You are not logged in.
- Topics: Active | Unanswered
#1 2024-09-25 23:08:10
- TheMohawkNinja
- Member
- Registered: 2017-07-11
- Posts: 44
Carl Smedstad PGP does not match gpg results
Hello,
Per the recent CVSS 9.9 vuln that got released, I am in the process of upgrading my Arch box, however I am a bit concerned.
I am being asked to import the PGP key that is allegedly for Carl Smedstad, however the key provided by pacman does not match the key as presented by gpg.
Per: pacman -Syyu
:: Import PGP key F05E8C12131AEB5E, "Carl Smedstad <carsme@archlinux.org>"? [Y/n]Per: gpg --auto-key-locate wkd --search-keys carsme@archlinux.org
gpg: data source: https://185.125.188.27:443
(1) Carl Smedstad <carsme@archlinux.org>
263 bit EDDSA key 3D309011083BA25E, created: 2024-04-01
Keys 1-1 of 1 for "carsme@archlinux.org". Enter number(s), N)ext, or Q)uit > nI am probably just being overly paranoid and missing something, but in the past I have always been able to successfully verify PGP keys.
If anyone can either confirm this is an issue or point out what I am doing wrong, that would be great!
Thank you,
Offline
#2 2024-09-25 23:15:58
- gromit
- Package Maintainer (PM)
- From: Germany
- Registered: 2024-02-10
- Posts: 784
- Website
Re: Carl Smedstad PGP does not match gpg results
Your keyring issue would be probably fixed by: pacman -Sy archlinux-keyring && pacman -Su
Offline
#3 2024-09-25 23:31:06
- TheMohawkNinja
- Member
- Registered: 2017-07-11
- Posts: 44
Re: Carl Smedstad PGP does not match gpg results
Your keyring issue would be probably fixed by: pacman -Sy archlinux-keyring && pacman -Su
Maybe I am misunderstanding how the keyring works, but if pacman -Syyu is asking me to import a key, then that implies it is downloading the key from an Internet resource. Likewise, if gpg gives a data source that is a public IP, it too at least appears to be coming from an Internet resource, so why would running a command to update my local keyring resolve this issue? Wouldn't updating the local keyring pull in the PGP key that gpg returns, thus still causing a mismatch between the to-be-imported PGP key from the system upgrade and my keyring?
I did run the command you suggested, and it did allow my system to update, I just don't understand why that fixed it.
Thank you,
Offline
#4 2024-09-26 00:02:11
- Scimmia
- Fellow
- Registered: 2012-09-01
- Posts: 12,213
Re: Carl Smedstad PGP does not match gpg results
Because the keyring package that you had was too old and didn't include the key in question. By updating that package, you get the latest keys without having to fetch them via wkd
You were getting confused on verifying it because it gave the fingerprint of the signing subkey, but you only displayed the fingerprint of the main key when checking it. There is no mismatch.
Offline
#5 2024-09-26 00:58:42
- TheMohawkNinja
- Member
- Registered: 2017-07-11
- Posts: 44
Re: Carl Smedstad PGP does not match gpg results
Because the keyring package that you had was too old and didn't include the key in question. By updating that package, you get the latest keys without having to fetch them via wkd
You were getting confused on verifying it because it gave the fingerprint of the signing subkey, but you only displayed the fingerprint of the main key when checking it. There is no mismatch.
That would certainly explain the mismatch. Moving forward, what would be the appropriate way to check the signing subkey if gpg displays the main key?
Thank you,
Offline
#6 2024-09-26 07:43:28
- seth
- Member
- Registered: 2012-09-03
- Posts: 60,073
Re: Carl Smedstad PGP does not match gpg results
Please always remember to mark resolved threads by editing your initial posts subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.
Offline
#7 2024-10-06 11:14:30
- bee
- Member
- Registered: 2024-10-06
- Posts: 1
Re: Carl Smedstad PGP does not match gpg results
That would certainly explain the mismatch. Moving forward, what would be the appropriate way to check the signing subkey if gpg displays the main key?
You can tell gpg to show subkey fingerprints by adding "--with-subkey-fingerprint" to a command. E.g. "gpg --with-subkey-fingerprint -k".
If you would like gpg to always show the subkey fingerprints, add a line with only "with-subkey-fingerprint" in it to your gpg.conf.
Offline