--auto-key-retrieve fails for some keys

Tadeus Prastowo 0x66726565 at gmail.com
Tue Nov 2 17:01:18 CET 2021


On Tue, Nov 2, 2021 at 4:05 PM Tadeus Prastowo <0x66726565 at gmail.com> wrote:
>
> Hello,
>
> The signature on a Linux kernel can be verified successfully using
> `--auto-key-retrieve', but the signature on an Emacs cannot be
> verified in the same manner because gpg is unable to retrieve the
> needed public key automatically.
>
> The GPG version is 2.2.19 (libgcrypt 1.8.5, if that matters) as
> shipped by Ubuntu 20.04.3.  I managed to locate only one post in the
> GnuPG mailing list archive with respect to this `--auto-key-retrieve'
> failure.  But, as far as I can see, the post has no response.

The post in question is
https://lists.gnupg.org/pipermail/gnupg-users/2019-October/062940.html

> Perhaps one of you can reproduce the problem by the following steps?
>
> 1. Test using Linux kernel.
> wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.11.tar.xz
> https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.11.tar.sign
> unxz < linux-5.11.tar.xz | gpg --keyserver
> hkp://keyserver.ubuntu.com:80 --auto-key-retrieve --verify
> linux-5.11.tar.sign -
>
> The output of the last command is as follows:
> gpg: Signature made Mon 15 Feb 2021 10:11:32 AM CET
> gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
> gpg: requesting key 38DBBDC86092693E from hkp server keyserver.ubuntu.com
> gpg: key 38DBBDC86092693E: public key "Greg Kroah-Hartman
> <gregkh at linuxfoundation.org>" imported
> gpg: Total number processed: 1
> gpg:               imported: 1
> gpg: Good signature from "Greg Kroah-Hartman
> <gregkh at linuxfoundation.org>" [unknown]
> gpg:                 aka "Greg Kroah-Hartman <gregkh at kernel.org>" [unknown]
> gpg:                 aka "Greg Kroah-Hartman (Linux kernel stable
> release signing key) <greg at kroah.com>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E
>
> 2. Test using Emacs.
> wget  http://mirror.kumi.systems/gnu/emacs/emacs-27.2.tar.xz.sig
> http://mirror.kumi.systems/gnu/emacs/emacs-27.2.tar.xz
> cat emacs-27.2.tar.xz  | gpg --keyserver hkp://keyserver.ubuntu.com:80
> --auto-key-retrieve --verify emacs-27.2.tar.xz.sig -
>
> The output of the last command is as follows:
> gpg: Signature made Thu 25 Mar 2021 12:53:08 PM CET
> gpg:                using RSA key 91C1262F01EB8D39
> gpg: Can't check signature: No public key
>
> The key 0x91C1262F01EB8D39, however, can be retrieved manually just
> fine as shown below:
> gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 0x91C1262F01EB8D39
> gpg: key 91C1262F01EB8D39: public key "Eli Zaretskii (eliz)
> <eliz at gnu.org>" imported
> gpg: Total number processed: 1
> gpg:               imported: 1
>
> Any idea why the --auto-key-retrieve feature fails for some keys?
>
> Thank you.
>
> --
> Best regards,
> Tadeus
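
A triage helper for the two `gpg --verify` outputs quoted in the message above, added here as an example and not part of the original post or of GnuPG. It reports whether the signature names its key by a 40-hex-digit fingerprint or only a 16-hex-digit key ID, together with the verification outcome. The function names and output format are assumptions of this example, and it parses the English human-readable output shown in the post.

```shell
#!/bin/sh
# Added example: classify the English, human-readable output of `gpg --verify`.
# Prints "<id-kind> <outcome> <key-id>"; names and format are this example's own.
classify_gpg_verify() {
    awk '
    /using [A-Za-z0-9]+ key / {
        id = $NF
        if (id !~ /^[0-9A-Fa-f]+$/)  kind = "other"
        else if (length(id) == 40)   kind = "fingerprint"   # full v4 fingerprint
        else if (length(id) == 16)   kind = "long-keyid"    # 64-bit key ID only
        else                         kind = "other"
    }
    /Good signature from/                  { outcome = "good" }
    /BAD signature from/                   { outcome = "bad" }
    /Can.t check signature: No public key/ { outcome = "no-pubkey" }
    END {
        if (id == "") exit 2               # no "using ... key" line seen
        if (outcome == "") outcome = "unknown"
        print kind, outcome, id
    }'
}

# Sample input copied from the post (a subset, with wrapped lines rejoined).
kernel_sample() {
    cat <<'EOF'
gpg: Signature made Mon 15 Feb 2021 10:11:32 AM CET
gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
gpg: requesting key 38DBBDC86092693E from hkp server keyserver.ubuntu.com
gpg: Good signature from "Greg Kroah-Hartman <gregkh at linuxfoundation.org>" [unknown]
EOF
}

emacs_sample() {
    cat <<'EOF'
gpg: Signature made Thu 25 Mar 2021 12:53:08 PM CET
gpg:                using RSA key 91C1262F01EB8D39
gpg: Can't check signature: No public key
EOF
}

# Show how the two cases from the post differ.
kernel_sample | classify_gpg_verify
emacs_sample  | classify_gpg_verify
```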


