verified against that public key, because they were the ones that developed it. I thought the asc was signed against the slackware pgp.

With the mozilla public key in my keyring, it verifies correctly now.

Diego

qweasd · 01-16-2015, 11:26 PM

I know I am too late to the party, but wrestling with gpg is something I like doing late at night... Sometimes I think whoever wrote the thing tried to obfuscate the interface of purpose. Anyway, I found that short key IDs such as 15A0A4BC are pants and -vvvv is the magic word to show the long key ID.

Code:

$ gpg --verify -vvvv firefox-34.0.5.source.tar.bz2.asc
gpg: using character set `utf-8'
gpg: armor: BEGIN PGP SIGNATURE
Version: GnuPG v2.0.14 (GNU/Linux)
:signature packet: algo 1, keyid 057CC3EB15A0A4BC
        version 4, created 1417005282, md5len 0, sigclass 0x00
        digest algo 2, begin of digest 08 9c
        hashed subpkt 2 len 4 (sig created 2014-11-26)
        subpkt 16 len 8 (issuer key ID 057CC3EB15A0A4BC)
        data: [4094 bits]
gpg: armor header: 
gpg: no signed data
gpg: can't hash datafile: No data

And then it works, at least with 0x prefix, at least on some keyservers:

Code:

$ gpg --search-keys 0x057CC3EB15A0A4BC
gpg: searching for "0x057CC3EB15A0A4BC" from hkp server subkeys.pgp.net
(1)     Mozilla Software Releases <releases@mozilla.org>
          4096 bit RSA key 3A06537A, created: 2013-07-16