> From: Brooke Kuhlmann > Sent: Sunday, January 24, 2021 11:49 AM > > Hello, I'm trying to figure out how to obtain the public key used to > encrypt Do you mean sign? > the Git file > downloads. I put together a gist that explains the problem and question in detail here: > > https://gist.github.com/bkuhlmann/684b74d25d83d52df8d0caeb6219aa15 Please don’t post links to questions, pasting your content inline here: > Problem > When attempting to download a Git version, it would be nice to verify the signature of the download by running the following: > > curl --remote-name https://mirrors.edge.kernel.org/pub/software/scm/git/git-2.30.0.tar.gz > curl --remote-name https://mirrors.edge.kernel.org/pub/software/scm/git/git-2.30.0.tar.sign > gpg --verify git-2.30.0.tar.sign git-2.30.0.tar.gz > Only problem is that the last line of the above throws the following error: > > gpg: Signature made Sun Dec 27 23:12:30 2020 MST > gpg: using RSA key E1F036B1FEE7221FC778ECEFB0B5E88696AFE6CB > gpg: Can't check signature: No public key > I tried using the following solutions to no avail: $ gpg --recv-keys 96AFE6CB gpg: requesting key 96AFE6CB from hkp server keys.gnupg.net gpg: key 713660A7: "Junio C Hamano <gitster@xxxxxxxxx>" 59 new signatures gpg: key 713660A7: "Junio C Hamano <gitster@xxxxxxxxx>" 2 new subkeys gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: new subkeys: 2 gpg: new signatures: 59 $ gpg --verify -v git-2.30.0.tar.sign git-2.30.0.tar.gz gpg: Signature made Mon Dec 28 01:12:30 2020 EST using RSA key ID 96AFE6CB gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT gpg: NOTE: signature key B3F7CAC9 expired Sun Jul 26 13:41:42 2020 EDT gpg: using subkey 96AFE6CB instead of primary key 713660A7 gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT gpg: NOTE: signature key B3F7CAC9 expired Sun Jul 26 13:41:42 2020 EDT gpg: using PGP trust model gpg: BAD signature from "Junio C Hamano <gitster@xxxxxxxxx>" gpg: binary signature, digest algorithm SHA256 $ gpg --list-keys -v 96AFE6CB gpg: using PGP trust model gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT gpg: NOTE: signature key B3F7CAC9 expired Sun Jul 26 13:41:42 2020 EDT pub 4096R/713660A7 2011-10-01 uid Junio C Hamano <gitster@xxxxxxxxx> uid Junio C Hamano <junio@xxxxxxxxx> uid Junio C Hamano <jch@xxxxxxxxxx> sub 4096R/96AFE6CB 2011-10-03 [expired: 2020-07-26] sub 4096R/833262C4 2011-10-01 sub 4096R/B3F7CAC9 2014-09-20 [expired: 2020-07-26] It is possible that Junio forgot to push his refreshed public key. > > gpg --locate-keys torvalds@xxxxxxxxxx gregkh@xxxxxxxxxx committer@xxxxxxxxxxx discord@xxxxxxxxxxx gitster@xxxxxxxxx > gpg --import <file> # <= Need a file to import but where does one obtain the public key? > I also tried importing only the public keys from the Git repository via the following files without any luck either: > > t/lib-gpg/keyring.gpg > contrib/credential/netrc/test.git-config-gpg > contrib/credential/netrc/test.netrc.gpg > contrib/credential/netrc/test.command-option-gpg > Question > How does one figure out how to obtain the public keys for which the Git downloads were signed? > > If anyone has any advice on how to make this possible, it would be greatly appreciated. > > Thanks, > Brooke >
