6

I am trying to figure out how to do the following in one command.

I have an ISO image along with its signature file *.sig. I tried to verify it via GnuPG 2 but it reported a missing public key giving me its fingerprint. I have successfully retrieved a key using the following

gpg2 --keyserver hkp://keys.gnupg.net --recv-key <fingerprint>

but when I checked the key

gpg2 --edit-key <KEY ID>

followed by

gpg> check

I have got this message:

27 signatures not checked due to missing keys

How can I retrieve all these keys to check that the key I have got is trusted?

Jens Erat
Celdor
  • I found a workaround using shell: `gpg2 --list-sigs | grep "ID not found" | cut -c 14-29 | xargs --interactive gpg2 --keyserver hkp://keys.gnupg.net --recv-key` but I am still interested in `gpg2` if it exists. You know relying on the number of characters in the output is not the best approach – Celdor May 27 '17 at 11:07
  • It turns out I need to `cut` with `14-31` instead of `14-29` – Lucius Hu May 28 '19 at 02:54

1 Answer

4

You're not missing keys for the ISO's signature, but keys which issued certifications on the key that signed the image.

GnuPG does not recursively download other keys; you will have to do this on your own (for example, by running a command line like the one you proposed in the comments). But be aware that the certificates provided by other keys do not by themselves assert that the key is valid: it is very easy to generate whole networks of keys that even mimic the real OpenPGP web of trust, as was done in the Evil 32 attack. If you want to validate some key by checking certifications, always build a trust path that ends at your own key (or some other key you verified through another medium, for example by meeting the person).

Jens Erat
  • Thanks for your answer. I feel like I need to go and read the whole manual. This is quite confusing; I know I can trust a key myself. Also, I still don't know if trust and validation are the same. I know I can sign a key. I read that keys can be valid if certain conditions match, e.g. a key can be signed by one of the keys I fully trust. I don't understand what "issue certifications" means! Is it the same as signing keys? Thanks – Celdor May 28 '17 at 22:41
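A more robust form of the workaround from the comments, added here as an example (it is not code from the answer or from GnuPG): it parses the machine-readable `--with-colons` listing instead of cutting fixed character columns, so it does not break when the column layout shifts. The sample listing is constructed; the keyserver default is the one used in the question, and fetched keys still need a trust path to your own key, as the answer explains.

```shell
#!/bin/sh
# Constructed sample of `gpg2 --list-sigs --with-colons KEYID` output.
# Field 1 is the record type, field 5 the 64-bit key ID of the signer,
# field 10 the signer's user ID, or "[User ID not found]" when the
# certifying key is not in the local keyring (assumed colon-format text).
SAMPLE_LISTING='pub:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:::u:::scESC::::::23::0:
uid:u::::1400000000::HASH::Example Signer <signer@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1400000000::::Example Signer <signer@example.org>:13x:::::::::
sig:::1:BBBBBBBBBBBBBBBB:1410000000::::[User ID not found]:10x:::::::::
sig:::1:CCCCCCCCCCCCCCCC:1420000000::::[User ID not found]:10x:::::::::
sig:::1:BBBBBBBBBBBBBBBB:1430000000::::[User ID not found]:10x:::::::::'

# missing_signer_ids: read a colon-format listing on stdin and print the
# unique key IDs of certifications whose issuer key is missing locally.
# Splitting on ':' avoids the fragile `cut -c 14-29` column arithmetic.
missing_signer_ids() {
    awk -F: '$1 == "sig" && $10 == "[User ID not found]" { print $5 }' | sort -u
}

# fetch_missing_signers: read key IDs on stdin and fetch each one from the
# keyserver given as $1 (default: the server used in the question).
# Only the certifying keys are fetched; GnuPG itself never recurses.
fetch_missing_signers() {
    keyserver="${1:-hkp://keys.gnupg.net}"
    while IFS= read -r keyid; do
        [ -n "$keyid" ] || continue
        gpg2 --keyserver "$keyserver" --recv-keys "0x$keyid" \
            || printf 'could not fetch %s\n' "$keyid" >&2
    done
}

# Dry run on the constructed sample: prints BBBBBBBBBBBBBBBB and CCCCCCCCCCCCCCCC.
printf '%s\n' "$SAMPLE_LISTING" | missing_signer_ids

# Real usage (needs gpg2 and network access), e.g.:
#   gpg2 --list-sigs --with-colons KEYID | missing_signer_ids | fetch_missing_signers
# After fetching, rerun `gpg2 --check-sigs KEYID` and then decide trust by
# building a path from your own key, not by counting certifications.
```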