-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Release signed with unknown key #50
Comments
For extra context, here's what
Also, I did find this related issue. So I do believe the signature to be trusted, but I'm confused about why I'm unable to receive the keys with I've tried both |
Aha! For posterity, I'll post how I resolved this here. I went to the key download link for Aveen and downloaded the listed key, then imported it as a file. canderson@60-signing-01:~$ wget https://keys.openpgp.org/vks/v1/by-fingerprint/1D7308B0055F5AEF36944A8F27A9C24D9588EA0F
--2023-11-07 21:29:54-- https://keys.openpgp.org/vks/v1/by-fingerprint/1D7308B0055F5AEF36944A8F27A9C24D9588EA0F
Resolving keys.openpgp.org (keys.openpgp.org)... 37.218.245.50, 2a00:c6c0:0:154:1::1
Connecting to keys.openpgp.org (keys.openpgp.org)|37.218.245.50|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34377 (34K) [application/pgp-keys]
Saving to: ‘1D7308B0055F5AEF36944A8F27A9C24D9588EA0F’
1D7308B0055F5AEF36944A8F27A9C24D9588EA0F 100%[==============================================================================================>] 33.57K --.-KB/s in 0s
2023-11-07 21:29:55 (237 MB/s) - ‘1D7308B0055F5AEF36944A8F27A9C24D9588EA0F’ saved [34377/34377]
canderson@60-signing-01:~$ gpg --import 1D7308B0055F5AEF36944A8F27A9C24D9588EA0F
gpg: key 27A9C24D9588EA0F: public key "Aveen Ismail <aveen.ismail@yubico.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
canderson@60-signing-01:~$ gpg --verify ./yubihsm-connector-3.0.4-ubuntu2204-amd64.tar.gz.sig
gpg: assuming signed data in './yubihsm-connector-3.0.4-ubuntu2204-amd64.tar.gz'
gpg: Signature made Tue 24 Jan 2023 01:35:50 PM UTC
gpg: using RSA key A8CE167914EEE232B9237B5410CAC4962E03C7CC
gpg: Good signature from "Aveen Ismail <aveen.ismail@yubico.com>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 1D73 08B0 055F 5AEF 3694 4A8F 27A9 C24D 9588 EA0F
Subkey fingerprint: A8CE 1679 14EE E232 B923 7B54 10CA C496 2E03 C7CC Also note, @aveenismail - your subkey is expired! ;-) |
I should add that the instructions for importing developer keys listed in the documentation are not complete. When a release is signed with a subkey, it's not clear which primary key needs to be imported in order to verify the release. I don't know if the keyserver is supposed to determine whether the key fingerprint is a subkey and also import the primary key, but this wasn't working. |
@barabo Thank you for the notification and apologies for the confusion. My key isn't actually expired but I seem to have missed uploading it to keys.openpgp.org after renewal. I just uploaded it now so hopefully the expired warning shouldn't be displayed again. Please let me know if the problem persists. |
I did find #15 - which did not resolve my issue.
Also, looking at the list of yubico developers, here - the signing key
A8CE167914EEE232B9237B5410CAC4962E03C7CC
is not listed on that page.The text was updated successfully, but these errors were encountered: