71

I am trying to import GitHub's webflow signing key on a fresh install of Raspbian (Debian) Buster.

```
$ gpg2 --recv-keys 5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23
gpg: key 4AEE18F83AFDEB23: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
```

I don't understand the error message and am having a hard time finding other users encountering the same error. gpg version:

```
$ gpg --version
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/pi/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
```

I'm certain this key has a User ID! (Verified on OSX)

pinhead
  • When using `%{gpgverify}` (expands to `/usr/lib/rpm/redhat/gpgverify`, a convenience wrapper around `gpgv2`) during RPM packaging on Fedora/CentOS/RHEL, this leads to the quite misleading error message `gpgv: Can't check signature: Bad public key`, which however originates from exactly the same issue (stripped user ID by keyserver). – rsc Sep 15 '22 at 21:09

1 Answer

103

You are probably using the keys.openpgp.org keyserver, which has an owner approval system – it will strip all user IDs unless the owner of the corresponding email address has allowed them to be published.

Try to download the key from elsewhere, such as:

  • `--keyserver hkps://keyserver.ubuntu.com`
  • `--keyserver hkps://pgp.surf.nl` (ex-SKS pool)
  • `--keyserver hkp://pgp.rediris.es` (ex-SKS pool)

(Future GnuPG versions will accept keys without a UID, although it won't be terribly useful except for direct fingerprint-based comparison.)

u1686_grawity
  • 23
    Note that `--keyserver ...` has to be in front of the `--recv-keys ...` flag, else gpg will error out with an unhelpful error message. – thakis Jun 09 '20 at 00:13
  • 2
    @user1686: re "Future GnuPG versions will accept keys without a UID", is [this feature request](https://dev.gnupg.org/T4393) what you were referring to? Unfortunately it's since been closed as wontfix by a GnuPG maintainer. – chrstphrchvz Aug 27 '20 at 09:58
  • 1
    BTW for Debian, keyserver is `keyring.debian.org` – Matija Nalis Dec 14 '20 at 17:03
  • That's only for Debian Developer keys and won't have most other keys you need. (Meanwhile, the keyserver run by Ubuntu is public.) – u1686_grawity Jun 22 '21 at 07:20
  • Hmm... but openpgp.org is much safer to use. The normal key distribution net has various vulnerabilities and we suffered from them before. And unfortunately, the PR was terminated since the other key servers are afraid of losing "authority power" over key publication. https://dev.gnupg.org/T4393 – Wang Aug 02 '23 at 11:00
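
A check that follows from the answer above, added here as an example and not part of the original thread: it receives the key into a throwaway keyring and confirms that the full fingerprint matches and that a user ID actually arrived. The function names, the two sample listings and the default keyserver (picked from the answer's list) are assumptions of this example.

```sh
# Added example (not from the thread). FPR is the fingerprint from the question;
# the uid text and timestamps in the two sample listings are constructed.
FPR=5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23
SAMPLE_NO_UID='pub:-:2048:1:4AEE18F83AFDEB23:1500000000:::-:::scESC:
fpr:::::::::5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23:'
SAMPLE_WITH_UID="$SAMPLE_NO_UID
uid:-::::1500000000::0000000000000000000000000000000000000000::Constructed Signer <signer@example.invalid>:"

# check_listing FINGERPRINT
# Reads `gpg --with-colons` output on stdin. Returns 0 if the primary key's
# fingerprint equals FINGERPRINT and a non-revoked uid record is present,
# 2 on a missing or different fingerprint, 3 when no usable user ID exists.
check_listing() {
    awk -F: -v want="$1" '
        $1 == "pub" { primary = 1 }
        $1 == "sub" { primary = 0 }
        $1 == "fpr" && primary && got == "" { got = $10 }
        $1 == "uid" && $2 != "r" { uids++ }
        END {
            # Append "" to force string (not numeric) comparison.
            if ((got "") != (toupper(want) "")) exit 2
            if (uids == 0) exit 3
        }'
}

# fetch_and_check FINGERPRINT [KEYSERVER]
# Receives the key into a throwaway GNUPGHOME so the real keyring is untouched,
# then runs check_listing on what actually arrived. Needs network access.
fetch_and_check() (
    fpr=$1
    server=${2:-hkps://keyserver.ubuntu.com}
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    trap 'gpgconf --kill all 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
    # --keyserver goes before --recv-keys, as noted in the comments.
    gpg --batch --keyserver "$server" --recv-keys "$fpr" || exit 1
    gpg --batch --with-colons --fingerprint "$fpr" | check_listing "$fpr"
)
```

Run `fetch_and_check "$FPR"` and import into the real keyring only when it returns 0; a return of 2 also covers the case where gpg skipped the key and the temporary keyring stayed empty.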