[nmglug] How to find/import public keys? Or is there another problem?

Anthony J. Bentley anthony at anjbe.name
Wed Jun 12 18:16:20 PDT 2019


Hi Tom,

Tom Ashcraft writes:
> As my resources as an individual seem exhausted, I request assistance 
> from the NMGLUG hive mind re:
>
> tom at tom-HP-Notebook:~$ gpg --verify youtube-dl.sig /usr/local/bin/youtube-dl
> gpg: Signature made Fri 07 Jun 2019 02:48:58 PM MDT
> gpg:                using RSA key ED7F5BF46B3BBED81C87368E2C393E0F18A9236D
> gpg: Can't check signature: No public key                             
>                  <----?

To check a PGP signature, GPG needs the public key corresponding to the
private key the signature was made with. GPG maintains a database in
your home folder of all public keys it knows. By default, it knows
none; you must add them manually.

> The following GPG keys will be used to sign the binaries and the git tags:
>
>   * Philipp Hagemeister |7D33 D762 FD6C 3513 0481 347F DB4B 54CB A482 6A18|
>   * Sergey M. |ED7F 5BF4 6B3B BED8 1C87 368E 2C39 3E0F 18A9 236D|

PGP public keys are uniquely identified by their fingerprints (the
40-character values listed here). These are the public keys you need
to add to GPG.

> $ gpg --keyserver hkp://keys.gnupg.net --recv-keys 4A0C4F9C 0679EE98 F09C5B1C

This is one way to add public keys to the GPG database. It contacts
a key server and asks for the three public keys corresponding to the
three fingerprints given.

This example is insecure though. The reason it's insecure is that it
uses 8-character (32-bit) fingerprints as shorthand for the full
40-character fingerprints. Perhaps they were acceptable in the 90s,
but these short fingerprints are easy to bruteforce with the hardware
of 2019. See: https://evil32.com/

To do this securely, then, run the command but with the full 40-character
fingerprints instead:

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys \
    'ED7F 5BF4 6B3B BED8 1C87 368E 2C39 3E0F 18A9 236D' \
    '7D33 D762 FD6C 3513 0481 347F DB4B 54CB A482 6A18'

This will import the keys to GPG's database. (You only have to do this
once per public key; next time you check the signature of youtube-dl,
you won't need to reimport the public key.)

Now, the signature verifies correctly:

$ gpg --verify /tmp/youtube-dl.sig /tmp/youtube-dl
gpg: Signature made Fri Jun  7 14:48:58 2019 MDT
gpg:                using RSA key ED7F5BF46B3BBED81C87368E2C393E0F18A9236D
gpg: Good signature from "Sergey M. <dstftw at gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: ED7F 5BF4 6B3B BED8 1C87  368E 2C39 3E0F 18A9 236D

GPG does warn that it has no signature for the key you imported.
PGP practice is to meet people in person, verify that their public keys
belong to them, and sign those keys, and have other people sign your
keys. This is called "Web of Trust". But it's inconvenient to meet
people in person, and easy to get wrong. In this situation, we know
that Sergey's public key is really the one we want, because we got the
fingerprint from a secure source: the HTTPS-protected youtube-dl
homepage. So I am comfortable marking it as a trusted key:

$ gpg --edit-key 'ED7F 5BF4 6B3B BED8 1C87 368E 2C39 3E0F 18A9 236D'
pub  rsa4096/2C393E0F18A9236D
     created: 2016-04-09  expires: never       usage: SC  
     trust: unknown       validity: unknown
sub  rsa4096/C3A4FE63297B1CE1
     created: 2016-04-09  expires: never       usage: E   
[ unknown] (1). Sergey M. <dstftw at gmail.com>


gpg> trust
pub  rsa4096/2C393E0F18A9236D
     created: 2016-04-09  expires: never       usage: SC  
     trust: unknown       validity: unknown
sub  rsa4096/C3A4FE63297B1CE1
     created: 2016-04-09  expires: never       usage: E   
[ unknown] (1). Sergey M. <dstftw at gmail.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  rsa4096/2C393E0F18A9236D
     created: 2016-04-09  expires: never       usage: SC  
     trust: full          validity: unknown
sub  rsa4096/C3A4FE63297B1CE1
     created: 2016-04-09  expires: never       usage: E   
[ unknown] (1). Sergey M. <dstftw at gmail.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit


Now, GPG finally tells me what I want to know, that the signature is "good".

$ gpg --verify /tmp/youtube-dl.sig /tmp/youtube-dl                     
gpg: Signature made Fri Jun  7 14:48:58 2019 MDT
gpg:                using RSA key ED7F5BF46B3BBED81C87368E2C393E0F18A9236D
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1  valid:   2  signed:   0  trust: 2-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2019-11-01
gpg: Good signature from "Sergey M. <dstftw at gmail.com>" [ultimate]

-- 
Anthony J. Bentley


More information about the nmglug mailing list