On Fri, Oct 2, 2020 at 9:04 PM Thien-Thi Nguyen <ttn@xxxxxxxxxxx> wrote:
> I am having problems verifying the 2.69c release of GNU Autoconf:
>
> | $ gpg -k Zack
> | Portachiavi: /home/ttn/.gnupg/pubring.kbx
> | -----------------------------------------
> | pub   ed25519 2018-07-23 [SC]
> |       BF156B83E4D5AD06AF3A0C2C384F8E68AC65B0D5
> | uid           [ unknown] Zack Weinberg (code signing / moxana) <zackw@xxxxxxxxx>
> |
> | $ gpg --verify autoconf-2.69c.tar.xz.sig autoconf-2.69c.tar.xz
> | gpg: Signature made gio 24 set 2020 13:22:49 EDT
> | gpg:                using RSA key 82F854F3CE73174B8B63174091FCC32B6769AA64
> | gpg: Impossibile controllare la firma: No public key
>
> The exit value of the second command is 2 (non-zero).

This is partially my fault for being slightly too clever with my PGP keys, and partially fallout from the keyserver spamming debacle last year (https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f).

Both of the keys whose fingerprints are mentioned above are mine.

$ gpg --list-secret-keys
/home/zack/.gnupg/pubring.gpg
-----------------------------
sec   rsa4096 2010-01-14 [SC]
      82F854F3CE73174B8B63174091FCC32B6769AA64
uid           [ultimate] Zack Weinberg <zackw@xxxxxxxxx>
ssb   rsa4096 2010-01-14 [E]

sec   ed25519 2018-07-23 [SC]
      BF156B83E4D5AD06AF3A0C2C384F8E68AC65B0D5
uid           [  full  ] Zack Weinberg (code signing / moxana) <zackw@xxxxxxxxx>

Key 82F854F3CE73174B8B63174091FCC32B6769AA64 is the one I use for signing email, and the one that I've gotten signed by people in the web of trust. It is _supposed_ to be the one you get from the PGP keyservers if you ask them for the key associated with zackw@xxxxxxxxx. Since it's in the web of trust, it's the key I used to sign the 2.69c release.

Key BF156B83E4D5AD06AF3A0C2C384F8E68AC65B0D5 is exclusively used for signing Git commit records. (For instance, you'll see it show up if you do `git verify-tag v2.69c` in a current Autoconf source tree.) It's not a subkey because there are two more of those, one for each computer on which I regularly do development work. They're not in the web of trust except for being signed by 82F854F3CE73174B8B63174091FCC32B6769AA64.

I uploaded those keys to the keyservers as well, so that people could easily validate the signatures on my commit records, but I thought I had arranged things so that they wouldn't take precedence over ...AA64 in searches by email address. It seems I was wrong:

$ gpg --auto-key-locate keyserver --locate-keys zackw@xxxxxxxxx
pub   ed25519 2018-07-23 [SC]
      BF156B83E4D5AD06AF3A0C2C384F8E68AC65B0D5
uid           [  full  ] Zack Weinberg (code signing / moxana) <zackw@xxxxxxxxx>

I presume this is how Thien-Thi got the wrong key.

I'll see what I can do to get the keyservers to report the correct key for zackw@xxxxxxxxx, but I can't promise I'll get anywhere. However, if you use this procedure to validate the autoconf release tarball it should succeed:

$ gpg --verify autoconf-2.69c.tar.xz.sig autoconf-2.69c.tar.xz
gpg: Signature made Thu Sep 24 13:22:49 2020 EDT
gpg:                using RSA key 82F854F3CE73174B8B63174091FCC32B6769AA64
gpg: Can't check signature: No public key

$ gpg --recv-keys 82F854F3CE73174B8B63174091FCC32B6769AA64
gpg: key 91FCC32B6769AA64: 19 signatures not checked due to missing keys
gpg: key 91FCC32B6769AA64: public key "Zack Weinberg <zackw@xxxxxxxxx>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found

$ gpg --verify autoconf-2.69c.tar.xz.sig autoconf-2.69c.tar.xz
gpg: Signature made Thu Sep 24 13:22:49 2020 EDT
gpg:                using RSA key 82F854F3CE73174B8B63174091FCC32B6769AA64
gpg: Good signature from "Zack Weinberg <zackw@xxxxxxxxx>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 82F8 54F3 CE73 174B 8B63  1740 91FC C32B 6769 AA64

$ gpg --list-signatures 82F854F3CE73174B8B63174091FCC32B6769AA64
pub   rsa4096 2010-01-14 [SC]
      82F854F3CE73174B8B63174091FCC32B6769AA64
uid           [ unknown] Zack Weinberg <zackw@xxxxxxxxx>
sig 3        91FCC32B6769AA64 2010-01-14  Zack Weinberg <zackw@xxxxxxxxx>
sig          51C63320797DC75F 2010-01-14  [User ID not found]
sig          CB32A10788C3A5A5 2010-07-08  [User ID not found]
sig          217EB4E522FEB115 2010-07-08  [User ID not found]
sig          89300BD258E24182 2010-07-11  [User ID not found]
sig          025AB0106B17EA1E 2012-02-14  [User ID not found]
sig          C218525819F78451 2012-05-31  [User ID not found]
sig          9FEE347FAC800B19 2010-07-09  [User ID not found]
sig          6D10531CE3C79D19 2010-07-12  [User ID not found]
sig          1B077D375BA4BDF1 2010-07-13  [User ID not found]
sig          AB98288E36D33D07 2010-08-11  [User ID not found]
sig          180F6A5B3EDE742E 2010-07-08  [User ID not found]
sig 3        29AA2852333E7C23 2012-06-01  [User ID not found]
sig 2        DE7AAF6E94C09C7F 2012-07-22  [User ID not found]
sig          4814DEC22B307C3C 2012-07-05  [User ID not found]
sig          5DAFEFEA7D3BCF23 2012-10-04  [User ID not found]
sig          F91E0FEC77026956 2012-07-07  [User ID not found]
sig          0DDC5745378C39EB 2013-10-14  [User ID not found]
sig 2        381BEC5EA8D6F5EC 2013-09-23  [User ID not found]
sig          242C3E04F018A7C2 2013-10-21  [User ID not found]
sub   rsa4096 2010-01-14 [E]
sig          91FCC32B6769AA64 2010-01-14  Zack Weinberg <zackw@xxxxxxxxx>

And you can then proceed to check the identities associated with those signatures in the usual way.

As a further cross-check, the full fingerprint for key ..AA64 can be found on my website at https://www.owlfolio.org/contact/, as well as a link to where the key can be downloaded directly.

This message is signed with *both* of the keys discussed above.
zw
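The message's procedure ends with "Good signature" plus a manual fingerprint comparison against the one published out of band. The helper below is an added example, not code from the thread or from Autoconf: it parses gpg's machine-readable --status-fd output and accepts a signature only when the VALIDSIG primary fingerprint equals a pinned one, so the NO_PUBKEY failure in the original report and a good signature from the wrong (commit-signing) key are both rejected. The status lines at the bottom are constructed to mirror the sessions quoted above; the function names and the tuple return shape are this example's own choices.

```python
# Added example: pin the release-signing fingerprint instead of trusting whatever
# key a keyserver returns for an email address. GOODSIG alone means "some key in
# the keyring verified the file"; the VALIDSIG primary fingerprint must also match.
import subprocess

RELEASE_KEY_FPR = "82F854F3CE73174B8B63174091FCC32B6769AA64"  # key named in the message

def check_gpg_status(status_lines, expected_fpr):
    """Return (ok, reason, primary_fpr) for a list of '[GNUPG:] ...' status lines."""
    expected = expected_fpr.replace(" ", "").upper()
    good, primary = False, ""
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # ordinary gpg stderr text, not a status line
        kw = fields[1]
        if kw == "NO_PUBKEY":  # the failure in the quoted report: key never imported
            return (False, f"no public key for {fields[2]}; import it by full fingerprint", "")
        if kw in ("BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            return (False, f"{kw} from {fields[2]}", "")
        if kw == "GOODSIG":
            good = True
        elif kw == "VALIDSIG":
            primary = fields[-1].upper()  # last field is the primary key fingerprint
    if not (good and primary):
        return (False, "gpg reported no valid signature", "")
    if primary != expected:
        return (False, f"signed by {primary}, not the pinned key", primary)
    return (True, "good signature from the pinned key", primary)

def verify_tarball(sig_path, tarball_path, expected_fpr=RELEASE_KEY_FPR):
    """Run gpg on real files and evaluate its status output (needs gpg installed)."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, tarball_path],
                          capture_output=True, text=True)
    return check_gpg_status(proc.stdout.splitlines(), expected_fpr)

# Constructed status output modelled on the gpg sessions quoted in the message.
STATUS_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 91FCC32B6769AA64 Zack Weinberg <zackw@xxxxxxxxx>",
    "[GNUPG:] VALIDSIG 82F854F3CE73174B8B63174091FCC32B6769AA64 2020-09-24 1600968169"
    " 0 4 0 1 8 00 82F854F3CE73174B8B63174091FCC32B6769AA64",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
STATUS_NO_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] NO_PUBKEY 91FCC32B6769AA64",
]
```

Pinning the fingerprint also catches the case the message warns about: a lookup by email that returns the ed25519 commit-signing key instead of ...AA64 still fails the check even once that key verifies cleanly.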