Missing public key after ftp.pcre.org retirement. #41

Closed
alexlevinfr opened this issue Nov 9, 2021 · 7 comments

@alexlevinfr

Please could you republish the public key for pcre - without this it is impossible to verify pcre releases to prevent supply chain vulnerabilities.
It was previously on ftp.pcre.org at https://ftp.pcre.org/pub/pcre/Public-Key - I see other failures in the wild. http://exim.mirror.iphh.net/ftp/pcre/Public-Key is not a valid key - the one we need is 45F68D54BBE23FB3039B46E59766E084FB0F43D8.
E.g., I imported that key, and it

C02DC0SHMD6W:web-agents alex.levin$ gpg --import ~/Downloads/Public-Key
gpg: key 9766E084FB0F43D8: public key "Philip Hazel [email protected]" imported
gpg: Total number processed: 1
gpg: imported: 1
C02DC0SHMD6W:web-agents alex.levin$ gpg --verify libs/pcre2-10.39.tar.gz.sig ph.gpg
gpg: Signature made Fri 29 Oct 17:07:03 2021 BST
gpg: using RSA key 45F68D54BBE23FB3039B46E59766E084FB0F43D8
gpg: BAD signature from "Philip Hazel [email protected]" [unknown]

@PhilipHazel
Collaborator

I have been trying to upload my public key to GitHub, but (after a lot of tedious cutting and pasting), it fails with the message "We got an error doing that". The key is, I believe, available on keyserver.ubuntu.com and keys.gnupg.net - at least when I search them for my name it finds something. I will continue to pursue this, but I'm not an expert on GnuPG.

@PhilipHazel
Collaborator

Yay! I managed to figure out what I was doing wrong. I believe I have now uploaded the key to GitHub.

@alexlevinfr
Author

Hi Philip,
Thanks for your efforts so far.
I see the key, which is great, but I still fail to verify the signature.
I first removed all keys relating to your uid, then:
curl https://github.com/FullName.gpg -o lib/ph.gpg
gpg --import lib/ph.gpg
gpg --check-signatures
~/.gnupg/pubring.kbx
pub rsa2048 2002-10-21 [SC]
45F68D54BBE23FB3039B46E59766E084FB0F43D8
uid [ unknown] Full Name [email protected]
sig!3 9766E084FB0F43D8 2021-03-25 Full Name [email protected]
uid [ unknown] Full Name [email protected]
sig!3 9766E084FB0F43D8 2007-05-02 Full Name [email protected]
sig!3 9766E084FB0F43D8 2006-03-14 Full Name [email protected]
uid [ unknown] Full Name [email protected]
sig!3 9766E084FB0F43D8 2002-10-21 Full Name [email protected]
sig!3 9766E084FB0F43D8 2002-10-21 Full Name [email protected]
uid [ unknown] Full Name [email protected]
sig!3 9766E084FB0F43D8 2002-10-23 Full Name [email protected]
sub rsa2048 2002-10-21 [E]
sig! 9766E084FB0F43D8 2002-10-21 Full Name [email protected]

gpg: 20 good signatures
gpg: 719 signatures not checked due to missing keys
$ gpg --verify libs/pcre2-10.39.tar.gz.sig
gpg: assuming signed data in 'libs/pcre2-10.39.tar.gz'
gpg: Signature made Fri 29 Oct 17:07:03 2021 BST
gpg: using RSA key 45F68D54BBE23FB3039B46E59766E084FB0F43D8
gpg: BAD signature from "Full Name [email protected]" [unknown]

I think if you try this on a new system you would be able to reproduce this, and probably that the system used to sign this is using a different private key which doesn't correspond to this one.

@PhilipHazel
Collaborator

I'm afraid I am a very naive GPG user, having to consult the manual for my every move. I can check the signatures, for example:

$ gpg --verify Releases/pcre2-10.39.zip.sig Releases/pcre2-10.39.zip
gpg: Signature made Fri Oct 29 17:07:03 2021 BST
gpg: using RSA key 45F68D54BBE23FB3039B46E59766E084FB0F43D8
gpg: Good signature from "Philip Hazel [email protected]" [ultimate]
gpg: aka "Philip Hazel [email protected]" [ultimate]
gpg: aka "Philip Hazel [email protected]" [ultimate]
gpg: aka "Philip Hazel [email protected]" [ultimate]

This is, of course, using the keys in my keyring on my desktop computer, not the exported one. (The .tar.gz file verifies the same.) I don't have any other systems I can try this on. I wonder if others are having the same problem? Can anyone else who is reading this give advice?

@PhilipHazel
Collaborator

I have succeeded in recovering a copy of the file called Public-Key that was on ftp.pcre.org. It is a different, much shorter file than what I get from "gpg export". I don't know how to discover what kind of key it is.

@MatthewVernon
Contributor

MatthewVernon commented Nov 12, 2021

I did as follows, and it works for me:

# download key
gpg --keyserver keyserver.ubuntu.com --search-keys [email protected]
gpg: data source: http://162.213.33.9:11371
(1)     Philip Hazel <[email protected]>
        Philip Hazel <[email protected]>
        Philip Hazel <[email protected]>
        Philip Hazel <[email protected]>
          2048 bit RSA key 9766E084FB0F43D8, created: 2002-10-21
Keys 1-1 of 1 for "[email protected]".  Enter number(s), N)ext, or Q)uit > 1
gpg: key 9766E084FB0F43D8: 3 duplicate signatures removed
gpg: key 9766E084FB0F43D8: 116 signatures not checked due to missing keys
gpg: key 9766E084FB0F43D8: public key "Philip Hazel <[email protected]>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:               imported: 1
# verify
gpg --verify pcre2-10.39.zip.sig pcre2-10.39.zip
gpg: Signature made Fri 29 Oct 2021 17:07:03 BST
gpg:                using RSA key 45F68D54BBE23FB3039B46E59766E084FB0F43D8
gpg: Good signature from "Philip Hazel <[email protected]>" [unknown]
gpg:                 aka "Philip Hazel <[email protected]>" [unknown]
gpg:                 aka "Philip Hazel <[email protected]>" [unknown]
gpg:                 aka "Philip Hazel <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 45F6 8D54 BBE2 3FB3 039B  46E5 9766 E084 FB0F 43D8

@alexlevinfr
Author

Downloaded the two files (sig and tar.gz) again, and they verify OK with either the public key I downloaded yesterday or the Ubuntu version. Apologies.
C02DC0SHMD6W:web-agents alex.levin$ gpg --import libs/ph.gpg
gpg: key 9766E084FB0F43D8: 65 signatures not checked due to missing keys
gpg: key 9766E084FB0F43D8: public key "Philip Hazel [email protected]" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2025-03-11
C02DC0SHMD6W:web-agents alex.levin$ gpg --verify ~/Downloads/pcre2-10.39.tar.gz.sig ~/Downloads/pcre2-10.39.tar.gz
gpg: Signature made Fri 29 Oct 17:07:03 2021 BST
gpg: using RSA key 45F68D54BBE23FB3039B46E59766E084FB0F43D8
gpg: Good signature from "Philip Hazel [email protected]" [unknown]
gpg: aka "Philip Hazel [email protected]" [unknown]
gpg: aka "Philip Hazel [email protected]" [unknown]
gpg: aka "Philip Hazel [email protected]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 45F6 8D54 BBE2 3FB3 039B 46E5 9766 E084 FB0F 43D8
C02DC0SHMD6W:web-agents alex.levin$ gpg --delete-key 45F68D54BBE23FB3039B46E59766E084FB0F43D8
gpg (GnuPG/MacGPG2) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub rsa2048/9766E084FB0F43D8 2002-10-21 Philip Hazel [email protected]

Delete this key from the keyring? (y/N) y
C02DC0SHMD6W:web-agents alex.levin$ gpg --verify libs/pcre2-10.39.tar.gz.sig libs/pcre2-10.39.tar.gz
gpg: can't open signed data 'libs/pcre2-10.39.tar.gz'
gpg: can't hash datafile: No such file or directory
C02DC0SHMD6W:web-agents alex.levin$ gpg --verify ~/Downloads/pcre2-10.39.tar.gz.sig
gpg: assuming signed data in '/Users/alex.levin/Downloads/pcre2-10.39.tar.gz'
gpg: Signature made Fri 29 Oct 17:07:03 2021 BST
gpg: using RSA key 45F68D54BBE23FB3039B46E59766E084FB0F43D8
gpg: key 9766E084FB0F43D8: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
gpg: Can't check signature: No public key
C02DC0SHMD6W:web-agents alex.levin$ gpg --keyserver keyserver.ubuntu.com --search-keys [email protected]
gpg: data source: http://162.213.33.8:11371
(1) Philip Hazel [email protected]
Philip Hazel [email protected]
Philip Hazel [email protected]
Philip Hazel [email protected]
2048 bit RSA key 9766E084FB0F43D8, created: 2002-10-21
Keys 1-1 of 1 for "[email protected]". Enter number(s), N)ext, or Q)uit > 1
gpg: key 9766E084FB0F43D8: 1 duplicate signature removed
gpg: key 9766E084FB0F43D8: public key "Philip Hazel [email protected]" imported
gpg: Total number processed: 1
gpg: imported: 1
C02DC0SHMD6W:web-agents alex.levin$ gpg --verify ~/Downloads/pcre2-10.39.tar.gz.sig
gpg: assuming signed data in '/Users/alex.levin/Downloads/pcre2-10.39.tar.gz'
gpg: Signature made Fri 29 Oct 17:07:03 2021 BST
gpg: using RSA key 45F68D54BBE23FB3039B46E59766E084FB0F43D8
gpg: Good signature from "Philip Hazel [email protected]" [unknown]
gpg: aka "Philip Hazel [email protected]" [unknown]
gpg: aka "Philip Hazel [email protected]" [unknown]
gpg: aka "Philip Hazel [email protected]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 45F6 8D54 BBE2 3FB3 039B 46E5 9766 E084 FB0F 43D8
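The workflow in MatthewVernon's comment and in the last comment above (fetch the key, run gpg --verify, get "Good signature" plus the "not certified" WARNING) is shown below as an added example; it is not part of this thread and not PCRE project code. It pins the expected primary-key fingerprint by reading gpg's machine-readable --status-fd output instead of trusting the human-readable "Good signature" line, which any key in the keyring could produce. It also shows the two rejections a practitioner should expect: a wrong pinned fingerprint, and a detached signature checked against the wrong data file, which is what happened at the top of the thread where the .sig was given ph.gpg rather than the tarball as its second argument. Everything here is a throwaway: a key generated at run time in a temporary GNUPGHOME, a constructed stand-in for the tarball, and the hypothetical names signer@example.invalid and verify_pinned. It needs gpg 2.1 or later.

```shell
#!/bin/sh
# Added example: fingerprint-pinned verification of a detached GnuPG signature.
# Not PCRE project code. Key, files and fingerprints are throwaway values
# created at run time; signer@example.invalid is a made-up identity.
set -eu

# verify_pinned SIGFILE DATAFILE EXPECTED_PRIMARY_FPR
# Succeeds only if gpg reports VALIDSIG and the primary key fingerprint it
# names equals EXPECTED_PRIMARY_FPR. The thread's WARNING lines show the
# release key is uncertified, so the fingerprint is the check that matters.
verify_pinned() {
    sig=$1 data=$2 want=$3
    # Status lines go to fd 1; human-readable chatter on stderr is dropped.
    out=$(gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || return 1
    # Per GnuPG doc/DETAILS, the last field of VALIDSIG is the primary key
    # fingerprint (equal to the signing key's when the primary key signs).
    got=$(printf '%s\n' "$out" | awk '/^\[GNUPG:\] VALIDSIG / { print $NF }')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Throwaway keyring so nothing touches ~/.gnupg; cleaned up on exit.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# Constructed signer key (no passphrase, signing-only primary key).
gpg --batch --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Example Signer <signer@example.invalid>' rsa2048 sign never 2>/dev/null
FPR=$(gpg --batch --with-colons --list-keys | awk -F: '/^fpr/ { print $10; exit }')
WRONG_FPR=0000000000000000000000000000000000000000

# Constructed stand-in for a release tarball, its detached signature, and an
# exported Public-Key file like the one that used to live on ftp.pcre.org.
TARBALL="$GNUPGHOME/release.tar.gz"
SIG="$TARBALL.sig"
PUBKEY="$GNUPGHOME/Public-Key"
printf 'pretend this is a release tarball\n' > "$TARBALL"
gpg --batch --pinentry-mode loopback --passphrase '' \
    --detach-sign --output "$SIG" "$TARBALL"
gpg --batch --armor --export "$FPR" > "$PUBKEY"

# 1. Right data file, right pinned fingerprint: accepted.
if verify_pinned "$SIG" "$TARBALL" "$FPR"; then
    echo "accepted: VALIDSIG from $FPR"
fi
# 2. Right data file, wrong pinned fingerprint: rejected even though gpg
#    itself prints "Good signature" for this key.
if verify_pinned "$SIG" "$TARBALL" "$WRONG_FPR"; then
    echo "BUG: accepted a signature from an unpinned key"
else
    echo "rejected: primary key fingerprint does not match the pinned value"
fi
# 3. Signature checked against the key file instead of the tarball (the
#    mistake at the top of the thread): gpg reports BAD signature.
if verify_pinned "$SIG" "$PUBKEY" "$FPR"; then
    echo "BUG: signature over the tarball verified against another file"
else
    echo "rejected: detached signature does not cover Public-Key"
fi
```

In practice the pinned value is the fingerprint published out of band (here 45F6 8D54 BBE2 3FB3 039B 46E5 9766 E084 FB0F 43D8, without spaces), and the key is fetched by that fingerprint rather than by searching on a name, so a look-alike key on a keyserver cannot satisfy the check.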
