2

I have the fingerprint 71A3 B167 3540 5025 D447 E8F2 7481 0B01 2346 C9A6 and I want to download the public key to verify the archive. I'd like to download the key from terminal, and I try to use that command:

gpg  --search-keys "71A3 B167 3540 5025 D447  E8F2 7481 0B01 2346 C9A6"

And I get this result

gpg: data source: https://keys.openpgp.org:443
(1)   2048 bit RSA key 74810B012346C9A6, created: 2011-08-24
Keys 1-1 of 1 for "71A3 B167 3540 5025 D447  E8F2 7481 0B01 2346 C9A6".  
Enter number(s), N)ext, or Q)uit > n

Then I use recv-key

gpg --recv-key 74810B012346C9A6

Result:

gpg: key 74810B012346C9A6: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

I did some research and I tried again with:

gpg --keyserver keyserver.ubuntu.com --recv 74810B012346C9A6

result:

gpg: key 74810B012346C9A6: public key "Wladimir J. van der Laan <laanwj@visucore.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

With the command list-keys I can see that result: gpg --list-keys

pub   rsa2048 2011-08-24 [SC] [expires: 2022-02-10]
      71A3B16735405025D447E8F274810B012346C9A6
uid           [ unknown] Wladimir J. van der Laan <laanwj@visucore.com>
uid           [ unknown] Wladimir J. van der Laan <laanwj@gmail.com>
uid           [ unknown] Wladimir J. van der Laan <laanwj@protonmail.com>
sub   rsa2048 2017-05-17 [S] [expires: 2022-02-10]
sub   rsa2048 2017-05-17 [A] [expires: 2022-02-10]
sub   rsa2048 2011-08-24 [E]

Now, I tried to do the verification

gpg --verify SHA256SUMS.asc

result:

gpg: Signature made Sun Nov 24 10:14:42 2019 CET
gpg:                using RSA key 90C8019E36C2E964
gpg: Can't check signature: No public key

I tried to download the public key form https://bitcoin.org/en/full-node#mac-os-x-yosemite-1010x and https://keys.openpgp.org (with fingerprint) But I Get different values.

monkeyUser
  • 4,301
  • 7
  • 46
  • 95

2 Answers2

2

This question was asked over 1 year ago, but I'll answer anyway in case it helps someone:

First, at step:

Enter number(s), N)ext, or Q)uit > n

You should've typed 1 to import that key. That would've imported it right away, so you wouldn't have to use --recv-keys later.

But the real reason the verification failed is because the key you imported is different from the key used to sign the file. As you can read from the link you posted:

Earlier releases were signed by Wladimir J. van der Laan’s regular key. That key’s fingerprint is: 71A3 B167 3540 5025 D447 E8F2 7481 0B01 2346 C9A6.

So you imported an old key. The correct one is exactly there:

The 0.11 and later releases are signed by Wladimir J. van der Laan’s releases key with the fingerprint: 01EA 5486 DE18 A882 D4C2 6845 90C8 019E 36C2 E964.

Finally, the key you imported is marked as [ unknown] because you haven't signed it. You can do that by using gpg --sign-key <user-id>, so it will be marked as [ full ], meaning you trust it.

Carcamano
  • 1,153
  • 2
  • 11
  • 24
0

Import keys from gist.github.com/laanwj/8368525bba4d89488dd5a0418884d91d

while read line; do gpg  --keyserver keyserver.ubuntu.com  --recv-key ${line:0:41}; done < keys.txt  |  curl  -fsSL https://gist.githubusercontent.com/laanwj/8368525bba4d89488dd5a0418884d91d/raw/0ff5573bf5c0b932d2ca567f77fadf038816c7b8/keys.txt  -o  keys.txt
RandyMcMillan
  • 59
  • 2
  • 3