gpg: Can't check signature (FreeBSD)

3

I followed this SA: https://www.freebsd.org/security/advisories/FreeBSD-SA-14:18.openssl.asc

[FreeBSD 10.0] <= my FreeBSD version
fetch <link>/openssl-10.0.patch
fetch <link>/openssl-10.0.patch.asc
gpg --verify openssl-10.0.patch.asc

And I get an error message from the third command:

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/documentation/faqs.html for more information
gpg: Signature made Tue Sep 9 ... using RSA key ID 5DCF6AE7
gpg: Can't check signature: public key not found

I've already run `chmod 4755 /path/to/gpg` and `chmod u+s /path/to/gpg`, but why does the first warning still appear?

Clearly, the `gpg --verify` command failed. I've already googled for solutions. Lots of people have worked through this document without trouble. Some of the answers are about repository problems. None of them were useful for me. I have never set any gpg configuration. What should I do to make it work?

Kir Chou

Posted 2014-09-16T15:12:37.140

Reputation: 133

Answers

1

The message tells you that the signer's key 5DCF6AE7 isn't in your key store yet. Fetch it from a keyserver of your choice:

$ gpg --recv-keys 5DCF6AE7
gpg: requesting key 5DCF6AE7 from hkp server pool.sks-keyservers.net
gpg: key 5DCF6AE7: "FreeBSD Security Officer <security-officer@FreeBSD.org>" not changed

Very likely there's nothing wrong with the file or the repository, and you'll be able to verify the signature after fetching the key.

Jens Erat

Posted 2014-09-16T15:12:37.140

Reputation: 14 141

Thanks, I verified successfully. Then I decided to ignore the first warning message. – Kir Chou – 2014-09-17T07:55:48.940

If the system is under your direct, physical control then you can pretty much ignore that error. If it's hosted elsewhere then it may be an issue (it means that GPG is using parts of RAM and cache that are not, or might not be, appropriately protected). For most people this isn't an issue; those who should be concerned will already be taking steps to protect themselves. – Ben – 2015-06-19T09:53:59.437
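The answer above fetches the key by its 32-bit short ID (`5DCF6AE7`) and then re-runs `gpg --verify`; the check a practitioner wants on top of that is that the signing key's full fingerprint is the one published by FreeBSD, because short key IDs are cheap to collide and a keyserver will happily return any key whose ID matches. The following is an added example, not code from the question, the answer, or the FreeBSD project: it reads the machine-readable status lines that `gpg --status-fd` emits (the same run that prints "Can't check signature: public key not found" on stderr) and only reports success when the signature is good and the primary-key fingerprint matches a pinned value. All fingerprints, long key IDs and status lines in it are constructed samples; the placeholder `PINNED_FPR` must be replaced with the fingerprint from an authoritative FreeBSD source.

```python
"""Judge a `gpg --verify` run from its --status-fd lines and pin the signer's
full fingerprint instead of trusting a 32-bit short key ID.

Added example for this page, not the poster's, the answerer's or FreeBSD's
code.  Fingerprints, long key IDs and status lines are constructed samples.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Every status line looks like "[GNUPG:] KEYWORD arg1 arg2 ...".
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None    # primary-key fingerprint gpg reported
    missing_keyid: Optional[str] = None  # long key ID gpg could not find


def parse_status(status_text: str) -> dict:
    """Group status-line arguments by keyword: {"VALIDSIG": [[args...]], ...}."""
    found: dict = {}
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            found.setdefault(m.group(1), []).append((m.group(2) or "").split())
    return found


def evaluate(status_text: str, pinned_fprs) -> VerifyResult:
    """Succeed only on a good signature whose key matches a pinned fingerprint."""
    pinned = {f.replace(" ", "").upper() for f in pinned_fprs}
    st = parse_status(status_text)
    # The poster's situation: the signing key is not in the keyring at all.
    if "NO_PUBKEY" in st:
        return VerifyResult(False, "public key not found", missing_keyid=st["NO_PUBKEY"][0][0])
    if "BADSIG" in st:
        return VerifyResult(False, "signature does not match the data")
    for kw in ("REVKEYSIG", "EXPKEYSIG", "EXPSIG"):
        if kw in st:
            return VerifyResult(False, f"signature rejected: {kw}")
    if "VALIDSIG" not in st:
        return VerifyResult(False, "gpg reported no valid signature")
    # VALIDSIG: <sig-fpr> <date> <timestamp> <expire> <version> <reserved>
    #           <pubkey-algo> <hash-algo> <class> <primary-key-fpr>
    args = st["VALIDSIG"][0]
    sig_fpr = args[0].upper()
    primary_fpr = args[9].upper() if len(args) > 9 else sig_fpr
    if primary_fpr in pinned or sig_fpr in pinned:
        return VerifyResult(True, "good signature from a pinned key", fingerprint=primary_fpr)
    # Good signature, but from some other key: exactly what a key fetched by
    # short ID (--recv-keys 5DCF6AE7) can turn out to be.
    return VerifyResult(False, "good signature but the key is not pinned", fingerprint=primary_fpr)


def run_gpg_verify(sig_path: str, data_path: Optional[str] = None) -> str:
    """Run gpg and return its status lines (needs gpg on PATH; not used below)."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path]
    if data_path:  # omitted for a detached .asc next to the file it signs
        cmd.append(data_path)
    # The exit code is ignored on purpose: the status lines carry the verdict.
    return subprocess.run(cmd, capture_output=True, text=True).stdout


# Constructed samples.  The long key IDs end in the page's short ID 5DCF6AE7;
# everything before that is made up.  Replace PINNED_FPR with the real value.
PINNED_FPR = "0123456789ABCDEF01234567FFFFFFFF5DCF6AE7"    # placeholder, 40 hex digits
COLLIDING_FPR = "DEADBEEFDEADBEEFDEADBEEFDEADBEEF5DCF6AE7"  # other key, same short ID

STATUS_NO_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FFFFFFFF5DCF6AE7 1 2 00 1410275000 9
[GNUPG:] NO_PUBKEY FFFFFFFF5DCF6AE7
"""
STATUS_GOOD = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FFFFFFFF5DCF6AE7 FreeBSD Security Officer <security-officer@FreeBSD.org>
[GNUPG:] VALIDSIG {PINNED_FPR} 2014-09-09 1410275000 0 4 0 1 2 00 {PINNED_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_COLLIDING = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DEADBEEF5DCF6AE7 Somebody Else <someone@example.com>
[GNUPG:] VALIDSIG {COLLIDING_FPR} 2014-09-09 1410275000 0 4 0 1 2 00 {COLLIDING_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG FFFFFFFF5DCF6AE7 FreeBSD Security Officer <security-officer@FreeBSD.org>
"""

if __name__ == "__main__":
    for name, text in [("no key", STATUS_NO_KEY), ("good", STATUS_GOOD),
                       ("colliding short ID", STATUS_COLLIDING), ("bad", STATUS_BAD)]:
        print(f"{name:>18}: {evaluate(text, [PINNED_FPR])}")
```

The "using insecure memory" warning discussed in the comments goes to stderr and never appears among the status lines, so it has no bearing on this verdict; it only means gpg could not lock its secure memory pages, which matters for secret-key operations far more than for verifying a public signature. To reproduce the poster's flow with this check, run `run_gpg_verify("openssl-10.0.patch.asc")` before and after `gpg --recv-keys`, and treat the `missing_keyid` and `"not pinned"` outcomes as "fetch the key and compare its fingerprint", not as a verified patch.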