Verifying code signature for op

This discussion was created from comments split from: Appimage GPG Signature [Under investigation].

Comments

  • dmitry1pass (Community Member)

    Hi, Ubuntu 20.04.2 LTS

    1. doc is wrong https://support.1password.com/command-line-getting-started/

    $ gpg --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
    gpg: key AC2D62742012EA22: new key but contains no user ID - skipped
    gpg: Total number processed: 1
    gpg: w/o user IDs: 1

    $ gpg --verify op.sig op
    gpg: Signature made Fri 23 Apr 2021 18:43:47 EEST
    gpg: using RSA key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
    gpg: Can't check signature: No public key

    2. I tried to set keyserver.ubuntu.com but there is a warning

    $ gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
    gpg: key AC2D62742012EA22: public key "Code signing for 1Password codesign@1password.com" imported
    gpg: Total number processed: 1
    gpg: imported: 1

    $ gpg --verify op.sig op
    gpg: Signature made Fri 23 Apr 2021 18:43:47 EEST
    gpg: using RSA key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
    gpg: Good signature from "Code signing for 1Password codesign@1password.com" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 3FEF 9748 469A DBE1 5DA7 CA80 AC2D 6274 2012 EA22

  • Hey @dmitry1pass, just to let you know, I'm going to move your post to the CLI category as it seems your post is about that.

    As for the issues you mentioned, it appears that everything has been confirmed correctly. As a brief bit of background, PGP key servers are a bit like phonebooks – they let you find the public key for someone else using something you know about that person. This could be an email address, name, or the key ID (known as the key fingerprint). There are several key servers out there, and they usually share the PGP keys they hold with each other. So when you run gpg --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22, you're requesting the public key with the fingerprint of 3FEF9748469ADBE15DA7CA80AC2D62742012EA22 from a key server.

    But just as phonebooks have different formatting and provide different information, not all key servers work in quite the same way. Some key servers strip out some important information – something called the user ID – from the public key, and GPG doesn't know how to handle this currently. This is a bit like a phonebook leaving out all the phone numbers. As a result, GPG isn't able to add the key in the first attempt you made; when the second command runs, there's no key that it can check against. This is why you see the error gpg: key AC2D62742012EA22: new key but contains no user ID - skipped in the first command, and gpg: Can't check signature: No public key in the second.

    In your second attempt, you specify a keyserver that doesn't strip out the user ID. This means that the PGP key is successfully added. The warning you receive in the second command makes it look like the signature verification has failed, but that isn't the case. The important line here is gpg: Good signature from "Code signing for 1Password codesign@1password.com" [unknown] – this tells you that the signature is good. You can read more on why you get the warning over here in our community.

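The two outcomes in the thread (key not imported, then a good signature with the "[unknown]" trust warning) are exactly what a script should tell apart by gpg's machine-readable status lines instead of grepping "Good signature". The added example below is not 1Password's or GnuPG's code. It pins the fingerprint gpg printed in the thread and decides from `--status-fd` keywords (layout as documented in GnuPG's doc/DETAILS), which is what makes the "not certified with a trusted signature" warning irrelevant: a pinned fingerprint, not the web of trust, is what ties the key to its owner. The status samples are constructed to match the thread's two runs plus a look-alike key with the same user ID; `verify_detached` assumes a `gpg` binary on PATH and is not exercised offline.

```python
"""Verify a detached OpenPGP signature by gpg's status lines plus a pinned
fingerprint.  Added example for this thread; not 1Password's or GnuPG's code."""
import subprocess
from dataclasses import dataclass

# Fingerprint of the 1Password code-signing key as printed in the thread.
# "Good signature ... [unknown]" only proves that *some* key in the keyring
# signed the file; a keyserver will return any key carrying the right user ID.
PINNED_FPR = "3FEF9748469ADBE15DA7CA80AC2D62742012EA22"


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    fingerprint: str = ""   # primary key fingerprint from VALIDSIG
    uid: str = ""           # user ID from GOODSIG
    trust: str = ""         # TRUST_* keyword, informational only


def parse_status(status_text: str, pinned_fpr: str = PINNED_FPR) -> VerifyResult:
    """Interpret the output of `gpg --status-fd 1 --verify`.

    Only VALIDSIG carries the full fingerprint; GOODSIG carries the 64-bit key
    ID and the user ID; the TRUST_* line is the web-of-trust level behind the
    human-readable warning in the thread.  With a pinned fingerprint that
    warning carries no information, so it is recorded but never acted on.
    """
    seen = {}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        seen[parts[1]] = parts[2:]

    # gpg emits ERRSIG alongside NO_PUBKEY, so report the specific cause first.
    if "NO_PUBKEY" in seen:
        return VerifyResult(False, f"no public key for {seen['NO_PUBKEY'][0]}")
    if "BADSIG" in seen:
        return VerifyResult(False, "bad signature")
    if "ERRSIG" in seen:
        return VerifyResult(False, "signature could not be checked")
    for kw, why in (("REVKEYSIG", "revoked"), ("EXPKEYSIG", "expired")):
        if kw in seen:
            return VerifyResult(False, f"signature made with a {why} key")
    if "VALIDSIG" not in seen:
        return VerifyResult(False, "no VALIDSIG line")

    fields = seen["VALIDSIG"]
    # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pk-algo> <hash-algo>
    #          <class> [<primary-fpr>]; compare the pin against the primary key
    # fingerprint (equal to <fpr> when, as here, the primary key itself signed).
    fpr = (fields[9] if len(fields) > 9 else fields[0]).upper()
    uid = " ".join(seen.get("GOODSIG", [])[1:])
    trust = next((kw for kw in seen if kw.startswith("TRUST_")), "")

    if fpr != pinned_fpr.upper():
        return VerifyResult(False, f"fingerprint {fpr} is not the pinned key", fpr, uid, trust)
    return VerifyResult(True, "valid signature from the pinned key", fpr, uid, trust)


def verify_detached(sig_path: str, data_path: str, pinned_fpr: str = PINNED_FPR) -> VerifyResult:
    """Run gpg on a detached signature (e.g. op.sig over op) and interpret it.
    Import the key first, as in the thread:
    gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys <fingerprint>.
    Assumes a gpg binary on PATH; status lines go to stdout via --status-fd 1."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return parse_status(proc.stdout, pinned_fpr)


# Constructed status output for the thread's two runs (1619192627 is
# 2021-04-23 15:43:47 UTC, i.e. 18:43:47 EEST).  Not captured from gpg.
STATUS_NO_PUBKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG AC2D62742012EA22 1 10 00 1619192627 9 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
[GNUPG:] NO_PUBKEY AC2D62742012EA22
"""

STATUS_GOOD_UNKNOWN_TRUST = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 3FEF9748469ADBE15DA7CA80AC2D62742012EA22 0
[GNUPG:] GOODSIG AC2D62742012EA22 Code signing for 1Password <codesign@1password.com>
[GNUPG:] VALIDSIG 3FEF9748469ADBE15DA7CA80AC2D62742012EA22 2021-04-23 1619192627 0 4 0 1 10 00 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: a perfectly valid signature from a look-alike key that carries
# the same user ID.  gpg would print "Good signature" for this one too.
STATUS_IMPOSTOR_KEY = STATUS_GOOD_UNKNOWN_TRUST.replace(
    "3FEF9748469ADBE15DA7CA80AC2D62742012EA22", "DEADBEEF" * 5
).replace("AC2D62742012EA22", "DEADBEEFDEADBEEF")


if __name__ == "__main__":
    for label, status in (("first run", STATUS_NO_PUBKEY),
                          ("second run", STATUS_GOOD_UNKNOWN_TRUST),
                          ("impostor key", STATUS_IMPOSTOR_KEY)):
        r = parse_status(status)
        print(f"{label}: ok={r.ok} trust={r.trust or '-'} reason={r.reason}")
```

The impostor case is the point of pinning: the thread's second run and a signature from any other key with the user ID "Code signing for 1Password" both produce GOODSIG and "Good signature", and only the fingerprint in VALIDSIG separates them.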