[lug] apt-get: There is no public key available for the following key IDs

Tyler Cipriani tyler at tylercipriani.com
Wed Nov 16 18:14:11 MST 2016


On 16-11-16 16:00:17, Jed S. Baer wrote:
>I just did an apt-get update, got the usual lines of output, then at the
>bottom:
>
>Fetched 4,528 kB in 14s (319 kB/s)
>Reading package lists... Done
>W: There is no public key available for the following key IDs:
>B7B9C16F2667CA5C

That key is evidently the new Ubuntzilla signing key. Found via:

    gpg --search-keys B7B9C16F2667CA5C
    (1)     Daniel Folkinshteyn (Ubuntuzilla signing key)

You can see it at pgp.mit.edu[0] (or any keyserver, that one's just got
an easy URL to remember).

>The various sites which come up just indicate downloading and installing
>the new key, but don't have much to say about how to determine if there's
>a genuine security issue.
>
>Any thoughts?

This is big medicine, and I'm not ashamed to say that I'm not too good
with gpg (because it's a bear). If anyone on this list cares to correct
my form, please do! Caveat emptor: I'm probably doing it wrong.

Here's how I would try to verify this key.

First, I assume that I, at some point, had the old signing key in my apt
keyring, so I would probably start by importing those keys in a new
keyring:

    mkdir /tmp/keys
    sudo apt-key exportall | gpg --homedir /tmp/keys --import

Then I would download the new key:

    gpg --homedir /tmp/keys --search-keys B7B9C16F2667CA5C

Then, I would check the signatures on this key.

    gpg --homedir /tmp/keys --check-sigs C77205F7194A3E1ABE2DF9A4B7B9C16F2667CA5C

If I saw that I had more than just the self-sig from this key when I checked
the key's signatures, I'd probably accept its authenticity.

== Rationale ==

If the old key is in my apt keyring -- which it must be for this to have
worked at some point (the old key is probably c1289a29[1]), and I
trust *that* key, then I should be able to verify the signature on the
new key with the old public key that is in my keyring.

I think it's questionable whether or not that means I "trust" this new
key, but I trust it as much as I trust that my current system isn't
compromised, I guess.

Again, take this with a grain of salt -- I could be completely wrong, and
be horribly and publicly schooled on gpg and apt :)

-- Tyler

[0]. <https://pgp.mit.edu/pks/lookup?op=vindex&search=0xB7B9C16F2667CA5C>
[1]. <https://pgp.mit.edu/pks/lookup?op=get&search=0xCCC158AFC1289A29>
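To make the "more than just the self-sig" check concrete, here is an added example (my own code, not from this thread or from GnuPG) that parses the machine-readable output of `gpg --with-colons --check-sigs` run against the temporary keyring and reports which already-trusted key IDs (the ones exported from apt) hold a verified signature on the new key. The key IDs are the ones from the thread; the listing and the third signer 0123456789ABCDEF are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class KeySigs:
    keyid: str
    good_sigs: set = field(default_factory=set)  # signers with a verified ('!') sig
    unchecked: set = field(default_factory=set)  # signers not in the keyring ('?')

def parse_check_sigs(colon_output):
    """Parse `gpg --with-colons --check-sigs` output into {keyid: KeySigs}.
    Per gpg's doc/DETAILS: field 1 record type, field 2 validity, field 5 key ID."""
    keys, current = {}, None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = keys.setdefault(f[4], KeySigs(f[4]))
        elif f[0] == "sig" and current is not None:
            signer = f[4]
            if signer == current.keyid:
                continue  # the self-sig says nothing about who vouches for the key
            if f[1] == "!":
                current.good_sigs.add(signer)
            elif f[1] == "?":
                current.unchecked.add(signer)
    return keys

def same_key(a, b):
    """Match key IDs of different lengths (short, long, or full fingerprint)."""
    a, b = a.upper(), b.upper()
    return a.endswith(b) or b.endswith(a)

def certified_by_trusted(keys, new_keyid, trusted_keyids):
    """Trusted key IDs that hold a verified signature on new_keyid, i.e. the
    evidence the 'more than just the self-sig' check is looking for."""
    entry = next((k for kid, k in keys.items() if same_key(kid, new_keyid)), None)
    if entry is None:
        return set()
    return {t for t in trusted_keyids if any(same_key(s, t) for s in entry.good_sigs)}

# Constructed sample (not real gpg output): self-sig, a sig from the old key
# CCC158AFC1289A29, and a sig from a placeholder signer absent from the keyring.
SAMPLE = """\
pub:-:4096:1:B7B9C16F2667CA5C:1479000000:::-:::scESC::::::23::0:
fpr:::::::::C77205F7194A3E1ABE2DF9A4B7B9C16F2667CA5C:
uid:-::::1479000000::0000::Daniel Folkinshteyn (Ubuntuzilla signing key)::::::::::0:
sig:!::1:B7B9C16F2667CA5C:1479000000::::Daniel Folkinshteyn:13x:::::2:
sig:!::1:CCC158AFC1289A29:1479000000::::Daniel Folkinshteyn (old key):10x:::::2:
sig:?::1:0123456789ABCDEF:1479000000::::[User ID not found]:10x:::::2:
"""
```

A '?' validity means gpg could not check that signature because the signer's public key is not in the keyring, so a '?' from the old key would mean the apt export never contained it, not that the signature is bad.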