I downloaded the latest arch iso and the latest iso.sig. I got the signature from the downloads page and the iso file from one of the worldwide http mirrors. I followed the documentation and it told me to run this command:
gpg --keyserver-options auto-key-retrieve --verify archlinux-2021.05.01-x86_64.iso.sig
When I run it it gives me this output:
gpg: assuming signed data in 'archlinux-2021.05.01-x86_64.iso'
gpg: Signature made Fri 30 Apr 2021 10:24:14 PM PDT
gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: key 7F2D434B9741E8AC: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
gpg: Can't check signature: No public key
I am running this in my Downloads directory, where the iso and signature are both located. From my understanding the --keyserver-options auto-key-retrieve should tell GPG to automatically download the public key from the keyserver to verify the iso, but I don't know why it is not doing this. My theory is that gpg needs a uid, which is missing, which is why it says skipped, so maybe this is not an error on my part, but I doubt it. I would love to hear everyone's advice. Thanks!
Last edited by highfrequencyhertz (2021-09-21 04:21:07)
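The "using RSA key 4AA4…" line in that output comes straight from the detached .sig: the signature packet names its issuer, and gpg prints that before it has any key to check against, which is why the line appears even when the verification then fails. The parser below is an added example, not code from this thread or from GnuPG; it decodes a binary signature packet and reports the issuer fingerprint, key ID, algorithms and creation time. The sample packet it builds is constructed (with dummy bytes where the actual signature value would be) and reuses the fingerprint and timestamp from the post.

```python
"""Read the OpenPGP signature packet in a detached .sig and report which key
made it. Added example, not code from the forum thread or from GnuPG; it
does not verify the signature, it only decodes the issuer information."""
import struct
from datetime import datetime, timezone

PUBKEY_ALGS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGS = {2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}


def _packet_body(data: bytes) -> bytes:
    """Return the body of the first packet, handling old- and new-format headers (RFC 4880 4.2)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not a binary OpenPGP packet (dearmor ASCII .asc files first)")
    if ctb & 0x40:  # new-format header: tag in low 6 bits, variable-size length field
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:  # old-format header: tag in bits 5..2, length type in bits 1..0
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length not supported")
        nbytes = (1, 2, 4)[ltype]
        length, off = int.from_bytes(data[1:1 + nbytes], "big"), 1 + nbytes
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    return data[off:off + length]


def _subpackets(area: bytes):
    """Yield (type, data) for each signature subpacket; the length covers the type octet."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        yield area[i] & 0x7F, area[i + 1:i + length]  # high bit of the type is the "critical" flag
        i += length


def parse_signature(data: bytes) -> dict:
    """Decode a v4 signature packet into issuer fingerprint, key ID, algorithms and time."""
    body = _packet_body(data)
    if body[0] != 4:
        raise ValueError(f"only v4 signatures handled, got v{body[0]}")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + unhashed_len]
    info = {"pubkey_alg": PUBKEY_ALGS.get(body[2], str(body[2])),
            "hash_alg": HASH_ALGS.get(body[3], str(body[3])),
            "created": None, "key_id": None, "fingerprint": None}
    # The hashed area is covered by the signature; the unhashed area is not, so
    # anyone could rewrite an issuer key ID placed there. Hashed values win.
    for area in (hashed, unhashed):
        for subtype, sdata in _subpackets(area):
            if subtype == 2 and info["created"] is None:
                info["created"] = struct.unpack(">I", sdata)[0]
            elif subtype == 16 and info["key_id"] is None:
                info["key_id"] = sdata.hex().upper()
            elif subtype == 33 and info["fingerprint"] is None and sdata[0] == 4:
                info["fingerprint"] = sdata[1:].hex().upper()
    if info["key_id"] is None and info["fingerprint"]:
        info["key_id"] = info["fingerprint"][-16:]  # a v4 key ID is the low 64 bits of the fingerprint
    return info


def describe(info: dict) -> str:
    """Render the result the way gpg's 'Signature made ... using ... key' lines do."""
    when = datetime.fromtimestamp(info["created"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return f"Signature made {when} using {info['pubkey_alg']} key {info['fingerprint'] or info['key_id']}"


def constructed_sample() -> bytes:
    """Constructed packet carrying the issuer data seen in the thread. The trailing
    hash prefix and MPI are dummy bytes, since nothing here checks the signature maths."""
    fpr = bytes.fromhex("4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC")
    created = struct.pack(">I", 1619846654)                        # 2021-05-01 05:24:14 UTC
    hashed = bytes([5, 2]) + created + bytes([22, 33, 4]) + fpr    # creation time + issuer fingerprint
    unhashed = bytes([9, 16]) + fpr[-8:]                           # issuer key ID
    body = (bytes([4, 0, 1, 10]) + struct.pack(">H", len(hashed)) + hashed   # v4, binary doc, RSA, SHA512
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x12\x34" + struct.pack(">H", 8) + b"\x80")                  # hash prefix + dummy MPI
    return bytes([0x88, len(body)]) + body                                   # old-format header, tag 2


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    print(describe(parse_signature(blob)))
```

Run it with the real archlinux-2021.05.01-x86_64.iso.sig as the argument to see the same issuer gpg reports; with no argument it decodes the constructed sample. Either way it answers "which key is this signature claiming?", which is exactly the question to settle before deciding where to fetch that key from.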
Try
gpg --keyserver hkps://hkps.pool.sks-keyservers.net:443 …
or
gpg --keyserver hkps://keyserver.ubuntu.com …
I ran the command with the modifications like this:
gpg --keyserver hkps://hkps.pool.sks-keyservers.net:443 --verify archlinux-2021.05.01-x86_64.iso.sig
and still received this output:
gpg: assuming signed data in 'archlinux-2021.05.01-x86_64.iso'
gpg: Signature made Fri 30 Apr 2021 10:24:14 PM PDT
gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: Can't check signature: No public key
I tried the second one with exactly the same result.
gpg --keyserver hkps://hkps.pool.sks-keyservers.net:443 --search-keys 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
Does that find a key with userID? If not try `killall dirmngr`.
After manually importing the key the ISO should verify. If you want to remove the key afterwards you can use `gpg --delete-keys 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC`
It gives me this output:
gpg: error searching keyserver: No name
gpg: keyserver search failed: No name
What if you switch to the Ubuntu keyserver:
killall dirmngr
gpg --keyserver hkps://keyserver.ubuntu.com --search-keys 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
Sanity check:
ping hkps.pool.sks-keyservers.net
?
I assumed the hkps.pool.sks-keyservers.net pool was still effectively dead.
This service is deprecated. This means it is no longer maintained, and new HKPS certificates will not be issued. Service reliability should not be expected.
Most likely the hkps certificate is not valid anymore. You could try the unencrypted pool.
gpg --keyserver hkp://pool.sks-keyservers.net --search-keys 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
https://lists.nongnu.org/archive/html/s … 00016.html
Last edited by progandy (2021-05-31 20:20:51)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
I assumed the hkps.pool.sks-keyservers.net pool was still effectively dead.
Worksforme™, but the output he gets means "there's no keyserver at that address" - could be IPv6 or there's no network/route at all…
Edit: 42F98DA59741E8AC is retracted but 7F2D434B9741E8AC is still listed good.
Edit #2: "gpg --keyserver hkp://pool.sks-keyservers.net:443 --search-keys 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC" is "gpg: key "4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC" not found on keyserver" (nothing for pierre and iirc
@highfrequencyhertz if you can resolve hkps.pool.sks-keyservers.net, see https://stackoverflow.com/questions/672 … o-hkp-pool
Last edited by seth (2021-05-31 20:08:52)
I don't really know what you mean. Sorry, I don't know much about networking.
Can you ping the server? What's the output of #7?
It gets stuck at
PING hkps.pool.sks-keyservers.net (209.244.105.201) 56(84) bytes of data.
When I do ctrl+c I get
--- hkps.pool.sks-keyservers.net ping statistics ---
47 packets transmitted, 0 received, 100% packet loss, time 47111ms
Also, I don't know if this changes anything, but I am on Ubuntu.
Last edited by highfrequencyhertz (2021-05-31 21:09:07)
So the server is resolved by ping (it actually doesn't seem to respond to ICMP requests)
Check the ubuntu keyserver and the link I posted in #10 to make dirmngr use the standard resolver
I get this
gpg: assuming signed data in 'archlinux-2021.05.01-x86_64.iso'
gpg: Signature made Fri 30 Apr 2021 10:24:14 PM PDT
gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
dirmngr[32424.5]: handler for fd 5 started
dirmngr[32424.5]: DBG: chan_5 -> # Home: /home/kai/.gnupg
dirmngr[32424.5]: DBG: chan_5 -> # Config: [none]
dirmngr[32424.5]: DBG: chan_5 -> OK Dirmngr 2.2.19 at your service
dirmngr[32424.5]: connection from process 32473 (1000:1000)
dirmngr[32424.5]: DBG: chan_5 <- GETINFO version
dirmngr[32424.5]: DBG: chan_5 -> D 2.2.19
dirmngr[32424.5]: DBG: chan_5 -> OK
dirmngr[32424.5]: DBG: chan_5 <- KEYSERVER
dirmngr[32424.5]: DBG: chan_5 -> S KEYSERVER hkps://keys.openpgp.org
dirmngr[32424.5]: DBG: chan_5 -> OK
dirmngr[32424.5]: DBG: chan_5 <- KS_GET --quick -- 0x4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
dirmngr[32424.5]: DBG: dns: getsrv(_pgpkey-https._tcp.keys.openpgp.org) -> 0 records
dirmngr[32424.5]: DBG: dns: resolve_dns_name(keys.openpgp.org): Success
dirmngr[32424.5]: resolve_dns_addr for 'keys.openpgp.org': 'keys.openpgp.org' [already known]
dirmngr[32424.5]: resolve_dns_addr for 'keys.openpgp.org': 'keys.openpgp.org' [already known]
dirmngr[32424.5]: number of system provided CAs: 129
dirmngr[32424.5]: DBG: Using TLS library: GNUTLS 3.6.13
dirmngr[32424.5]: DBG: http.c:connect_server: trying name='keys.openpgp.org' port=443
dirmngr[32424.5]: DBG: dns: resolve_dns_name(keys.openpgp.org): Success
dirmngr[32424.5]: DBG: http.c:1902:socket_new: object 0x00007f1ab02d9910 for fd 6 created
dirmngr[32424.5]: DBG: http.c:request:
dirmngr[32424.5]: DBG: >> GET /pks/lookup?op=get&options=mr&search=0x4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC HTTP/1.0\r\n
dirmngr[32424.5]: DBG: >> Host: keys.openpgp.org\r\n
dirmngr[32424.5]: DBG: http.c:request-header:
dirmngr[32424.5]: DBG: >> \r\n
dirmngr[32424.5]: DBG: chan_5 -> S PROGRESS tick ? 0 0
dirmngr[32424.5]: DBG: http.c:response:
dirmngr[32424.5]: DBG: >> HTTP/1.1 200 OK\r\n
dirmngr[32424.5]: http.c:RESP: 'Server: nginx/1.14.2'
dirmngr[32424.5]: http.c:RESP: 'Date: Mon, 31 May 2021 21:14:07 GMT'
dirmngr[32424.5]: http.c:RESP: 'Content-Type: application/pgp-keys'
dirmngr[32424.5]: http.c:RESP: 'Content-Length: 1241'
dirmngr[32424.5]: http.c:RESP: 'Last-Modified: Tue, 27 Apr 2021 14:46:42 GMT'
dirmngr[32424.5]: http.c:RESP: 'Connection: close'
dirmngr[32424.5]: http.c:RESP: 'Content-Disposition: attachment; filename="4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC.asc"'
dirmngr[32424.5]: http.c:RESP: 'Access-Control-Allow-Origin: *'
dirmngr[32424.5]: http.c:RESP: 'Cache-Control: no-cache'
dirmngr[32424.5]: http.c:RESP: 'Accept-Ranges: bytes'
dirmngr[32424.5]: http.c:RESP: ''
dirmngr[32424.5]: DBG: chan_5 -> S SOURCE https://keys.openpgp.org:443
dirmngr[32424.5]: DBG: (1241 bytes sent via D lines not shown)
dirmngr[32424.5]: DBG: chan_5 -> OK
gpg: key 7F2D434B9741E8AC: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
gpg: Can't check signature: No public key
dirmngr[32424.5]: DBG: chan_5 <- BYE
dirmngr[32424.5]: DBG: chan_5 -> OK closing connection
dirmngr[32424.5]: handler for fd 5 terminated
Please use code tags, not quote tags.
You get that for what?
You're supposed to restart dirmngr w/ the standard resolver and then check the key/sig w/ hkps://hkps.pool.sks-keyservers.net:443 or hkps://keyserver.ubuntu.com - not keys.openpgp.org; we know that and why that fails.
I checked it like this after restarting dirmngr
gpg --keyserver hkps://keyserver.ubuntu.com --verify archlinux-2021.05.01-x86_64.iso.sig
and I got
gpg: assuming signed data in 'archlinux-2021.05.01-x86_64.iso'
gpg: Signature made Fri 30 Apr 2021 10:24:14 PM PDT
gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: Can't check signature: No public key
gpg --keyserver-options auto-key-retrieve --keyserver hkps://keyserver.ubuntu.com --verify archlinux-2021.05.01-x86_64.iso.sig
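That command fetches whichever key made the signature and then reports on it, so a "Good signature" line by itself only says the file matches some key gpg was able to retrieve. The check that actually matters is that the key is the one whose fingerprint the download page publishes. The script below is an added example (not from this thread, the Arch wiki or GnuPG): it wraps the same gpg invocation with --status-fd so the outcome can be parsed instead of eyeballed, and refuses anything but a valid signature from the expected fingerprint. The status lines it ships with are constructed to mirror the two outcomes seen in this thread, and the signer's user ID in them is a placeholder.

```python
"""Verify a detached signature the way a release check should: run gpg with
machine-readable status output and accept only a valid signature from a key
whose fingerprint was obtained out of band. Added example; not from the thread,
the Arch wiki or GnuPG."""
import subprocess
from typing import Optional, Tuple


def parse_status(status_text: str) -> dict:
    """Reduce gpg --status-fd lines (documented in GnuPG's doc/DETAILS) to decision-relevant facts."""
    s = {"valid": False, "bad": False, "no_pubkey": None, "signing_fpr": None,
         "primary_fpr": None, "key_expired": False, "key_revoked": False}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        kw = fields[1]
        if kw == "VALIDSIG":
            s["valid"] = True
            s["signing_fpr"] = fields[2].upper()
            # field 11 is the primary key fingerprint (equal to field 2 when the
            # primary key itself signed); that is the value download pages publish
            s["primary_fpr"] = fields[11].upper() if len(fields) >= 12 else s["signing_fpr"]
        elif kw == "NO_PUBKEY":
            s["no_pubkey"] = fields[2].upper()
        elif kw == "BADSIG":
            s["bad"] = True
        elif kw == "EXPKEYSIG":
            s["key_expired"] = True
        elif kw == "REVKEYSIG":
            s["key_revoked"] = True
    return s


def decide(status_text: str, expected_fpr: str) -> Tuple[bool, str]:
    """True only for a valid, unexpired, unrevoked signature by the expected key.
    auto-key-retrieve fetches whichever key made the signature, so "Good signature"
    on its own proves nothing; the fingerprint comparison is the actual check."""
    expected = expected_fpr.replace(" ", "").upper()
    s = parse_status(status_text)
    if s["no_pubkey"]:
        return False, f"no public key for {s['no_pubkey']}: import it, then rerun"
    if s["bad"]:
        return False, "BAD signature: the ISO or the .sig has been altered"
    if not s["valid"]:
        return False, "signature could not be checked (no VALIDSIG line)"
    if expected not in (s["signing_fpr"], s["primary_fpr"]):
        return False, f"valid signature, but from key {s['primary_fpr']}, expected {expected}"
    if s["key_revoked"]:
        return False, "signing key has been revoked"
    if s["key_expired"]:
        return False, "signing key has expired"
    return True, f"good signature from expected key {expected}"


def verify_detached(sig_path: str, data_path: str, expected_fpr: str,
                    keyserver: Optional[str] = None) -> Tuple[bool, str]:
    """Run gpg as the thread does (keyserver + auto-key-retrieve) and apply decide()."""
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyserver:
        cmd += ["--keyserver", keyserver, "--keyserver-options", "auto-key-retrieve"]
    cmd += ["--verify", sig_path, data_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return decide(proc.stdout, expected_fpr)


# Constructed status output, shaped like gpg's, for the two outcomes seen in the thread.
SAMPLE_OK = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7F2D434B9741E8AC Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC 2021-05-01 1619846654 0 4 0 1 10 00 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
"""
SAMPLE_NO_KEY = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 7F2D434B9741E8AC 1 10 00 1619846654 9 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
[GNUPG:] NO_PUBKEY 7F2D434B9741E8AC
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:   # usage: script.py file.iso.sig file.iso <expected fingerprint>
        ok, msg = verify_detached(sys.argv[1], sys.argv[2], sys.argv[3],
                                  keyserver="hkps://keyserver.ubuntu.com")
    else:
        ok, msg = decide(SAMPLE_OK, "4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC")
    print(("OK: " if ok else "FAIL: ") + msg)
    sys.exit(0 if ok else 1)
```

The expected fingerprint should be copied from the download page (or another channel you trust), never from the keyserver response, since the whole point is to notice when a keyserver hands back a different key than the one the project publishes. Spaces in a pasted fingerprint are tolerated.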
This works. Why is this not in the wiki?
@seth
After killing and restarting dirmngr I restarted my computer and the wifi is broken, what do I do?
Just restarting dirmngr won't impact your wifi at all, nor otherwise harm your "internet" - this is coincidental.
Why is this not in the wiki?
* Your struggles w/ connecting/using hkps.pool.sks-keyservers.net seem to be a local phenomenon, maybe related to your network problems.
* The openpgp keyserver situation is a mess, https://keys.openpgp.org/about/faq#older-gnupg
* I guess the repo gnupg should™ default to a different keyserver (despite the security concerns) or incorporate the rejected patch because of this - but that doesn't help you on ubuntu either. You need a functional keyserver on your system.
Edit, I kinda suspected that anyway… https://bugs.archlinux.org/task/68626
* There're alternative ways mentioned in the wiki to check the integrity of the iso.
Last edited by seth (2021-06-01 05:56:30)
Thanks for the help. I managed to verify the integrity by manually downloading the public key and importing it to GPG. I am going to try auto retrieving the key on a different network because mine can be very wacky.