Linux – Debian: GPG cannot fetch Linux Kernel key

gpgkernellinuxsignature

I am in the process of recompiling the kernel on Debian. Following the instructions on kernel.org, the first step is to verify the signature. But GPG complains that it cannot find the public key:

# gpg --verify linux-3.12.22.tar.sign 
gpg: Signature made Wed 11 Jun 2014 17:22:35 CEST using RSA key ID 6092693E
gpg: Can't check signature: public key not found

I have tried to fetch the key:

# gpg --recv-keys 6092693E
gpg: no keyserver known (use option --keyserver)
gpg: keyserver receive failed: bad URI

I have tried to set the keyserver:

# gpg --keyserver subkeys.pgp.net --recv-keys 6092693E
gpg: requesting key 6092693E from hkp server subkeys.pgp.net
gpg: keyserver timed out
gpg: keyserver receive failed: keyserver error

What is the problem? Thanks.

Software:

Debian GNU/Linux 6
GPG 1.4.10

EDIT: I do have a firewall, but its rules don't block outbound traffic. However, connecting to the keyserver on a different port:

$ gpg --keyserver subkeys.pgp.net:80 --recv-keys 6092693E
gpg: requesting key 6092693E from subkeys.pgp.net:80
gpgkeys: no keyserver host provided
gpg: keyserver internal error
gpg: keyserver receive failed: keyserver error

Best Answer

As error message, you haven't configured gpg server.

Try this:

gpg --keyserver subkeys.pgp.net --recv-keys 6092693E && gpg --export --armor 6092693E \
| sudo apt-key add -

Updated

It seems that you can not connect to server:

gpg: keyserver timed out

Do you have a firewall block port 11371 of hkp service.

You can use port 80 instead of 17371:

gpg --keyserver subkeys.pgp.net:80 --recv-keys 6092693E

Related Solutions

How to check openpgp (gpg) signature against a set of public key blocks

The program gpgv / gpgv2 is used for simple checking of signatures. The problem is that exported key files are not recognized as keyring. Thus you have to create a keyring in the first step:

cd /some/tmp/dir || exit 1
test -f pubring.gpg && { rm -f pubring.gpg || exit 1; }
gpg --no-options --no-default-keyring --keyring ./pubring.gpg \
  --secret-keyring ./secring.gpg --import /etc/ourapp/ourapps_trusted_pubkeys.asc

Now /some/tmp/dir/pubring.gpg is a keyring file gpgv can use:

gpgv --keyring /some/tmp/dir/pubring.gpg \
  /var/lib/ourapp/newcontent.tar.gz.asc /var/lib/ourapp/newcontent.tar.gz

If the data file path is the signature path without .asc (like in your example) then you can leave it out.

GPG – Unable to Verify Kernel Signature ‘Public Key Not Found’

You only need to have the public key in your keyring:

gpg --keyserver subkeys.pgp.net --recv-keys 0x38DBBDC86092693E

(use the long identifier!). If it times out, try again — there are multiple servers, and some of them seem to be having issues currently. apt-key etc. aren't involved in this at all.

Once you have the key in your keyring,

gpg --verify linux-3.18.35.tar.sign

should work.

You can also configure a key server pool instead (this is a good idea anyway):

install gnupg-curl (apt-get install gnupg-curl on Debian);

download the SKS CA

cd ~/.gnupg; wget https://sks-keyservers.net/sks-keyservers.netCA.pem

verify it;
add the following line to your ~/.gnupg/gpg.conf, or change it if it's already present:
```
keyserver hkps://hkps.pool.sks-keyservers.net
```
and set up the certificate by either adding
```
keyserver-options ca-cert-file=/home/.../.gnupg/sks-keyservers.netCA.pem
```
to ~/.gnupg/gpg.conf (for GnuPG 1) or
```
keyserver hkps://hkps.pool.sks-keyservers.net
hkp-cacert /home/.../.gnupg/sks-keyservers.netCA.pem
```
to ~/.gnupg/dirmngr.conf (for GnuPG 2), replacing the ... in the path with the appropriate value for your home directory in both cases.

Once you've done that,

gpg --recv-keys 0x38DBBDC86092693E

should retrieve the key reliably.

If all that fails, you can download and import the key manually:

curl 'http://pgp.surfnet.nl:11371/pks/lookup?op=get&search=0x38DBBDC86092693E' > gregkh.key
gpg --import gregkh.key

Best Answer

Related Solutions

How to check openpgp (gpg) signature against a set of public key blocks

GPG – Unable to Verify Kernel Signature ‘Public Key Not Found’

Related Question