
Release signed with unknown key #50

Open
barabo opened this issue Nov 7, 2023 · 4 comments
barabo commented Nov 7, 2023

I did find #15 - which did not resolve my issue.

canderson@60-signing-01:~$ gpg --verify yubihsm-connector-3.0.4-ubuntu2204-amd64.tar.gz.sig
gpg: assuming signed data in 'yubihsm-connector-3.0.4-ubuntu2204-amd64.tar.gz'
gpg: Signature made Tue 24 Jan 2023 01:35:50 PM UTC
gpg:                using RSA key A8CE167914EEE232B9237B5410CAC4962E03C7CC
gpg: Can't check signature: No public key

canderson@60-signing-01:~$ gpg --recv-key A8CE167914EEE232B9237B5410CAC4962E03C7CC
gpg: keyserver receive failed: Server indicated a failure

canderson@60-signing-01:~$ cat ~/.gnupg/gpg.conf
keyserver hkps://keys.openpgp.org

Also, looking at the list of yubico developers, here - the signing key A8CE167914EEE232B9237B5410CAC4962E03C7CC is not listed on that page.


barabo commented Nov 7, 2023

For extra context, here's what debug-level 9 reveals.

canderson@60-signing-01:~$ gpg --recv-key --debug-level 9 A8CE167914EEE232B9237B5410CAC4962E03C7CC
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_3 <- # Home: /home/canderson/.gnupg
gpg: DBG: chan_3 <- # Config: /home/canderson/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.2.27 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.2.27
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KEYSERVER --clear hkps://keys.openpgp.org
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KS_GET -- 0xA8CE167914EEE232B9237B5410CAC4962E03C7CC
gpg: DBG: chan_3 <- ERR 219 Server indicated a failure <Unspecified source>
gpg: keyserver receive failed: Server indicated a failure
gpg: DBG: chan_3 -> BYE
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks

Also, I did find this related issue. So I do believe the signature to be trusted, but I'm confused about why I'm unable to receive the keys with gpg --recv-key.

I've tried both keys.openpgp.org and keyserver.ubuntu.com for my key server config, and neither one worked.


barabo commented Nov 7, 2023

Aha! For posterity, I'll post how I resolved this here.

I went to the key download link for Aveen and downloaded the listed key, then imported it as a file.

canderson@60-signing-01:~$ wget https://keys.openpgp.org/vks/v1/by-fingerprint/1D7308B0055F5AEF36944A8F27A9C24D9588EA0F
--2023-11-07 21:29:54--  https://keys.openpgp.org/vks/v1/by-fingerprint/1D7308B0055F5AEF36944A8F27A9C24D9588EA0F
Resolving keys.openpgp.org (keys.openpgp.org)... 37.218.245.50, 2a00:c6c0:0:154:1::1
Connecting to keys.openpgp.org (keys.openpgp.org)|37.218.245.50|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34377 (34K) [application/pgp-keys]
Saving to: ‘1D7308B0055F5AEF36944A8F27A9C24D9588EA0F’

1D7308B0055F5AEF36944A8F27A9C24D9588EA0F     100%[==============================================================================================>]  33.57K  --.-KB/s    in 0s

2023-11-07 21:29:55 (237 MB/s) - ‘1D7308B0055F5AEF36944A8F27A9C24D9588EA0F’ saved [34377/34377]

canderson@60-signing-01:~$ gpg --import 1D7308B0055F5AEF36944A8F27A9C24D9588EA0F
gpg: key 27A9C24D9588EA0F: public key "Aveen Ismail <aveen.ismail@yubico.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

canderson@60-signing-01:~$ gpg --verify ./yubihsm-connector-3.0.4-ubuntu2204-amd64.tar.gz.sig
gpg: assuming signed data in './yubihsm-connector-3.0.4-ubuntu2204-amd64.tar.gz'
gpg: Signature made Tue 24 Jan 2023 01:35:50 PM UTC
gpg:                using RSA key A8CE167914EEE232B9237B5410CAC4962E03C7CC
gpg: Good signature from "Aveen Ismail <aveen.ismail@yubico.com>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 1D73 08B0 055F 5AEF 3694  4A8F 27A9 C24D 9588 EA0F
     Subkey fingerprint: A8CE 1679 14EE E232 B923  7B54 10CA C496 2E03 C7CC

Also note, @aveenismail - your subkey is expired! ;-)


barabo commented Nov 9, 2023

I should add that the instructions for importing developer keys listed in the documentation are not complete. When a release is signed with a subkey, it's not clear which primary key needs to be imported in order to verify the release. I don't know if the keyserver is supposed to determine whether the key fingerprint is a subkey and also import the primary key, but this wasn't working.
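The two transcripts above show the same release file in two states: "Can't check signature: No public key" before the key was imported, and "Good signature ... [expired]" afterwards. Scripting against that human-readable text is fragile; gpg's `--status-fd` output is the machine-readable channel, and it is also where the subkey/primary-key distinction this comment asks about is reported explicitly (VALIDSIG carries the signing subkey fingerprint first and the primary-key fingerprint last, and EXPKEYSIG replaces GOODSIG when the signing key has expired). The parser below is an added example for this thread, not code from the yubihsm-connector project or from Yubico. The status lines it uses as input are constructed to mirror the transcripts above, the keyword layout follows GnuPG's doc/DETAILS, the keys.openpgp.org URL is the form used in the thread, and the "reject"/"fetch-key"/"ok-key-expired" policy is the example's own choice.

```python
"""Machine-checkable verdict from `gpg --status-fd 1 --verify`.

Added example for this thread; not code from the yubihsm-connector project
or from Yubico. Sample status lines are constructed to mirror the transcripts
in the thread; keyword layout follows GnuPG's doc/DETAILS.
"""
import sys
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

STATUS_PREFIX = "[GNUPG:] "
VKS_BASE = "https://keys.openpgp.org/vks/v1/by-fingerprint/"


def norm_fpr(fpr: str) -> str:
    """Canonical form: upper-case hex, no spaces ('1D73 08B0 ...' -> '1D7308B0...')."""
    return "".join(fpr.split()).upper()


@dataclass
class Verdict:
    signing_key: Optional[str] = None   # fingerprint (or long key ID) of the key that made the signature
    primary_key: Optional[str] = None   # primary-key fingerprint once gpg has the key in its keyring
    signer_uid: Optional[str] = None
    missing_key: bool = False           # NO_PUBKEY: nothing could be checked at all
    key_expired: bool = False           # EXPKEYSIG: signature is good but the signing key has expired
    good: bool = False                  # VALIDSIG seen and no BADSIG/EXPSIG/REVKEYSIG
    problems: List[str] = field(default_factory=list)


def parse_status(lines: Iterable[str]) -> Verdict:
    """Parse status-fd lines; anything not prefixed '[GNUPG:] ' is ignored."""
    v = Verdict()
    for raw in lines:
        raw = raw.rstrip("\n")
        if not raw.startswith(STATUS_PREFIX):
            continue
        parts = raw[len(STATUS_PREFIX):].split()
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw == "ERRSIG":
            # ERRSIG <keyid> <pkalgo> <hashalgo> <sigclass> <time> <rc> [<fpr>]
            v.signing_key = args[6] if len(args) > 6 else args[0]
        elif kw == "NO_PUBKEY":
            v.missing_key = True
        elif kw in ("GOODSIG", "EXPKEYSIG"):
            # <keyid> <user id ...>; EXPKEYSIG is emitted instead of GOODSIG for an expired key
            v.signer_uid = " ".join(args[1:])
            v.key_expired = kw == "EXPKEYSIG"
        elif kw == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <rsvd> <pkalgo> <hashalgo> <class> [<primary-fpr>]
            v.signing_key = args[0]
            v.primary_key = args[9] if len(args) > 9 else args[0]
            v.good = True
        elif kw in ("BADSIG", "EXPSIG", "REVKEYSIG"):
            v.problems.append(kw)
    if v.problems:
        v.good = False
    return v


def decide(v: Verdict, expected_primary: str) -> str:
    """Map a Verdict onto an action for a release-verification script (policy is this example's own)."""
    if v.missing_key:
        return "fetch-key"                     # import the developer's primary key, then re-run
    if not v.good:
        return "reject"
    if norm_fpr(v.primary_key or "") != norm_fpr(expected_primary):
        return "reject-unexpected-signer"      # valid signature, but not the key you pinned
    return "ok-key-expired" if v.key_expired else "ok"


def vks_url(fpr: str) -> str:
    """keys.openpgp.org lookup URL for a fingerprint (the form used in the thread)."""
    return VKS_BASE + norm_fpr(fpr)


# Constructed sample input (not real gpg output): the two states seen in the thread.
BEFORE_IMPORT = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 10CAC4962E03C7CC 1 10 00 1674567350 9 A8CE167914EEE232B9237B5410CAC4962E03C7CC",
    "[GNUPG:] NO_PUBKEY 10CAC4962E03C7CC",
]
AFTER_IMPORT = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] EXPKEYSIG 10CAC4962E03C7CC Aveen Ismail <aveen.ismail@yubico.com>",
    "[GNUPG:] VALIDSIG A8CE167914EEE232B9237B5410CAC4962E03C7CC 2023-01-24 1674567350 0 4 0 1 10 00 "
    "1D7308B0055F5AEF36944A8F27A9C24D9588EA0F",
]
AVEEN_PRIMARY = "1D73 08B0 055F 5AEF 3694  4A8F 27A9 C24D 9588 EA0F"  # as printed by gpg above

if __name__ == "__main__":
    # Usage: gpg --status-fd 1 --verify x.sig x.tar.gz 2>/dev/null | python3 this.py <expected-primary-fpr>
    src = sys.stdin if not sys.stdin.isatty() else AFTER_IMPORT
    expected = sys.argv[1] if len(sys.argv) > 1 else AVEEN_PRIMARY
    verdict = parse_status(src)
    print(decide(verdict, expected), verdict)
```

The pinned value passed to `decide` is the primary-key fingerprint taken from the developer keys page, not the subkey fingerprint printed in the signature, so a release signed by a different (or rotated) subkey of the same developer still verifies, while a valid signature from any other key is rejected. The expired-key case is kept as its own state rather than folded into "ok" or "reject" because, as this thread shows, it can mean nothing more than a stale copy of the key on the keyserver.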

@aveenismail (Member) commented

@barabo Thank you for the notification and apologies for the confusion. My key isn't actually expired but I seem to have missed uploading it to keys.openpgp.org after renewal. I just uploaded it now so hopefully the expired warning shouldn't be displayed again. Please let me know if the problem persists.
