Verifying code signature for op
Comments
Hi, Ubuntu 20.04.2 LTS
$ gpg --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg: key AC2D62742012EA22: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
$ gpg --verify op.sig op
gpg: Signature made Пт 23 апр 2021 18:43:47 EEST
gpg: using RSA key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg: Can't check signature: No public key
I tried to set keyserver.ubuntu.com but there is a warning
$ gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg: key AC2D62742012EA22: public key "Code signing for 1Password codesign@1password.com" imported
gpg: Total number processed: 1
gpg: imported: 1
$ gpg --verify op.sig op
gpg: Signature made Пт 23 апр 2021 18:43:47 EEST
gpg: using RSA key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg: Good signature from "Code signing for 1Password codesign@1password.com" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3FEF 9748 469A DBE1 5DA7 CA80 AC2D 6274 2012 EA22
Hey @dmitry1pass, just to let you know, I'm going to move your post to the CLI category as it seems your post is about that.
As for the issues you mentioned, it appears that everything has been confirmed correctly. As a brief bit of background, PGP key servers are a bit like phonebooks – they let you find the public key for someone else using something you know about that person. This could be an email address, name, or the key ID (known as the key fingerprint). There are several key servers out there, and they usually share the PGP keys they hold with each other. So when you run gpg --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22, you're requesting the public key with the fingerprint of 3FEF9748469ADBE15DA7CA80AC2D62742012EA22 from a key server.

But just as phonebooks have different formatting and provide different information, not all key servers work in quite the same way. Some key servers strip out some important information – something called the user ID – from the public key, and GPG doesn't know how to handle this currently. This is a bit like a phonebook leaving out all the phone numbers. As a result, GPG isn't able to add the key in the first attempt you made; when the second command runs, there's no key that it can check against. This is why you see the error
gpg: key AC2D62742012EA22: new key but contains no user ID - skipped
in the first command, and
gpg: Can't check signature: No public key
in the second.

In your second attempt, you specify a keyserver that doesn't strip out the user ID. This means that the PGP key is successfully added. The warning you receive in the second command makes it look like the signature verification has failed, but that isn't the case. The important line here is
gpg: Good signature from "Code signing for 1Password codesign@1password.com" [unknown]
– this tells you that the signature is good. You can read more on why you get the warning over here in our community.
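The reply above explains that "Good signature ... [unknown]" is a trust warning, not a verification failure. The practical way to make that warning irrelevant is to pin the expected primary-key fingerprint and read gpg's machine-readable status output instead of the human-readable text. The script below is an added example, not code from this thread or from 1Password: check_status needs only awk and is fed constructed status lines (the fingerprint is the one quoted in the thread; timestamps, the "wrong key" placeholder fingerprint and its user ID are made up), while verify_pinned assumes gpg 2.x on PATH and defaults to the hkps://keyserver.ubuntu.com server the thread used.

```shell
#!/bin/sh
# Added example (not from the thread or 1Password): verify a detached signature
# by pinning the signer's primary-key fingerprint from gpg --status-fd output,
# so the "[unknown]" trust warning in the human-readable output no longer
# matters. Assumes gpg 2.x on PATH for verify_pinned; check_status needs awk.

# Fingerprint quoted in the thread for the 1Password code-signing key.
EXPECTED_FPR="3FEF9748469ADBE15DA7CA80AC2D62742012EA22"

# check_status EXPECTED_FPR
#   Reads gpg --status-fd lines on stdin. Succeeds only if a VALIDSIG line
#   exists whose last field (the primary-key fingerprint) equals EXPECTED_FPR.
#   GOODSIG alone is not enough: it carries only the 64-bit key ID, and any
#   key that happens to be in the keyring can yield a "Good signature" line.
check_status() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { ok = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# verify_pinned SIG FILE FPR [KEYSERVER]
#   Fetches the key by full fingerprint from a keyserver that keeps user IDs
#   (hkps://keyserver.ubuntu.com by default, as in the thread), then verifies
#   and pins. Returns 0 for a valid signature by the pinned key, 2 if the key
#   could not be fetched, 1 otherwise.
verify_pinned() {
    sig="$1"; file="$2"; fpr="$3"; server="${4:-hkps://keyserver.ubuntu.com}"
    gpg --keyserver "$server" --receive-keys "$fpr" >/dev/null 2>&1 || return 2
    # With --status-fd 1 the machine-readable lines go to stdout; the
    # human-readable "Good signature ... [unknown]" text stays on stderr.
    gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null | check_status "$fpr"
}

# Constructed sample of what gpg --status-fd prints for the thread's second
# attempt (timestamps are made up; the fingerprint is the one from the thread).
SAMPLE_STATUS_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AC2D62742012EA22 Code signing for 1Password <codesign@1password.com>
[GNUPG:] VALIDSIG 3FEF9748469ADBE15DA7CA80AC2D62742012EA22 2021-04-23 1619192627 0 4 0 1 8 00 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample: a cryptographically good signature from some other key
# (placeholder fingerprint and user ID). gpg still prints "Good signature",
# which is exactly why the fingerprint, not GOODSIG, must be the check.
SAMPLE_STATUS_WRONG_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Somebody Else <someone@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2021-04-23 1619192627 0 4 0 1 8 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample: the "No public key" outcome of the thread's first attempt.
SAMPLE_STATUS_NO_KEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG AC2D62742012EA22 1 8 00 1619192627 9 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
[GNUPG:] NO_PUBKEY AC2D62742012EA22'

# Stand-alone use: ./verify.sh op.sig op 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
if [ $# -ge 3 ]; then
    verify_pinned "$@"
fi
```

The point of reading the last field of VALIDSIG is that it names the primary key even when a signing subkey made the signature, so the pin survives key rotation of subkeys, and a signature from any other key in the keyring fails closed regardless of what the human-readable output says.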