Issue importing dev keys

As per:
https://wiki.debian.org/FreedomBox/Download#Verifying_the_Downloaded_Images

on Debian I get:

gpg --verbose --recv-keys 7D6ADB750F91085589484BE677C0C75E7B650808
gpg: data source: https://keys.openpgp.org:443
gpg: pub rsa4096/77C0C75E7B650808 2015-06-07
gpg: key 77C0C75E7B650808: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1

and similarly with the other key listed in that Freedombox page section linked.
I’m not new to GnuPG, but I don’t get this.
Because:
gpg --verbose --list-keys 7D6ADB750F91085589484BE677C0C75E7B650808
gpg: using pgp trust model
gpg: error reading key: No public key

What’s wrong, or what am I missing?

It’s similar to these issues:


in the wild.


Indeed, gpg can’t verify this image:

gpg --verify freedombox-stable-free_buster_a20-olinuxino-lime2-armhf.img.xz.sig freedombox-stable-free_buster_a20-olinuxino-lime2-armhf.img.xz
gpg: Signature made Wed 10 Jul 2019 08:42:27 UTC
gpg: using RSA key 013D86D8BA32EAB4A6691BF85D4153D6FE188FC8
gpg: Can’t check signature: No public key

@tebin, thank you for reporting this. I can confirm the behavior on my machine. This seems to be a problem with the default keyserver keys.openpgp.org. Other keyservers seem to work.

gpg --keyserver keys.gnupg.net --recv-keys 7D6ADB750F91085589484BE677C0C75E7B650808
gpg --keyserver sks-keyservers.net --recv-keys 7D6ADB750F91085589484BE677C0C75E7B650808
gpg --keyserver keyserver.ubuntu.com --recv-keys 7D6ADB750F91085589484BE677C0C75E7B650808

I will update the manual page.

I have updated the manual page.


Just to add more detail: keys.openpgp.org is no longer a standard SKS keyserver. See https://keys.openpgp.org/about/faq.
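
As an added example (not part of this thread or the FreedomBox manual): a POSIX shell helper that tries keyservers in order and judges success by whether the full fingerprint is actually in the keyring afterwards, since gpg skips a key that arrives without a user ID, as in the output above. The function names and the `GPG` override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example. GPG may be overridden (e.g. GPG=gpg2, or a stub for testing).
GPG="${GPG:-gpg}"

# key_present FPR
# Succeeds only if the local keyring holds a primary key whose full
# fingerprint equals FPR (uppercase hex, no spaces). Uses the stable
# machine-readable listing instead of the human-readable output.
key_present() {
    "$GPG" --batch --with-colons --fingerprint "$1" 2>/dev/null |
        awk -F: -v want="$1" '
            $1 == "pub" { primary = 1; next }
            $1 == "sub" { primary = 0 }
            $1 == "fpr" && primary { if ($10 == want) found = 1; primary = 0 }
            END { exit !found }'
}

# fetch_key FPR KEYSERVER...
# Tries each keyserver in turn and prints the first one that leaves the key
# in the keyring. A server that returns the key without any user ID yields
# "new key but contains no user ID - skipped" and nothing is imported, so
# the keyring is checked after every attempt.
fetch_key() {
    fpr=$1
    shift
    for ks in "$@"; do
        out=$("$GPG" --batch --keyserver "$ks" --recv-keys "$fpr" 2>&1) || true
        if key_present "$fpr"; then
            echo "$ks"
            return 0
        fi
        case $out in
            *"contains no user ID"*)
                echo "$ks: key served without a user ID, not imported" >&2 ;;
            *)
                echo "$ks: key not imported" >&2 ;;
        esac
    done
    return 1
}

# Usage, with keyservers named in this thread:
#   fetch_key 7D6ADB750F91085589484BE677C0C75E7B650808 \
#       keys.openpgp.org keyserver.ubuntu.com && gpg --verify image.sig image
```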

It is again:
https://tracker.debian.org/pkg/gnupg2/rss
where you can find “use keys.openpgp.org as the default keyserver” for gnupg2 (2.2.12-1+deb10u1) buster in late August 2019.

@tebin It is the default keyserver for gnupg, but it is not part of SKS pool.

I wish I was wrong, but I’m not.

It is the default keyserver for gnupg,

and the default for buster, and likely other distro testing suites. I have it not because I made the change, but because the Debian team followed the upstream change.

but it is not part of SKS pool.

And the SKS pool has been ditched (they do cite the reason in the mail when users “apt-get upgrade”, but I can’t remember it) in favor of the old keys.openpgp.org.