[lug] apt-get: There is no public key available for the following key IDs

Jed S. Baer blug at jbaer.cotse.net
Wed Nov 16 19:01:54 MST 2016


On Wed, 16 Nov 2016 18:14:11 -0700
Tyler Cipriani wrote:

> On 16-11-16 16:00:17, Jed S. Baer wrote:
> >I just did an apt-get update, got the usual lines of output, then at
> >the bottom:
> >
> >Fetched 4,528 kB in 14s (319 kB/s)
> >Reading package lists... Done
> >W: There is no public key available for the following key IDs:
> >B7B9C16F2667CA5C
> 
> That key is evidently the new Ubuntzilla signing key. Found via:
> 
>     gpg --search-keys B7B9C16F2667CA5C
>     (1)     Daniel Folkinshteyn (Ubuntuzilla signing key)
> 
> You can see it at pgp.mit.edu[0] (or any keyserver, that one's just got
> an easy URL to remember).

The 1st thing I tried was a web interface search - wasn't MIT, I think I
used OpenPGP, but maybe I forgot to 0x prefix it but I didn't find it. Not
sure why I didn't think of trying the gpg command line though - thanks.

However, at https://sourceforge.net/p/ubuntuzilla/wiki/Main_Page/
it lists the key ID as C1289A29. I suppose that's just a documentation
failure. pgp.mit.edu shows it as having been revoked.

> >The various sites which come up just indicate downloading and
> >installing the new key, but don't have much to say about how to
> >determine if there's a genuine security issue.
> >
> >Any thoughts?
> 
> This is big medicine, and I'm not ashamed to say that I'm not too good
> with gpg (because it's a bear). If anyone on this list cares to correct
> my form, please do! Caveat emptor: I'm probably doing it wrong.
> 
> Here's how I would try to verify this key.
> 
> First, I assume that I, at some point, had the old signing key in my apt
> keyring, so I would probably start by importing those keys in a new
> keyring:
> 
>     mkdir /tmp/keys
>     sudo apt-key exportall | gpg --homedir /tmp/keys --import
 [...]

I did the equivalent, except I used gpa, and apt-key export KEYID. Seems
easier.

So, he self-signed his new key, and also signed it with his old key. The
old key has 2 signatures besides his self-sign, not himself. I don't know
how much this helps me, as I could go on for a long time looking up keys
and sigs. :)

> If I saw that I had more than just the self-sig from this key when I
> checked the key's signatures, I'd probably accept its authenticity.
> 
> == Rationale ==
> 
> If the old key is in my apt keyring -- which it must be for this to have
> worked at some point (the old key is probably c1289a29[1]), and I
> trust *that* key, then I should be able to verify the signature on the
> new key with the old public key that is in my keyring.
> 
> I think it's questionable whether or not that means I "trust" this new
> key, but I trust it as much as I trust that my current system isn't
> compromised, I guess.

The whole 'web of trust' thing doesn't seem to help much here. But you're
right -- when it comes to repository keys, we just trust Ubuntu, or Mint,
or whomever the packager is. And when adding a ppa, IIRC there's a
command to add the key, and I just followed the instructions for that
from the Sourceforge site.
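An added example, not part of the thread: the check Tyler describes (export the apt keyring into a scratch GnuPG home, then look at whether the new key carries a signature from the old key) done against gpg's machine-readable `--with-colons` output instead of reading `--list-sigs` by eye. One point the thread glosses over is that `--list-sigs` only prints signature packets; `--check-sigs` actually verifies them, so the helper below uses that. The sample listings are constructed: only the two key IDs quoted in the thread (B7B9C16F2667CA5C and C1289A29) are real, and the old key's long ID, fingerprint, timestamps, user ID hash and e-mail address are placeholders. The live helper assumes `gpg` is on PATH.

```python
"""Check whether a newly advertised apt signing key is certified by a key we already trust.

Follows the procedure from the thread: export the apt keyring into a scratch GnuPG
home, then look for a verified certification on the new key made by the old key.
Parses GnuPG's machine-readable --with-colons output (field layout per doc/DETAILS).
"""
import subprocess
from dataclasses import dataclass, field


@dataclass
class KeyReport:
    keyid: str                  # long key ID from the pub record (field 5)
    validity: str               # pub record field 2: 'r' revoked, 'e' expired, '-' unknown, ...
    self_signed: bool = False
    good_signers: set = field(default_factory=set)     # verified third-party certifications ('!')
    bad_signers: set = field(default_factory=set)      # certifications that failed to verify ('-')
    missing_signers: set = field(default_factory=set)  # signer's key not in this keyring ('?')


def normalise(keyid: str) -> str:
    k = keyid.strip().upper()
    return k[2:] if k.startswith("0X") else k


def keyid_matches(candidate: str, wanted: str) -> bool:
    """A short key ID is the low 8 hex digits of the long one, so compare by suffix."""
    c, w = normalise(candidate), normalise(wanted)
    if len(c) < 8 or len(w) < 8:
        return False
    return c.endswith(w) or w.endswith(c)


def parse_listing(text: str) -> KeyReport:
    """Parse `gpg --check-sigs --with-colons KEYID` output for a single key."""
    report = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            report = KeyReport(keyid=f[4], validity=f[1])
        elif f[0] == "sig" and report is not None:
            status, signer = f[1], f[4]           # field 2 is the check result, field 5 the signer
            if signer == report.keyid:
                report.self_signed = report.self_signed or status == "!"
            elif status == "!":
                report.good_signers.add(signer)
            elif status == "-":
                report.bad_signers.add(signer)
            else:                                 # '?' no public key, '%' other error
                report.missing_signers.add(signer)
    if report is None:
        raise ValueError("no pub record in listing")
    return report


def certified_by(report: KeyReport, trusted_keyids) -> list:
    """Trusted key IDs (e.g. those already in the apt keyring) with a verified certification."""
    return sorted(t for t in trusted_keyids
                  if any(keyid_matches(s, t) for s in report.good_signers))


def assess(report: KeyReport, trusted_keyids):
    """Rule from the thread: accept only if a key we already trust certified the new key
    and that certification verified.  Returns (accept, certifiers, notes)."""
    notes = []
    certifiers = certified_by(report, trusted_keyids)
    if not report.self_signed:
        notes.append("no verified self-signature")
    if report.validity in ("r", "e"):
        notes.append("key is revoked" if report.validity == "r" else "key is expired")
    if report.bad_signers:
        notes.append("signatures that failed verification: " + ", ".join(sorted(report.bad_signers)))
    if report.missing_signers:
        notes.append("signers not in the scratch keyring (unverifiable): " + ", ".join(sorted(report.missing_signers)))
    if not certifiers:
        notes.append("no verified certification from a key already in the apt keyring")
    accept = report.self_signed and bool(certifiers) and report.validity not in ("r", "e")
    return accept, certifiers, notes


def listing_from_gpg(homedir: str, keyid: str) -> str:
    """Live helper: run against a scratch keyring populated with
    `sudo apt-key exportall | gpg --homedir HOMEDIR --import`.  Not used by the sample run."""
    out = subprocess.run(["gpg", "--homedir", homedir, "--batch", "--with-colons", "--check-sigs", keyid],
                         capture_output=True, text=True, check=False)
    return out.stdout


# Constructed sample of `gpg --check-sigs --with-colons B7B9C16F2667CA5C` after importing the
# apt keyring.  Placeholders: old key's long ID, fingerprint, timestamps, uid hash, e-mail.
NEW_KEY_LISTING = """\
pub:-:4096:1:B7B9C16F2667CA5C:1478822400:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:-::::1478822400::PLACEHOLDERUIDHASH::Daniel Folkinshteyn (Ubuntuzilla signing key) <placeholder@example.invalid>::::::::::0:
sig:!::1:B7B9C16F2667CA5C:1478822400::::Daniel Folkinshteyn (Ubuntuzilla signing key) <placeholder@example.invalid>:13x:::::::::
sig:!::1:00000000C1289A29:1478822400::::Daniel Folkinshteyn (old Ubuntuzilla signing key) <placeholder@example.invalid>:10x:::::::::
sig:?::1:1111111111111111:1478822400::::[User ID not found]:10x:::::::::
"""

# Constructed listing of the old key as the keyserver copy showed it: revoked, self-signed only.
OLD_KEY_LISTING = """\
pub:r:2048:1:00000000C1289A29:1300000000:::-:::sc::::::23::0:
rev:!::1:00000000C1289A29:1478822400::::Daniel Folkinshteyn (old Ubuntuzilla signing key) <placeholder@example.invalid>:20x:::::::::
uid:r::::1300000000::PLACEHOLDERUIDHASH::Daniel Folkinshteyn (old Ubuntuzilla signing key) <placeholder@example.invalid>::::::::::0:
sig:!::1:00000000C1289A29:1300000000::::Daniel Folkinshteyn (old Ubuntuzilla signing key) <placeholder@example.invalid>:13x:::::::::
"""

if __name__ == "__main__":
    for label, listing in (("new key", NEW_KEY_LISTING), ("old key", OLD_KEY_LISTING)):
        ok, certs, notes = assess(parse_listing(listing), ["C1289A29"])
        print(f"{label}: accept={ok} certified_by={certs}")
        for n in notes:
            print("  -", n)
```

The verdict is only as strong as the keyring it is run against: a certification from a key that is itself revoked, or from a signer whose key is not in the scratch keyring, is reported but does not count, and, as Tyler says, even a clean result only means the new key is trusted as much as the old one already was.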
