[lug] apt-get: There is no public key available for the following key IDs
Jed S. Baer
blug at jbaer.cotse.net
Wed Nov 16 19:01:54 MST 2016
On Wed, 16 Nov 2016 18:14:11 -0700
Tyler Cipriani wrote:
> On 16-11-16 16:00:17, Jed S. Baer wrote:
> >I just did an apt-get update, got the usual lines of output, then at
> >the bottom:
> >Fetched 4,528 kB in 14s (319
> >kB/s) Reading package lists... Done
> >W: There is no public key available for the following key IDs:
> That key is evidently the new Ubuntzilla signing key. Found via:
> gpg --search-keys B7B9C16F2667CA5C
> (1) Daniel Folkinshteyn (Ubuntuzilla signing key)
> You can see it at pgp.mit.edu (or any keyserver, that one's just got
> an easy URL to remember).
The 1st thing I tried was a web interface search - wasn't MIT, I think I
used OpenPGP, but maybe I forgot to 0x prefix it but I didn't find it. Not
sure why I didn't think of trying the gpg command line though - thanks.
However, at https://sourceforge.net/p/ubuntuzilla/wiki/Main_Page/
it list the key ID as C1289A29. I suppose that's just a documentation
failure. pgp.mit.edu shows it as having been revoked.
> >The various sites which come up just indicate downloading and
> >installing the new key, but don't have much to say about how to
> >determine if there's a genuine security issue.
> >Any thoughts?
> This is big medicine, and I'm not ashamed to say that I'm not too good
> with gpg (becuase it's a bear). If anyone on this list cares to correct
> my form, please do! Caveat emptor: I'm probably doing it wrong.
> Here's how I would try to verify this key.
> First, I assume that I, at some point, had the old signing key in my apt
> keyring, so I would probably start by importing those keys in a new
> mkdir /tmp/keys
> sudo apt-key exportall | gpg --homedir /tmp/keys --import
I did the equivalent, except I used gpa, and apt-key export KEYID. Seems
So, he self-signed his new key, and also signed it with his old key. The
old key has 2 signatures besides his self-sign, not himself. I don't know
how much this helps me, as I could go on for a long time looking up keys
and sigs. :)
> If I saw that I had more than just the self-sig from this key when I
> checked the key's signatures, I'd probably accept its authenticity.
> == Rationale ==
> If the old key is in my apt keyring -- which it must be for this to have
> worked at some point (the old key is probably c1289a29), and I
> trust *that* key, then I should be able to verify the signature on the
> new key with the old public key that is in my keyring.
> I think it's questionable whether or not that means I "trust" this new
> key, but I trust it as much as I trust that my current system isn't
> compromised, I guess.
The whole 'web of trust' thing doesn't seem to help much here. But you're
right -- when it comes to repository keys, we just trust Ubuntu, or Mint,
or whomever the packager is. And when adding a ppa, IIRC there's a
command to add the key, and I just followed the instructions for that
from the Sourceforge site.
More information about the LUG