What to do at failed integrity check?

Moritz Klammler moritz at klammler.eu
Mon Oct 3 22:44:16 CEST 2016


> gpg: Signature made Do 31 Mär 2016 12:56:02 CEST using RSA key ID 4F25E3B6
> gpg: Can't check signature: public key not found

GnuPG didn't tell you that it found out that the file doesn't match the
signature.  It told you that it wasn't able to check whether it is valid
in the first place because your key-ring doesn't contain the key which
the signature says was used to create it.  Without the public key
(certificate) of the signer, you cannot verify the signature.  You can
import the certificate from a public key-server using this command.

    $ gpg --recv-key 4F25E3B6

Where "4F25E3B6" is the ID reported by the error message (and happens to
belong to Werner Koch).

Of course, when you download the certificate like so, an attacker that
has previously tampered with your internet connection, tricking you into
downloading a compromised version of GnuPG (together with a fake
signature), can potentially trick you again, and you cannot be sure that
you've actually downloaded Werner Koch's certificate.  In order to
defend against this, you should check the fingerprint by running

    $ gpg --fingerprint 4F25E3B6
    pub   rsa2048 2011-01-12 [SC] [expires: 2019-12-31]
          D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
    uid           [ unknown] Werner Koch (dist sig)
    sub   rsa2048 2011-01-12 [A] [expires: 2019-12-31]

and checking the output against a trusted source of the fingerprint.
Where you obtain this from, I don't know.  As a minimum, it should match
the fingerprint shown above but of course, that could be tampered with,
too.  (The fingerprint is the hex sequence "D869 2123 C406 5DEA 5E0F
3AB5 249B 39D2 4F25 E3B6".  The other output might differ for legitimate
reasons.)

Alternatively, if you're lucky, you might have participated in enough
key-signings such that GnuPG finds a chain of trust to the key.  As you
can see from the "unknown" in the output shown above, I've not been that
lucky so far.
-- 
OpenPGP:

Public Key:   http://openpgp.klammler.eu
Fingerprint:  2732 DA32 C8D0 EEEC A081  BE9D CF6C 5166 F393 A9C0
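The procedure described in the message above (verify; if the key is
missing, fetch it; check its fingerprint against a trusted value; verify
again), automated as an added example.  This is not code from the post
or from GnuPG.  It reads gpg's --status-fd lines, which are stable and
locale-independent, rather than the human-readable text quoted in the
post, and it pins the full 40-hex-digit fingerprint instead of the 8-digit
key ID: a 32-bit short key ID is cheap to collide and identifies nothing
on its own.  The fingerprint value is the one quoted in the post for
Werner Koch's "dist sig" key; the function names, the file arguments in
the usage line and the sample status lines are this example's own
assumptions.  Where you obtain a trusted copy of the fingerprint is, as
the post says, up to you.

```sh
#!/bin/sh
# Added example, not from the original post or from GnuPG: verify a
# detached signature against a pinned signer fingerprint.  Function names,
# file arguments and the sample status lines are this example's own.

# Normalize a fingerprint as gpg prints it ("D869 2123 ... 4F25 E3B6")
# into 40 uppercase hex digits with no whitespace.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'a-f' 'A-F'
}

# Succeed if an 8- or 16-hex-digit key ID (gpg: "RSA key ID 4F25E3B6") is
# the suffix of the fingerprint.  A short key ID is just the low 32 bits of
# the fingerprint, so this only confirms which key the signature names; it
# says nothing about whether that key is genuine.
keyid_matches_fpr() {
    keyid=$(normalize_fpr "$1")
    fpr=$(normalize_fpr "$2")
    [ "${#fpr}" -eq 40 ] || return 1
    [ "${#keyid}" -eq 8 ] || [ "${#keyid}" -eq 16 ] || return 1
    case "$fpr" in
        *"$keyid") return 0 ;;
        *)         return 1 ;;
    esac
}

# Reduce gpg --status-fd output to one word: NO_PUBKEY (the post's "Can't
# check signature: public key not found"), GOODSIG, BADSIG or UNKNOWN.
status_outcome() {
    printf '%s\n' "$1" | awk '
        /^\[GNUPG:\] NO_PUBKEY / { r = "NO_PUBKEY" }
        /^\[GNUPG:\] BADSIG /    { r = "BADSIG" }
        /^\[GNUPG:\] GOODSIG /   { r = "GOODSIG" }
        END { print (r == "" ? "UNKNOWN" : r) }'
}

# Succeed only if the status output records a good signature and either the
# signing key (VALIDSIG field 3) or its primary key (last field) carries the
# pinned fingerprint.  Comparing full fingerprints, not key IDs, is what
# defeats a substituted key that was fetched from the key-server.
status_matches_pinned() {
    status=$1
    pinned=$(normalize_fpr "$2")
    [ "${#pinned}" -eq 40 ] || return 1
    [ "$(status_outcome "$status")" = "GOODSIG" ] || return 1
    set -- $(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / { print $3, $NF; exit }')
    [ -n "$1" ] || return 1
    [ "$(normalize_fpr "$1")" = "$pinned" ] || [ "$(normalize_fpr "$2")" = "$pinned" ]
}

# Run gpg on a detached signature and return its status lines.  The exit
# code is deliberately ignored here: it is non-zero both for a bad
# signature and for a missing key, and the status lines tell them apart.
gpg_verify_status() {
    LC_ALL=C gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null || true
}

# The post's procedure end to end: verify; if the key is missing, fetch it
# from the key-server; verify again and insist on the pinned fingerprint.
verify_pinned() {
    sig=$1; file=$2; keyid=$3; pinned=$4
    st=$(gpg_verify_status "$sig" "$file")
    if [ "$(status_outcome "$st")" = "NO_PUBKEY" ]; then
        echo "key $keyid not in keyring, fetching it from the key-server" >&2
        gpg --batch --recv-keys "$keyid" >/dev/null 2>&1 || {
            echo "could not fetch key $keyid" >&2; return 1; }
        st=$(gpg_verify_status "$sig" "$file")
    fi
    if status_matches_pinned "$st" "$pinned"; then
        echo "good signature from the pinned key"
    else
        echo "REJECT ($(status_outcome "$st")): no good signature from the pinned key" >&2
        return 1
    fi
}

# Fingerprint quoted in the post for Werner Koch's "dist sig" key; replace
# it with a value you obtained from a source you trust.
PINNED_FPR="D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6"

# Usage: sh verify-pinned.sh gnupg-2.x.tar.bz2.sig gnupg-2.x.tar.bz2
# (file names are placeholders).  Runs only when both arguments are given.
if [ "$#" -eq 2 ]; then
    verify_pinned "$1" "$2" 4F25E3B6 "$PINNED_FPR"
fi
```

A key fetched with --recv-keys that merely shares the short ID 4F25E3B6
passes the NO_PUBKEY step but is rejected by status_matches_pinned, since
its VALIDSIG fingerprint will not equal the pinned one.  The last part of
a bad-signature or missing-key run is therefore a rejection, not a
verification that happens to look like one.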