GPG – Unable to Verify Kernel Signature ‘Public Key Not Found’

gpg

In order to compile a new kernel on my Debian jessie, I am trying to verify the GPG key , following the instruction on the official website.

I have download the the linux-3.18.35.tar.sign and linux-3.18.35.tar.xz version and unzip it using unzx.

To verify the .tar archive using the command :

gpg --verify linux-3.18.35.tar.sign

I get:

gpg: assuming signed data in `linux-3.18.35.tar'
gpg: Signature made Wed 08 Jun 2016 01:19:29 AM CET using RSA key ID 6092693E
gpg: Can't check signature: public key not found

To get the public key from the PGP keyserver :

#gpg --keyserver hkp://keys.gnupg.net --recv-keys 6092693E

gpg: requesting key 6092693E from hkp server keys.gnupg.net
?: keys.gnupg.net: Host not found
gpgkeys: HTTP fetch error 7: couldn't connect: Connection refused
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

I get a similar problem with the 4.4.13 version too.

I have tried the following answer,

# gpg --keyserver subkeys.pgp.net --recv-keys 6092693E && gpg --export --armor 6092693E | sudo apt-key add -

gpg: requesting key 6092693E from hkp server subkeys.pgp.net
gpg: keyserver timed out
gpg: keyserver receive failed: keyserver error

And:

# gpg --keyserver subkeys.pgp.net:80 --recv-keys 6092693E

gpg: requesting key 6092693E from subkeys.pgp.net:80
gpgkeys: no keyserver host provided
gpg: keyserver internal error
gpg: keyserver receive failed: keyserver error

How to verify the kernel signature correctly?

Best Answer

You only need to have the public key in your keyring:

gpg --keyserver subkeys.pgp.net --recv-keys 0x38DBBDC86092693E

(use the long identifier!). If it times out, try again — there are multiple servers, and some of them seem to be having issues currently. apt-key etc. aren't involved in this at all.

Once you have the key in your keyring,

gpg --verify linux-3.18.35.tar.sign

should work.

You can also configure a key server pool instead (this is a good idea anyway):

install gnupg-curl (apt-get install gnupg-curl on Debian);

download the SKS CA

cd ~/.gnupg; wget https://sks-keyservers.net/sks-keyservers.netCA.pem

verify it;
add the following line to your ~/.gnupg/gpg.conf, or change it if it's already present:
```
keyserver hkps://hkps.pool.sks-keyservers.net
```
and set up the certificate by either adding
```
keyserver-options ca-cert-file=/home/.../.gnupg/sks-keyservers.netCA.pem
```
to ~/.gnupg/gpg.conf (for GnuPG 1) or
```
keyserver hkps://hkps.pool.sks-keyservers.net
hkp-cacert /home/.../.gnupg/sks-keyservers.netCA.pem
```
to ~/.gnupg/dirmngr.conf (for GnuPG 2), replacing the ... in the path with the appropriate value for your home directory in both cases.

Once you've done that,

gpg --recv-keys 0x38DBBDC86092693E

should retrieve the key reliably.

If all that fails, you can download and import the key manually:

curl 'http://pgp.surfnet.nl:11371/pks/lookup?op=get&search=0x38DBBDC86092693E' > gregkh.key
gpg --import gregkh.key

Related Solutions

Skype missing GPG key

See here how to install Skype on Scientific 6. Basically, you shouldn't do the check by yourself.

I will outline the steps here:

# yum install alsa-lib.i686 dbus-libs.i686 e2fsprogs-libs.i686 expat.i686 fontconfig.i686 freetype.i686 glib2.i686 glibc.i686 keyutils-libs.i686 krb5-libs.i686 libcap.i686 libgcc.i686 libICE.i686 libpng.i686 libselinux.i686 libSM.i686 libstdc++.i686 libX11.i686 libXau.i686 libxcb.i686 libXcursor.i686 libXdmcp.i686 libXext.i686 libXfixes.i686 libXi.i686 libXinerama.i686 libXrandr.i686 libXrender.i686 libXScrnSaver.i686 libXv.i686 openssl.i686 qt.i686 qt-x11.i686 zlib.i686
# gedit /etc/yum.repos.d/skype.repo

In the file above you basically post the following:

[skype]
name=Skype Repository
baseurl=http://download.skype.com/linux/repos/fedora/updates/i586/
enabled=1
gpgkey=http://www.skype.com/products/skype/linux/rpm-public-key.asc
gpgcheck=0

# yum install skype
# chmod a+x /usr/bin/skype

If you have problems with Video Chat do the following:

# mv /usr/bin/skype /usr/bin/skype.proper
# cat << EOF > /usr/bin/skype
#!/bin/bash
LD_PRELOAD=/usr/lib/libv4l/v4l1compat.so
skype.proper
EOF

The old Skype executable has been renamed skype.proper.

UPDATE:

i have done some Google research about the GPG key for skype, but no one seems to have it, as you can see here and here (at the skype forums), and here too, and here is the Google page with the search i have done and it full with complains about the missing key.

I would recommend, to install Skype with either the instructions above, or to download it directly from the skype website here.

How to check openpgp (gpg) signature against a set of public key blocks

The program gpgv / gpgv2 is used for simple checking of signatures. The problem is that exported key files are not recognized as keyring. Thus you have to create a keyring in the first step:

cd /some/tmp/dir || exit 1
test -f pubring.gpg && { rm -f pubring.gpg || exit 1; }
gpg --no-options --no-default-keyring --keyring ./pubring.gpg \
  --secret-keyring ./secring.gpg --import /etc/ourapp/ourapps_trusted_pubkeys.asc

Now /some/tmp/dir/pubring.gpg is a keyring file gpgv can use:

gpgv --keyring /some/tmp/dir/pubring.gpg \
  /var/lib/ourapp/newcontent.tar.gz.asc /var/lib/ourapp/newcontent.tar.gz

If the data file path is the signature path without .asc (like in your example) then you can leave it out.

Best Answer

Related Solutions

Skype missing GPG key

How to check openpgp (gpg) signature against a set of public key blocks

Related Question