opensuse leap 15.3 - gpg keys import fails

[lord_valarian]

openSUSE-Leap-15.3-DVD-x86_64.iso
openSUSE-Leap-15.3-DVD-x86_64.iso.sha256
openSUSE-Leap-15.3-DVD-x86_64.iso.sha256.asc

Code:

Name        : gpg-pubkey
Version     : 3dbdc284
Release     : 53674dd4
Architecture: (none)
Install Date: Fr 12 Sep 2014 15:02:09 CEST
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Mo 05 Mai 2014 10:37:40 CEST
Build Host  : localhost
Relocations : (not relocatable)
Packager    : openSUSE Project Signing Key <opensuse@opensuse.org>
Summary     : gpg(openSUSE Project Signing Key <opensuse@opensuse.org>)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.11.2 (NSS-3)

mQENBEkUTD8BCADWLy5d5IpJedHQQSXkC1VK/oAZlJEeBVpSZjMCn8LiHaI9Wq3G
3Vp6wvsP1b3kssJGzVFNctdXt5tjvOLxvrEfRJuGfqHTKILByqLzkeyWawbFNfSQ
93/8OunfSTXC1Sx3hgsNXQuOrNVKrDAQUqT620/jj94xNIg09bLSxsjN6EeTvyiO
mtE9H1J03o9tY6meNL/gcQhxBvwuo205np0JojYBP0pOfN8l9hnIOLkA0yu4ZXig
oKOVmf4iTjX4NImIWldT+UaWTO18NWcCrujtgHueytwYLBNV5N0oJIP2VYuLZfSD
VYuPllv7c6O2UEOXJsdbQaVuzU1HLocDyipnABEBAAG0NG9wZW5TVVNFIFByb2pl
Y3QgU2lnbmluZyBLZXkgPG9wZW5zdXNlQG9wZW5zdXNlLm9yZz6JATwEEwECACYC
GwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAUCU2dN1AUJHR8ElQAKCRC4iy/UPb3C
hGQrB/9teCZ3Nt8vHE0SC5NmYMAE1Spcjkzx6M4r4C70AVTMEQh/8BvgmwkKP/qI
CWo2vC1hMXRgLg/TnTtFDq7kW+mHsCXmf5OLh2qOWCKi55Vitlf6bmH7n+h34Sha
Ei8gAObSpZSF8BzPGl6v0QmEaGKM3O1oUbbB3Z8i6w21CTg7dbU5vGR8Yhi9rNtr
hqrPS+q2yftjNbsODagaOUb85ESfQGx/LqoMePD+7MqGpAXjKMZqsEDP0TbxTwSk
4UKnF4zFCYHPLK3y/hSH5SEJwwPY11l6JGdC1Ue8Zzaj7f//axUs/hTC0UZaEE+a
5v4gbqOcigKaFs9Lc3Bj8b/lE10Y
=i2TA
-----END PGP PUBLIC KEY BLOCK-----

Distribution: (none)

>gpg --verify openSUSE-Leap-15.3-DVD-x86_64.iso.sha256.asc
gpg: verify signatures failed: Unexpected error


>gpg --verify openSUSE-Leap-15.3-DVD-x86_64.iso.sha256

gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.


Another day... Thanks to all.

[Sauerland]

If you do not paste the whole commandline (whole!!!) nobody can help.

[nrickert]

local user:

Code:

grep -i 'keyserver' ~/.gnupg/gpg.conf
grep: /home/lehann_beinne/.gnupg/gpg.conf: No such file or directory

Try:

Code:

grep -i keyserver ~/.gnupg/options

[lord_valarian]

I did post the command line and results. ?? opensuse linux 15.3


Anyway, I'm on a different opensuse 15.3 linux system. I did the full install on the successful sha256sum. As test to see what's wrong.

Code:

localhost:~/Downloads> gpg --recv-keys 0x22C07BA534178CD02EFE22AAB88B2FD43DBDC284
gpg: directory '/home/username/.gnupg' created
gpg: keybox '/home/username/.gnupg/pubring.kbx' created
gpg: keyserver receive failed: No name
>gpg --recv-keys 0x22C07BA534178CD02EFE22AAB88B2FD43DBDC284
gpg: keyserver receive failed: No name
>echo 'keyserver hkp://keys.gnupg.net' >> ~/.gnupg/gpg.conf
>gpg --recv-keys 0x22C07BA534178CD02EFE22AAB88B2FD43DBDC284
gpg: keyserver receive failed: No name
>> grep -i keyserver ~/.gnupg/options
grep: /home/lehann_beinne/.gnupg/options: No such file or directory

reinstalled all gpg related files (update uncond...)

No change.

[nrickert]

Code:

% host keys.gnupg.net
Host keys.gnupg.net not found: 3(NXDOMAIN)

It looks as if there's currrently a DNS issue with "keys.gnupg.net"

[lord_valarian]

Code:

% host keys.gnupg.net
Host keys.gnupg.net not found: 3(NXDOMAIN)

It looks as if there's currrently a DNS issue with "keys.gnupg.net"

Same result. Thanks for the assist, let me know when it's fixed.

[Atronach]

Any update on how to solve this? Maybe a different keyserver than keys.gnupg.net? It's rather unpleasant that such a basic task as verifying the authenticity of the openSUSE installation ISO's checksum file is not possible for at least 2 months now.

Code:

david@atronach-opensuse:~> LANG=c gpg --keyserver keys.gnupg.net --receive-keys 0x22C07BA534178CD02EFE22AAB88B2FD43DBDC284
gpg: keyserver receive failed: No name

Also, I followed the guide at https://en.opensuse.org/SDBownload_help#Checksums and there's no information about specifying a keyserver. I checked and I didn't have ~/.gnupg/gpg.conf present on my system. Is it a flaw in the documentation or am I supposed to have gpg.conf with a keyserver specified on a freshly installed system?

[nrickert]

Also, I followed the guide at https://en.opensuse.org/SDBownload_help#Checksums and there's no information about specifying a keyserver. I checked and I didn't have ~/.gnupg/gpg.conf present on my system. Is it a flaw in the documentation or am I supposed to have gpg.conf with a keyserver specified on a freshly installed system?

If you don't have "gpg.conf" then it should use "options" (if that file exists). Otherwise there is supposed to be a default set of options that are used.

I'm seeing the same error. I happen to already have that key in my keyring, so it isn't causing problems here. Maybe you should file a bug report on this.

[Atronach]

If you don't have "gpg.conf" then it should use "options" (if that file exists). Otherwise there is supposed to be a default set of options that are used.
I'm seeing the same error. I happen to already have that key in my keyring, so it isn't causing problems here. Maybe you should file a bug report on this.

I think I don't have the options file, at least not in ~/.gnupg nor in /etc/gnupg. However, I've found out, that a fallback key server is used when none is specified: hkps.pool.sks-keyservers.net: https://office.tuxcon.com/Encryption...b4421a1813c827. It's also stated in the dirmngr man page, a component of GPG:

If no keyserver is explicitly configured, dirmngr will use the built-in default of hkps://hkps.pool.sks-key-servers.net.

This hkps.pool.sks-keyservers.net is rather a pool of servers as you can read on its website and keys.gnupg.net is its DNS alias. Unfortunatelly, hkps.pool.sks-keyservers.net works neither and is being deprecated as again, stated on its website:

This service is deprecated. This means it is no longer maintained, and new HKPS certificates will not be issued. Service reliability should not be expected.

I checked the GPG upsteam issue tracker and found out that keys.gnupg.net not working is already reported: https://dev.gnupg.org/T5527. In this report there's a link to the stackoverwflow.com site which provides a workaroud: Just a use another key server. For a novice like me, it turns out there are actually a lot of key servers with OpenPGP-compatible keys and to download the openSUSE project public key, it doesn't matter which key server to use since they all synchronize with each other as stated in both the dirmngr and pgp man pages.

So I checked the key servers suggested on the aforementioned stackoverflow.com site:

Code:

david@atronach-opensuse:~> LANG=c gpg --keyserver hkps://keys.openpgp.org --search-keys 22C07BA534178CD02EFE22AAB88B2FD43DBDC284
gpg: data source: https://keys.openpgp.org:443
(1)       2048 bit RSA key B88B2FD43DBDC284, created: 2008-11-07
Keys 1-1 of 1 for "22C07BA534178CD02EFE22AAB88B2FD43DBDC284".  Enter number(s), N)ext, or Q)uit > n
david@atronach-opensuse:~> LANG=c gpg --keyserver hkps://keyserver.ubuntu.com --search-keys 22C07BA534178CD02EFE22AAB88B2FD43DBDC284
gpg: data source: https://162.213.33.9:443
(1)     openSUSE Project Signing Key <opensuse@opensuse.org>
          2048 bit RSA key B88B2FD43DBDC284, created: 2008-11-07
Keys 1-1 of 1 for "22C07BA534178CD02EFE22AAB88B2FD43DBDC284".  Enter number(s), N)ext, or Q)uit > n
david@atronach-opensuse:~> LANG=c gpg --keyserver hkps://pgp.mit.edu --search-keys 22C07BA534178CD02EFE22AAB88B2FD43DBDC284
gpg: data source: https://pgp.mit.edu:443
(1)     openSUSE Project Signing Key <opensuse@opensuse.org>
          2048 bit RSA key B88B2FD43DBDC284, created: 2008-11-07, expires: 2024-05-02
Keys 1-1 of 1 for "22C07BA534178CD02EFE22AAB88B2FD43DBDC284".  Enter number(s), N)ext, or Q)uit > n

The openSUSE project public key is available on all 3 keyservers. So I just chose keys.openpgp.org as my key server and put it into ~/.gnupg/dirmngr.conf:

Code:

keyserver hkps://keys.openpgp.org

... dirmngr.conf is the proper config file for keyservers according to the gpg man page

Then I tried to search the openSUSE project public key again but this time without --keyserver option:

Code:

david@atronach-opensuse:~> LANG=c gpg --search-keys 22C07BA534178CD02EFE22AAB88B2FD43DBDC284
gpg: error searching keyserver: No name
gpg: keyserver search failed: No name

That's actually another bug. I had to end the dirmngr process with gpgconf --kill dirmngr and rerun the command to properly reload the settings. This time it worked so I followed with importing the public key to my keyring:

Code:

david@atronach-opensuse:~> LANG=c gpg --receive-keys 22C07BA534178CD02EFE22AAB88B2FD43DBDC284
gpg: key B88B2FD43DBDC284: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

This time it complained about missing user ID so I tried to check if the key imported successfully but gpg --list-keys listed nothing. So I checked the output of --search-keys for all 3 key servers again and noticed that 1 line is missing when searching on keys.openpgp.org but is present when searching on the other two:

Code:

(1)     openSUSE Project Signing Key <opensuse@opensuse.org>

A while later I found out it's actually discussed and resolver here too: https://www.reddit.com/r/openSUSE/co...ation/fxw5uqw/
So I've rewritten dirmngr.conf to contain pgp.mit.edu instead of keys.openpgp.org and tried to import the key again:

Code:

david@atronach-opensuse:~> gpgconf --kill dirmngr
david@atronach-opensuse:~> LANG=c gpg --receive-keys 22C07BA534178CD02EFE22AAB88B2FD43DBDC284gpg: key B88B2FD43DBDC284: public key "openSUSE Project Signing Key <opensuse@opensuse.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Finally this time it worked and since that moment I could successfully authenticate the openSUSE installation ISO's hash:

Code:

david@atronach-opensuse:/windows/Users/David/Downloads/GNU_Linux> LANG=c gpg --verify openSUSE-Leap-15.3-DVD-x86_64.iso.sha256.asc 
gpg: assuming signed data in 'openSUSE-Leap-15.3-DVD-x86_64.iso.sha256'
gpg: Signature made Wed May 26 14:56:40 2021 CEST
gpg:                using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD C284

[Atronach]

It turns out the import fail when using the keys.openpgp.org key server is not a bug but an intention. I think it's up to the openSUSE project to fix their key upload to the key server. I reported a bug here: https://bugzilla.opensuse.org/show_bug.cgi?id=1189597. There is also a link explaining why it's important.