Retrieve public keys that signed a key I have

gnupgopenpgp

I am trying to figure out how to do the following in one command.

I have an ISO image along with its signature file *.sig. I tried to verify it via GnuPG 2 but it reported a missing public key giving me its fingerprint. I have successfully retrieved a key using the following

gpg2 --keyserver hkp://keys.gnupg.net --recv-key <fingerprint>

but when I checked the key

gpg2 --edit-key <KEY ID>

followed by

gpg> check

I have got this message:

27 signatures not checked due to missing keys

How can I retrieve all these keys to check that the key I have got is trusted?

Best Answer

You're not missing keys for the ISO's signature, but keys which issued certifications on the key that signed the image.

GnuPG does not recursively download other keys, you will have to do this on your own (for example, by running a command line like the one you proposed in the comments). But be aware that the certificates provided by other keys do not already assert the key's valid, it is very easy to generate whole networks of keys that even mimic the real OpenPGP web of trust like performed in the Evil 32 attack. If you want to validate some key by checking certifications, always build a trust path that ends at your own key (or some other key you verified through another medium, for example by meeting the person).

Related Solutions

Verifying files with GPG, without a .sig or .asc file

Received an explanation from the GNU/GCC team about this, and the .sig files were missing due to an error with file replication to their mirror servers. From the team:

Interestingly, the .sig files are only on the GNU server (e.g., http://ftp.gnu.org/gnu/gcc/gcc-4.8.0/) but not on the GCC server (e.g., ftp://gcc.gnu.org/pub/gcc/releases/gcc-4.8.0/). As the latter is used by the mirrors, it is also not available on the mirrors.

I found the .sig files on the GNU server like they suggested, but then had to dig some more to find the "GNU keyring file" required to actually verify the signature. All in all, the verification process was:

$ wget http://www.netgull.com/gcc/releases/gcc-4.8.0/gcc-4.8.0.tar.gz
$ wget http://ftp.gnu.org/gnu/gcc/gcc-4.8.0/gcc-4.8.0.tar.gz.sig
$ wget ftp://ftp.gnu.org/gnu/gnu-keyring.gpg
$ gpg --verify --keyring ./gnu-keyring.gpg ./gcc-4.8.0.tar.gz.sig

gpg: Signature made Fri 22 Mar 2013 08:32:29 AM CDT using DSA key ID C3C45C06
gpg: Good signature from "Jakub Jelinek <jakub@redhat.com>"
gpg: Note: This key has expired!
Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29  3709 A328 C3A2 C3C4 5C06

Hopefully this helps anyone else trying to verify a tarball downloaded from one of GCC's mirror sites.

Verify GPG tarballs from command line with signer’s public key block

We have to import the keys before checking the signature.

$ gpg --import gpg-signers.pem
gpg: key 4F25E3B6: public key "Werner Koch (dist sig)" imported
$ gpg --verify libassuan-2.2.0.tar.bz2.sig libassuan-2.2.0.tar.bz2
gpg: Signature made Thu 11 Dec 2014 21:13:07 JST using RSA key ID 4F25E3B6
gpg: Good signature from "Werner Koch (dist sig)"

If we don't want the keys to be stored in the local database permanently, use a disposable keyring.

$ gpg --no-default-keyring --keyring 1.keyring --import gpg-signers.pem
gpg: keyring 1.keyring created
...
$ gpg --no-default-keyring --keyring 1.keyring --verify ...
...
$ trash 1.keyring

By design, we receive keys out-of-band.

Though not as convenient as HTTPS, we can download Werner Koch's public key by gpg --recv-key 4F25E3B6. This command work out-of-box on many distros with a preconfigured keyserver. It is easy to write some script look into a signature file and automatically download the key the person who issue this signature used. But the decision is still left upon us, to determine whether to trust or not trust the person.

Best Answer

Related Solutions

Verifying files with GPG, without a .sig or .asc file

Verify GPG tarballs from command line with signer’s public key block

Related Question