Issue importing dev keys

tebin · September 26, 2019, 12:43pm

As per:
https://wiki.debian.org/FreedomBox/Download#Verifying_the_Downloaded_Images

on Debian I get:

gpg --verbose --recv-keys 7D6ADB750F91085589484BE677C0C75E7B650808
gpg: data source: https://keys.openpgp.org:443
gpg: pub rsa4096/77C0C75E7B650808 2015-06-07
gpg: key 77C0C75E7B650808: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1

and similarly with the other key listed in that Freedombox page section linked.
I’m not new to GnuPG, but I don’t get this.
Because:
gpg --verbose --list-keys 7D6ADB750F91085589484BE677C0C75E7B650808
gpg: using pgp trust model
gpg: error reading key: No public key

What’s wrong, or what am I missing?

It’s similar to these issues:

in the wild.

tebin · September 26, 2019, 1:25pm

Indeed, gpg can’t verify this image:

gpg --verify freedombox-stable-free_buster_a20-olinuxino-lime2-armhf.img.xz.sig freedombox-stable-free_buster_a20-olinuxino-lime2-armhf.img.xz
gpg: Signature made Wed 10 Jul 2019 08:42:27 UTC
gpg: using RSA key 013D86D8BA32EAB4A6691BF85D4153D6FE188FC8
gpg: Can’t check signature: No public key

sunil · September 27, 2019, 5:44pm

@tebin, thank you for reporting this. I can confirm the behavior on my machine. This seems to be a problem with the default keyserver keys.openpgp.org. Other keyservers seem to work.

gpg --keyserver keys.gnupg.net --recv-keys 7D6ADB750F91085589484BE677C0C75E7B650808
gpg --keyserver sks-keyservers.net --recv-keys 7D6ADB750F91085589484BE677C0C75E7B650808
gpg --keyserver keyserver.ubuntu.com --recv-keys 7D6ADB750F91085589484BE677C0C75E7B650808

I will update the manual page.

sunil · September 27, 2019, 5:49pm

I have updated the manual page.

jvalleroy · September 29, 2019, 2:51pm

Just to add more detail: keys.openpgp.org is no longer a standard SKS keyserver. See https://keys.openpgp.org/about/faq.

tebin · October 4, 2019, 2:28am

It is again:
https://tracker.debian.org/pkg/gnupg2/rss
where find “use keys.openpgp.org as the default keyserver” for gnupg2 (2.2.12-1+deb10u1) buster in late August 2019.

jvalleroy · October 4, 2019, 12:09pm

@tebin It is the default keyserver for gnupg, but it is not part of SKS pool.

tebin · October 5, 2019, 9:36am

I wish I was wrong, but I’m not.

It is the default keyserver for gnupg,

and the default for buster, and likely other distro testing suites. I have it not because I did the change, but because of Debian team following upstream change.

but it is not part of SKS pool.

And the SKS pool has been ditched (they do cite the reason in the mail when users “apt-get upgrade”, but I can’t remember it) in favor of the old keys.openpgpg.org.

vincentvd · March 25, 2023, 1:22pm

For the record: I also had trouble importing the keys. The solution for me was changing the key server URL from keyserver.ubuntu.com to hkp://keyserver.ubuntu.com:80. Not sure why but it works.

Source: ubuntu - keyserver receive failed (on every keyserver available) - Unix & Linux Stack Exchange