Can't verify PGP on CLI tools

fieldtensor
fieldtensor
Community Member

I'm having trouble verifying the PGP signature on a download of the Linux CLI tools. This is a fresh Ubuntu 20.04 system on AWS, using the official AWS images for Ubuntu from Canonical. I'm using the instructions from https://support.1password.com/command-line-getting-started/ I have no idea how PGP works, so I can't debug this imagine. I imagine that the documentation has to be updated to mention whatever is causing this issue, since having the instructions fail out of the box on a system as common as Ubuntu feels like a major error work addressing. I imagine the commands in the docs worked out of the box in the past, but perhaps something changed on Ubuntu 20.04 to make them not work anymore.

$ ls
op op.sig op_linux_amd64_v1.3.0.zip
$ gpg --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg: key AC2D62742012EA22: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
$ gpg --verify op.sig
gpg: assuming signed data in 'op'
gpg: Signature made Fri Jul 17 16:33:21 2020 UTC
gpg: using RSA key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg: Can't check signature: No public key
$


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Ubuntu 20.04
Sync Type: Not Provided

Comments

  • felix_1p
    felix_1p
    1Password Alumni

    That's an odd error. I have reached out to our security team which manages the keys.

  • fieldtensor
    fieldtensor
    Community Member

    Thanks for the help. I have a follow up that might be related. I'm trying to install the CLI tools on a Mac using the .pkg installer. I'm getting a warning about signature verification failure during the install process (from a 3rd party security tool I have installed on this machine). It gives me a warning saying "Developer ID Installer: AgileBits Inc., Verification Failed", but it lets me proceed if I want to. Here is a paste of some terminal-based inspection of the .pkg file. Everything looks fine here, but running the GUI installer still says that the verification fails (with no reason/detail given).

    Perhaps this is related to the failure on Ubuntu, or perhaps not. Unfortunately the security pop-up I get in the GUI doesn't give any detail on the verification failure.

    $ spctl -a -vv -t install op_darwin_amd64_v1.3.0.pkg
    op_darwin_amd64_v1.3.0.pkg: accepted
    source=Notarized Developer ID
    origin=Developer ID Installer: AgileBits Inc. (2BUA8C4S2C)

    $ pkgutil --check-signature op_darwin_amd64_v1.3.0.pkg
    Package "op_darwin_amd64_v1.3.0.pkg":
    Status: signed by a developer certificate issued by Apple for distribution
    Signed with a trusted timestamp on: 2020-07-17 16:31:17 +0000
    Certificate Chain:
    1. Developer ID Installer: AgileBits Inc. (2BUA8C4S2C)
    Expires: 2024-10-23 17:10:43 +0000
    SHA256 Fingerprint:
    14 1D D8 7B 2B 23 12 11 F1 44 08 49 79 80 07 DF 62 1D E6 EB 3D AB
    98 5B C9 64 EE 97 04 C4 A1 C1
    ------------------------------------------------------------------------
    2. Developer ID Certification Authority
    Expires: 2027-02-01 22:12:15 +0000
    SHA256 Fingerprint:
    7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
    F2 9C 88 CF B0 B1 BA 63 58 7F
    ------------------------------------------------------------------------
    3. Apple Root CA
    Expires: 2035-02-09 21:40:36 +0000
    SHA256 Fingerprint:
    B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
    68 C5 BE 91 B5 A1 10 01 F0 24

  • Hey @fieldtensor, I've come across the first issue relating to the PGP signature verification once before.

    Public key servers for PGP keys are kind of like a phonebook — they allow you to look up the public key for someone else using something you know about that person. This could be their email address, name, or the key ID (known as the key fingerprint). There are lots of key servers out there and they usually share the public keys they hold with each other. When you run gpg --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22, you're requesting the public key with the fingerprint of 3FEF9748469ADBE15DA7CA80AC2D62742012EA22 from a key server.

    Not all key servers work in quite the same way though. Some key servers strip out some important information — something called the user ID — from the public key, and GPG doesn't know how to handle this currently. As a result, GPG isn't able to add the key in the first command; when the second command runs, there's no key that it can check against. This is why you see the error gpg: key AC2D62742012EA22: new key but contains no user ID - skipped in the first command and gpg: Can't check signature: No public key in the second.

    In that case, telling GPG to use a different key server is likely to work. I've just tested it and it looks like the Ubuntu key server still works as expected, so try this command instead:

    $ gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
    

    If the key is successfully added using that command, then when you run:

    $ gpg --verify op.sig
    

    You should see a similar output to this:

    gpg: assuming signed data in 'op'
    gpg: Signature made Fri 17 Jul 2020 05:33:21 PM BST
    gpg:                using RSA key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
    gpg: Good signature from "Code signing for 1Password <codesign@1password.com>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 3FEF 9748 469A DBE1 5DA7  CA80 AC2D 6274 2012 EA22
    

    This looks like the signature verification has failed at first glance from the gpg: WARNING: This key is not certified with a trusted signature! line, but in this case it has actually succeeded. The line we're looking for is gpg: Good signature from "Code signing for 1Password <codesign@1password.com>" [unknown] — this tells you that the signature is good. You can read more on why you get the warning over here on our forums.

  • fieldtensor
    fieldtensor
    Community Member

    Perfect, that did the trick! I wonder what key server was being used by default if not keyserver.ubuntu.com (especially since this is an Ubuntu machine).

    I had indeed run into that page describing the warning. That makes sense. I'm getting the key finger print from here and I trust that these forum posts are authentic and unaltered, so that the side-channel identity verification makes it OK to ignore the warning.

    Thanks again!

  • DanielP
    DanielP
    1Password Alumni
    edited July 2020

    @fieldtensor:

    I wonder what key server was being used by default if not keyserver.ubuntu.com (especially since this is an Ubuntu machine).

    Probably keys.openpgp.org.

    ===
    Daniel
    1Password Security Team

This discussion has been closed.