GPG Public Keys to verify Release.gpg
Ralf Mardorf
kde.lists at yahoo.com
Fri May 22 06:59:54 UTC 2020
On Wed, 20 May 2020 15:03:47 +0000, Maximilian Kolb wrote:
>My understanding is that Ubuntu signs the 'Release' file and puts the
>signature into 'Release.gpg' which can be verified with the correct
>public key. This is what I'm missing.

What do you gain by using gpg to verify it? Keys imported by a
keyring package or manually via apt-key are automatically used by apt.
However, if you insist on using gpg to gain absolutely nothing, then
just import the missing key or keys mentioned by the output you get,
when "gpg --verify Release.gpg Release" can't check the signatures.

[rocketmouse at archlinux tmp]$ wget -q http://security.ubuntu.com/ubuntu/dists/xenial-security/Release{,.gpg}
[rocketmouse at archlinux tmp]$ gpg --verify Release.gpg Release
gpg: Signature made Fri 22 May 2020 06:51:01 CEST
gpg: using DSA key 40976EAF437D05B5
gpg: Can't check signature: No public key
gpg: Signature made Fri 22 May 2020 06:51:01 CEST
gpg: using RSA key 3B4FE6ACC0B21F32
gpg: Can't check signature: No public key

The required Ubuntu keys aren't available on my Arch Linux install,
but gpg returns short fingerprints. One solution would be to copy
and paste the fingerprints to retrieve the keys, and after that to
verify again.

[rocketmouse at archlinux tmp]$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 40976EAF437D05B5 3B4FE6ACC0B21F32
gpg: key 3B4FE6ACC0B21F32: 21 signatures not checked due to missing keys
gpg: key 3B4FE6ACC0B21F32: public key "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster at ubuntu.com>" imported
gpg: key 40976EAF437D05B5: 60 signatures not checked due to missing keys
gpg: key 40976EAF437D05B5: public key "Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 2
gpg: imported: 2
[rocketmouse at archlinux tmp]$ gpg --verify Release.gpg Release
gpg: Signature made Fri 22 May 2020 06:51:01 CEST
gpg: using DSA key 40976EAF437D05B5
gpg: Good signature from "Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6302 39CC 130E 1A7F D81A 27B1 4097 6EAF 437D 05B5
gpg: Signature made Fri 22 May 2020 06:51:01 CEST
gpg: using RSA key 3B4FE6ACC0B21F32
gpg: Good signature from "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster at ubuntu.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 790B C727 7767 219C 42C8 6F93 3B4F E6AC C0B2 1F32
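
An added example, not part of the original message: a shell check that accepts Release only when gpg's machine-readable status output reports a valid signature from one of the two primary key fingerprints shown in the output above, rather than relying on the key IDs alone. The function names and the accept/reject policy are assumptions of this example, and the pinned fingerprints are copied from this post, so confirm them through an independent channel first.

```sh
#!/bin/sh
# Added example, not from the original post.
# Primary key fingerprints copied (spaces removed) from the gpg output in
# this post; confirm them through an independent channel before pinning.
PINNED_FPRS="630239CC130E1A7FD81A27B140976EAF437D05B5
790BC7277767219C42C86F933B4FE6ACC0B21F32"

# check_status: read `gpg --status-fd` lines on stdin. Policy assumed for
# this example: fail on any bad, expired-key or revoked-key signature, and
# require at least one VALIDSIG whose primary key fingerprint is pinned.
check_status() {
    _good=0
    while read -r _tag _kind _fpr _d _ts _exp _ver _res _pk _hash _cls _primary _rest; do
        [ "$_tag" = "[GNUPG:]" ] || continue
        case "$_kind" in
            BADSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            VALIDSIG)
                # Field 12 is the primary key fingerprint; fall back to
                # the signing key fingerprint if gpg did not print it.
                _key=${_primary:-$_fpr}
                for _pin in $PINNED_FPRS; do
                    if [ "$_key" = "$_pin" ]; then _good=1; fi
                done ;;
        esac
    done
    [ "$_good" -eq 1 ]
}

# verify_release SIGFILE DATAFILE: run gpg and apply the policy above.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status
}

# Constructed status lines (not captured from a real run) for trying out
# check_status without gpg or network access.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 790BC7277767219C42C86F933B4FE6ACC0B21F32 2020-05-22 1590123061 0 4 0 1 10 00 790BC7277767219C42C86F933B4FE6ACC0B21F32'

# Usage: verify_release Release.gpg Release && echo "signed by a pinned key"
```

A "Good signature" from a key that is not in the pinned list is rejected, which is the case the "not certified with a trusted signature" warning leaves open.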