Retrieve public keys that signed a key I have

I am trying to figure out how to do the following in one command.

I have an ISO image along with its signature file *.sig. I tried to verify it via GnuPG 2 but it reported a missing public key giving me its fingerprint. I have successfully retrieved a key using the following

gpg2 --keyserver hkp://keys.gnupg.net --recv-key <fingerprint>

but when I checked the key

gpg2 --edit-key <KEY ID>

followed by

gpg> check

I got this message:

27 signatures not checked due to missing keys

How can I retrieve all these keys to check that the key I have got is trusted?

Celdor

Posted 2017-05-27T10:31:19.273

Reputation: 313

I found a workaround using shell: `gpg2 --list-sigs <KEY ID> | grep "ID not found" | cut -c 14-29 | xargs --interactive gpg2 --keyserver hkp://keys.gnupg.net --recv-key` but I am still interested in `gpg2` if it exists. You know relying on number of characters in output is not the best approach – Celdor – 2017-05-27T11:07:03.967

It turns out I need to cut with 14-31 instead of 14-29 – Lucius Hu – 2019-05-28T02:54:04.170

Answers

You're not missing keys for the ISO's signature, but keys which issued certifications on the key that signed the image.

GnuPG does not recursively download other keys; you will have to do this on your own (for example, by running a command line like the one you proposed in the comments). But be aware that the certificates provided by other keys do not by themselves assert that the key is valid: it is very easy to generate whole networks of keys that even mimic the real OpenPGP web of trust, as performed in the Evil 32 attack. If you want to validate some key by checking certifications, always build a trust path that ends at your own key (or some other key you verified through another medium, for example by meeting the person).

Jens Erat

Posted 2017-05-27T10:31:19.273

Reputation: 14 141

Thanks for your answer. I feel like I need to go and read the whole manual. This is quite confusing; I know I can trust a key myself. Also, I still don't know if trust and validation are the same. I know I can sign a key. I read keys can be valid if certain conditions match, e.g. a key can be signed by one of the keys I fully trust. I don't understand what "issue certifications" means! Is it the same as signing keys? Thanks – Celdor – 2017-05-28T22:41:40.257
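The workaround from the question's comments, rewritten as an added example (not from the question or the answer) to use GnuPG's machine-readable `--with-colons` listing instead of fixed character offsets, which is what broke between the `14-29` and `14-31` versions. The sample listing is constructed, and the keyserver URL is just the one from the question used as a default parameter.

```shell
#!/bin/sh
# Added example: find the signers whose public keys are missing from the
# keyring and fetch them, parsing colon-separated output rather than
# counting columns in the human-readable listing.

# Constructed sample of `gpg2 --with-colons --list-sigs <KEY ID>` output.
# In "sig" records field 5 is the signer key ID and field 10 the signer's
# user ID, which GnuPG prints as "[User ID not found]" for unknown keys.
SAMPLE_LISTING='pub:u:4096:1:0123456789ABCDEF:1490000000:::u:::scESC::::::23::0:
uid:u::::1490000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1490000000::::Example User <user@example.org>:13x::::::2:
sig:::1:1111222233334444:1490000001::::[User ID not found]:10x::::::2:
sig:::1:5555666677778888:1490000002::::[User ID not found]:10x::::::2:
sig:::1:1111222233334444:1490000003::::[User ID not found]:10x::::::2:
sig:::1:AAAABBBBCCCCDDDD:1490000004::::Known Signer <signer@example.org>:10x::::::2:'

# Read a colon listing on stdin; print each missing signer key ID once.
missing_signer_ids() {
    awk -F: '$1 == "sig" && $10 == "[User ID not found]" { print $5 }' | sort -u
}

# Fetch every missing signer key for KEY_ID from KEYSERVER (hypothetical
# helper; the keyserver default is the one named in the question).
fetch_missing_signers() {
    key_id="$1"
    keyserver="${2:-hkp://keys.gnupg.net}"
    ids=$(gpg2 --with-colons --list-sigs "$key_id" | missing_signer_ids)
    if [ -z "$ids" ]; then
        echo "no missing signer keys for $key_id" >&2
        return 0
    fi
    # Word splitting of $ids is intended: one argument per key ID.
    # shellcheck disable=SC2086
    gpg2 --keyserver "$keyserver" --recv-keys $ids
    # Having the signers' keys lets `gpg2 --check-sigs "$key_id"` verify the
    # certifications; it does not make the key valid. Validity still needs a
    # trust path from your own key, as the answer explains.
}

# Stand-alone demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | missing_signer_ids
```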