Ubuntu image fails to verify on Admin Workstation when following instructions #5082

Closed
simonft opened this issue Dec 19, 2019 · 1 comment · Fixed by #5098

simonft commented Dec 19, 2019

Description

When downloading and verifying Ubuntu following the instructions in the documentation, `gpg --recv-key` fails to add the Ubuntu key when using the default keyserver on Tails (keys.openpgp.org, or at least a Tor hidden service claiming to be that). It shows the message "gpg: key 0x46181433FBB75451: new key but contains no user ID - skipped". The actual verify command then gives the message "gpg: Can't check signature: No public key".

This stackoverflow post claims keys.openpgp.org will strip user ids, and current versions of gnupg won't accept keys without user ids: https://superuser.com/questions/1485213/gpg-cant-import-key-new-key-but-contains-no-user-id-skipped

Steps to Reproduce

On Tails v4.1.1, run `gpg --delete-key 0x46181433FBB75451 ; gpg --recv-key "C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451"`.

Expected Behavior

```
amnesia@amnesia:~/Persistent$  gpg --recv-key "C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451"
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key 46181433FBB75451: public key "Ubuntu CD Image Automatic Signing Key <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
```

Actual Behavior

```
amnesia@amnesia:~/Persistent$ gpg --recv-key "C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451"
gpg: key 0x46181433FBB75451: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
amnesia@amnesia:~/Persistent$ gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 28 Feb 2019 04:54:26 PM UTC
gpg:                using DSA key 0x46181433FBB75451
gpg: Can't check signature: No public key
gpg: Signature made Thu 28 Feb 2019 04:54:26 PM UTC
gpg:                using RSA key 0xD94AA3F0EFE21092
gpg: Can't check signature: No public key
amnesia@amnesia:~/Persistent$ gpg --keyserver keys.openpgp.org --recv-key "C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451"
gpg: key 0x46181433FBB75451: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
amnesia@amnesia:~/Persistent$ gpg --list-keys | grep -A 1 5451
amnesia@amnesia:~/Persistent$ gpg --keyserver pool.sks-keyservers.net --recv-key "C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451"
gpg: key 0x46181433FBB75451: public key "Ubuntu CD Image Automatic Signing Key <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
amnesia@amnesia:~/Persistent$ gpg --list-keys | grep -A 1 5451
pub   dsa1024/0x46181433FBB75451 2004-12-30 [SC]
      Key fingerprint = C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451
uid                   [ unknown] Ubuntu CD Image Automatic Signing Key <[email protected]>
amnesia@amnesia:~/Persistent$ gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 28 Feb 2019 04:54:26 PM UTC
gpg:                using DSA key 0x46181433FBB75451
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451
gpg: Signature made Thu 28 Feb 2019 04:54:26 PM UTC
gpg:                using RSA key 0xD94AA3F0EFE21092
gpg: Can't check signature: No public key
amnesia@amnesia:~/Persistent$ cat ~/.gnupg/dirmngr.conf 
use-tor
keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
```

Comments

This also seems to happen on Debian 10.2 with what I think are the default settings.

Contributor

rocodes commented Jan 20, 2020

Hi Simon,

The first part is indeed an issue with UIDs and the OpenPGP keyserver. Using another keyserver such as the Ubuntu keyserver (hkps://keyserver.ubuntu.com) is a temporary workaround in this case.

The second part is because you need an additional key to verify the Ubuntu image; according to https://help.ubuntu.com/community/VerifyIsoHowto the key with fingerprint "439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092" is their current public key.

We will update the documentation accordingly for both issues. Thank you for reporting this!
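
Added example (not part of the issue thread or the project's documentation): a POSIX shell check that reads the machine-readable output of `gpg --status-fd 1 --verify` and confirms that a valid signature exists for each expected fingerprint, while listing the key IDs gpg could not find, which is the situation in the session above. The function names `norm_fpr` and `check_status` and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `gpg --status-fd 1 --verify SHA256SUMS.gpg SHA256SUMS`
# status output matching the session above: one valid DSA signature and one
# RSA signature whose public key is not in the keyring.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 46181433FBB75451 Ubuntu CD Image Automatic Signing Key
[GNUPG:] VALIDSIG C5986B4F1257FFA86632CBA746181433FBB75451 2019-02-28 1551372866 0 4 0 17 2 00 C5986B4F1257FFA86632CBA746181433FBB75451
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG D94AA3F0EFE21092 1 8 00 1551372866 9
[GNUPG:] NO_PUBKEY D94AA3F0EFE21092'

# Normalise a fingerprint as printed by gpg ("C598 6B4F ...") to 40 hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# check_status FPR... < status-output
# Prints "ok <fpr>" or "no-valid-signature <fpr>" for each expected
# fingerprint, then "missing-key <keyid>" for every NO_PUBKEY line.
# Returns 0 only if every expected fingerprint produced a VALIDSIG.
check_status() {
    status=$(cat)
    rc=0
    for arg in "$@"; do
        fpr=$(norm_fpr "$arg")
        # VALIDSIG carries the signing key fingerprint in field 3 and, when
        # present, the primary key fingerprint in field 12.
        if printf '%s\n' "$status" | awk -v f="$fpr" '
            $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == f || $12 == f) { found = 1 }
            END { exit !found }'
        then
            echo "ok $fpr"
        else
            echo "no-valid-signature $fpr"
            rc=1
        fi
    done
    printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { print "missing-key " $3 }'
    return $rc
}

# Real use (requires gpg and the downloaded files):
#   gpg --status-fd 1 --verify SHA256SUMS.gpg SHA256SUMS 2>/dev/null |
#       check_status "C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451"
```

Matching on the full fingerprint in `VALIDSIG` ties the result to the key named in the documentation rather than to the user ID string, which is not authenticated by the keyserver.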
