12

I was trying to recompile and rebuild the libevent2 source from oneiric on my natty server, and I had a small error with gpg not being able to check the signature:

```
# dpkg-source -x libevent_2.0.12-stable-1.dsc
gpgv: Signature made Fri Jun 17 07:12:50 2011 PDT using DSA key ID 7ADF9466
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./libevent_2.0.12-stable-1.dsc
```

Any idea how to fix this warning?

muru
Flint

3 Answers

12

I believe the conventional solution is to install the GnuPG keys of Debian Developers package:

```
sudo apt-get install debian-keyring
```
ændrük
  • Yes, the gpg commands suggested here by @enzotib and @Flint did not work for me on Ubuntu 14.04, at least for enabling validation when running `apt-get source`. But installing the `debian-keyring` package worked, as @ændrük suggests. – fjarlq May 05 '14 at 18:54
11

First of all, you should import the key to the local keyring as @enzotib instructed:

```
gpg --keyserver keyserver.ubuntu.com --recv-keys 7ADF9466
```

Then export the key to your local trustedkeys to make it trusted:

```
gpg --no-default-keyring -a --export 7ADF9466 | gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import -
```
tshepang
Flint
6

You should import the key to the local keyring with the following command:

```
gpg --keyserver keyserver.ubuntu.com --recv-keys 7ADF9466
```

Then try the command again.

enzotib
  • 1
    Thanks but it still failed to verify the signature – Flint Aug 12 '11 at 16:56
  • 2
    @Flint: you are running as root, so this command should also be run as root, to go to the root keyring. Have you done so? – enzotib Aug 12 '11 at 17:16
  • 6
    Are there any official sources documenting that this approach is secure? How could I know that `7ADF9466` is indeed the correct signing key if it does not exist in the keyring package? What prevents a man in the middle from serving a `dsc` file signed with a different key (possibly even a different key with the same 32-bit hash)? – kasperd Aug 10 '14 at 19:35
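
Added example, not part of any answer or comment above: the last comment points out that an 8-digit key ID does not identify a key, so this sketch reads the machine-readable output of `gpgv --status-fd 1` and accepts a `.dsc` only when the `VALIDSIG` line carries a pinned full fingerprint. The function names are hypothetical, and the fingerprint and status lines are constructed placeholders; the real fingerprint has to come from a source you already trust.

```sh
#!/bin/sh
# Constructed placeholder fingerprint and status lines (not real key material).
PINNED_FPR=AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
GOOD_STATUS="[GNUPG:] GOODSIG 0000111122223333 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG $PINNED_FPR 2011-06-17 1308319970 0 4 0 17 2 01 $PINNED_FPR"
MISSING_KEY_STATUS="[GNUPG:] ERRSIG 0000111122223333 17 2 01 1308319970 9
[GNUPG:] NO_PUBKEY 0000111122223333"

# True only for a 40-hex-digit fingerprint; an 8-digit short ID is rejected.
is_full_fingerprint() {
    case "$1" in
        ""|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Reads gpgv status lines on stdin. Returns 0 only if a VALIDSIG line names
# the pinned fingerprint (signing key or primary key) and no failure status
# appears; 1 if verification failed; 2 if the pin is not a full fingerprint.
check_gpgv_status() {
    pinned=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    if ! is_full_fingerprint "$pinned"; then
        echo "refusing short or malformed key id: $1" >&2
        return 2
    fi
    result=1
    while read -r tag keyword arg1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                # First field: fingerprint of the key that signed;
                # last field: fingerprint of its primary key.
                if [ "$arg1" = "$pinned" ] || [ "${rest##* }" = "$pinned" ]; then
                    result=0
                fi ;;
            BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)
                return 1 ;;
        esac
    done
    return "$result"
}

# Real use (file name from the question):
#   gpgv --status-fd 1 --keyring ~/.gnupg/trustedkeys.gpg \
#       libevent_2.0.12-stable-1.dsc 2>/dev/null | check_gpgv_status "$PINNED_FPR"
if printf '%s\n' "$GOOD_STATUS" | check_gpgv_status "$PINNED_FPR"; then
    echo "constructed good status: accepted"
fi
```

The second constructed sample mirrors the "public key not found" case from the question and is rejected, as is any attempt to pin the 8-digit ID instead of a full fingerprint.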