
It says here that there are 5 Master signing keys for the Arch Linux project. It also says that active, trusted developers have their keys signed by one or more of the master keys. And we can see that Pierre Schmitz's personal key is signed by master keys 0x77514E00, 0x7BE9892E and 0x037F4F41.

Now, I imported all of the Arch project master keys including 0x77514E00, 0x7BE9892E and 0x037F4F41 which it is claimed on the Arch website have signed Pierre Schmitz's personal key.

I verified the archlinux-x86_64.iso with the archlinux-x86_64.iso.sig. It said it was unverified and to go looking for this key ID 0x3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C. Fine. But I just wanted to independently verify that Pierre Schmitz's personal key is in fact signed by the master keys so I can begin doing these verifications intelligently during this and many future tasks.

I listed sigs for Pierre Schmitz's key ID: self-signed OK, I guess I need to recv keys?

I ran recv keys on the key ID.

I refreshed.

And I listed keys again for the ID in question.

Is this actually not possible? Is it not always or never possible to independently verify that a key was signed by a defined set of master keys? Or where am I making a mistake in this verification procedure?

bluesquare
  • I'm troubled by the "unknown" flag. Perhaps [this post](https://unix.stackexchange.com/questions/639514/unknown-validity-despite-having-signed-the-key-myself) can help? – harrymc May 05 '23 at 18:12
  • @harrymc This may be a major part of my issue(?) but I did not personally certify his key because my whole idea was to first independently verify that his key was indeed signed by those master keys. For sure, when I certify his key with my own key, and I run gpg --list-sigs 0x3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C then it shows [ full ] instead of [ unknown ]. Looks like that's how it is when you don't personally sign it: "Unknown validity means that GnuPG hasn’t calculated the web of trust for that key" – bluesquare May 05 '23 at 18:21

1 Answer

It sounds like your GnuPG installation is configured to strip all non-self signatures from the imported keys, as is the default in all new versions. If you want to retain them, you'll now have to explicitly opt in to that:

$ gpg --keyserver-options no-self-sigs-only --recv-key 3E80CA1A...

This filtering became the default in 2019 as the public keyservers were suddenly flooded with tons of garbage signatures (especially with the old SKS keyserver software accepting even malformed packets that would break GnuPG entirely).

This led to WoT-style signature distribution via keyservers dying off even more than it already had; the SKS-based keyserver pool outright shutting down; with large keyservers switching to different software and often no longer synchronizing with each other. (Some new keyservers such as Hagrid don't even accept non-self signatures at all.)

As a result, Arch Linux in general no longer uses keyservers as its primary key distribution mechanism. Instead, the keys can be retrieved directly from https://archlinux.org via WKD, in the same form as they are distributed through Arch packaging – with other developers' signatures attached, but nothing else:

$ gpg --auto-key-locate clear,wkd --locate-external-key pierre@archlinux.org
$ gpg --list-sigs pierre@archlinux.org
u1686_grawity
  • Oh weird. Is that a security feature? Like would a professional want or not prefer to include master keys that have signed it? But this is slick, yes now I can see the sigs of the masters!! – bluesquare May 05 '23 at 18:27
  • It is a security feature, as the second paragraph already says. With traditional keyservers, there is no option for "a professional" to pick and choose which signatures are published together with their key and which aren't. While that was part of the original keyserver design (any of your friends could sign your key and publish that signature), the problem was that nothing stops someone from submitting _millions_ of garbage signatures to be attached to your key and forcing everyone to download them. Hence the move to WKD where keys are published directly by their respective domain owners. – u1686_grawity May 05 '23 at 18:31
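To turn the answer's `gpg --list-sigs` step into a mechanical check, here is an added example (not from the original answer or from Arch) that parses the machine-readable `gpg --with-colons --list-sigs` output and reports which of a given set of master key IDs have certified the key. The listing below is a constructed stand-in for the real output; its master-key signer IDs are placeholders whose last 8 hex digits are the short IDs quoted in the question.

```shell
#!/bin/sh
# Added example: parse `gpg --with-colons --list-sigs <key>` output and report
# which of a given set of master keys have certified the key. Against a live
# keyring, run e.g.:
#   check_master_sigs "$(gpg --with-colons --list-sigs pierre@archlinux.org)" "$ARCH_MASTERS_SHORT"

# Constructed stand-in for the gpg output. The three master-key signer IDs are
# placeholders: only their last 8 hex digits (the short IDs from the question)
# are meaningful, the leading zeros are not real key material.
SAMPLE_LISTING='pub:u:4096:1:76A5EF9054449A5C:1380000000::u:::scSC::::::23::0:
fpr:::::::::3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C:
uid:u::::1380000000::0123456789ABCDEF0123456789ABCDEF01234567::Pierre Schmitz <pierre@archlinux.org>::::::::::0:
sig:::1:76A5EF9054449A5C:1380000000::::Pierre Schmitz <pierre@archlinux.org>:13x:::::2:
sig:::1:0000000077514E00:1380000000::::[placeholder master key A]:13x:::::2:
sig:::1:000000007BE9892E:1380000000::::[placeholder master key B]:13x:::::2:
sig:::1:00000000037F4F41:1380000000::::[placeholder master key C]:13x:::::2:
sig:::1:0000000012345678:1380000000::::[User ID not found]:10x:::::2:'

# Print one "<ID> present|missing" line per master key in $2 (space-separated,
# short or long key IDs, optional 0x prefix). Only certification signatures
# (class 0x10-0x13 in field 11) count; the signer key ID (field 5) matches when
# its trailing hex digits equal the given ID. Short IDs collide easily, so once
# the master keys are in your keyring compare full fingerprints instead.
check_master_sigs() {
    printf '%s\n' "$1" | awk -F: -v masters="$2" '
        BEGIN {
            n = split(masters, m, " ")
            for (i = 1; i <= n; i++) { m[i] = toupper(m[i]); sub(/^0X/, "", m[i]) }
        }
        $1 == "sig" && $11 ~ /^1[0-3]/ {
            signer = toupper($5)
            for (i = 1; i <= n; i++)
                if (substr(signer, length(signer) - length(m[i]) + 1) == m[i]) seen[m[i]] = 1
        }
        END { for (i = 1; i <= n; i++) print m[i], ((m[i] in seen) ? "present" : "missing") }'
}

# Number of master keys from $2 that have certified the key.
count_master_sigs() {
    check_master_sigs "$1" "$2" | awk '$2 == "present" { c++ } END { print c + 0 }'
}

# Master keys from $2 whose certification is absent, one per line.
missing_master_sigs() {
    check_master_sigs "$1" "$2" | awk '$2 == "missing" { print $1 }'
}

ARCH_MASTERS_SHORT="0x77514E00 0x7BE9892E 0x037F4F41"
echo "master certifications found: $(count_master_sigs "$SAMPLE_LISTING" "$ARCH_MASTERS_SHORT")"
```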