[lug] apt-get: There is no public key available for the following key IDs

Tyler Cipriani tyler at tylercipriani.com
Thu Nov 17 09:57:48 MST 2016


On 16-11-16 19:26:26, Jed S. Baer wrote:
>When it comes to trust and public keys, it seems as if it's turtles all
>the way down. :) (Meaning, I have not personally verified any of the
>public keys on any keyring on my system.)

Eventually you meet a turtle you can trust :)

For instance, you implicitly trust the Linux kernel insofar as you trust
your computer, ipso facto, you can trust software keys that are signed
by the Linux kernel key. And if you trust those keys...and so on.

This is the idea of the Web of Trust.

There's actually a PGP pathfinder tool online[0] that you can use to
take keys that you trust implicitly and find paths of trust to keys that
you are trying to verify.

For instance, the *new* key is signed by the old key
0xCCC158AFC1289A29[1] (which is not revoked -- although
0x1c144eb4c1289a29[2] is revoked which is a different Ubuntuzilla
signing key). There is an extant path from the Linux Kernel stable
signing key to the key you are trying to verify[3]:

    6092693E  Greg Kroah-Hartman (Linux kernel stable release signing key) <greg.at.kroah.com> #3503 signs
    B4AFF2C2  stats  Markos Chandras <hwoarang.at.gentoo.org> #666 signs
    6B17EA1E  stats  Ludovic Hirlimann (Work key) <lhirlimann.at.mozilla.com> #155 signs
    9753DFAB  stats  Chris Double <chris.double.at.double.co.nz> #8729 signs
    C1289A29  stats  Daniel Folkinshteyn (Ubuntuzilla signing key) <nanotube.at.users.sourceforge.net> #31443

which signs

    2667ca5c  stats  Daniel Folkinshteyn (Ubuntuzilla signing key) <nanotube.at.users.sourceforge.net>

(according to pgp.mit.edu, although it seems pgp.cs.uu.nl doesn't see
that last one yet)

And you can trust all of the above because you can trust me[4] ;)

-- Tyler

[0]. <http://pgp.cs.uu.nl/>
[1]. <https://pgp.mit.edu/pks/lookup?op=vindex&search=0xCCC158AFC1289A29>
[2]. <https://pgp.mit.edu/pks/lookup?op=vindex&search=0x1C144EB4C1289A29>
[3]. <http://pgp.cs.uu.nl/mk_path.cgi?FROM=38DBBDC86092693E&TO=0xccc158afc1289a29&PATHS=trust+paths>
[4]. <http://pgp.cs.uu.nl/mk_path.cgi?FROM=38DBBDC86092693E&TO=0xF6DAD285018FAC02&PATHS=trust+paths>
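
The path search described above, as an added example that is not part of the original message: a breadth-first search over the signature chain quoted in the message that refuses to traverse revoked keys, plus a lookup showing that the short ID C1289A29 matches both the old signing key and the revoked one. The function names and graph layout are assumptions made for illustration; the key IDs are the ones given in the message.

```python
from collections import deque

# Signature edges (signer -> keys it signs), transcribed from the path quoted
# in the message. IDs appear as the message gives them: long IDs where it has
# them, 8-hex short IDs for the intermediate keys.
SIGNS = {
    "38DBBDC86092693E": ["B4AFF2C2"],  # Linux kernel stable release signing key
    "B4AFF2C2": ["6B17EA1E"],
    "6B17EA1E": ["9753DFAB"],
    "9753DFAB": ["CCC158AFC1289A29"],  # old Ubuntuzilla signing key
    "CCC158AFC1289A29": ["2667CA5C"],  # new Ubuntuzilla signing key
}
# A different Ubuntuzilla key that the message says is revoked.
REVOKED = {"1C144EB4C1289A29"}


def known_ids(signs=SIGNS, revoked=REVOKED):
    """Every key ID that appears as a signer, a signed key or a revoked key."""
    return set(signs) | {k for v in signs.values() for k in v} | set(revoked)


def candidates(short_id, known):
    """All known key IDs whose trailing hex digits match short_id."""
    s = short_id.upper()
    s = s[2:] if s.startswith("0X") else s
    return sorted(k for k in known if k.endswith(s))


def trust_path(anchor, target, signs=SIGNS, revoked=REVOKED):
    """Shortest signature chain from anchor to target, or None.

    Revoked keys are never traversed and never accepted as an endpoint.
    """
    if anchor in revoked or target in revoked:
        return None
    queue, seen = deque([[anchor]]), {anchor}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for signed in signs.get(path[-1], []):
            if signed not in seen and signed not in revoked:
                seen.add(signed)
                queue.append(path + [signed])
    return None


if __name__ == "__main__":
    print(candidates("C1289A29", known_ids()))  # two distinct keys share it
    print(trust_path("38DBBDC86092693E", "2667CA5C"))
```

Because the 8-hex short ID is ambiguous here, compare the long ID or full fingerprint before importing a key.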