4

I am trying to install the latest Tor Browser Bundle on Arch Linux:

$ makepkg --syncdeps --install
[...]
==> Verifying source file signatures with gpg...
    tor-browser-linux64-4.0.8_en-US.tar.xz ... FAILED (unknown public key 2E1AC68ED40814E0)
==> ERROR: One or more PGP signatures could not be verified!

I am not able to import the GPG key:

$ gpg --keyserver keys.gnupg.net --recv-keys 2E1AC68ED40814E0
gpg: keyserver receive failed: No keyserver available
$ gpg --keyserver pgp.mit.edu --recv-keys 2E1AC68ED40814E0
gpg: keyserver receive failed: No keyserver available

The command fails immediately every time. This has happened before with other keys, and I'm wondering if GPG gets itself into a bind sometimes. I am perfectly able to use the Internet otherwise, and I have a bare bones GPG configuration:

$ grep -ve '^#' -e '^$' ~/.gnupg/gpg.conf 
require-cross-certification
keyserver hkp://pgp.mit.edu

What can I do to actually download and import the key using gpg? sudo pacman-key --recv-key 2E1AC68ED40814E0 runs fine, but it appears that keyring isn't used by makepkg.

l0b0
  • 51,350

3 Answers3

3

I can not reproduce this problem. Here the import works fine (forgive the German output):

$ gpg --keyserver keys.gnupg.net --recv-keys 2E1AC68ED40814E0
gpg: Schlüssel D40814E0 von hkp-Server keys.gnupg.net anfordern
gpg: Schlüssel 93298290: Öffentlicher Schlüssel "Tor Browser Developers (signing key) <torbrowser@torproject.org>" importiert
gpg: 3 marginal-needed, 1 complete-needed, PGP Vertrauensmodell
gpg: Tiefe: 0  gültig:   3  unterschrieben:  33  Vertrauen: 0-, 0q, 0n, 0m, 0f, 3u
gpg: Tiefe: 1  gültig:  33  unterschrieben: 132  Vertrauen: 33-, 0q, 0n, 0m, 0f, 0u
gpg: nächste "Trust-DB"-Pflichtüberprüfung am 2015-05-01
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:               importiert: 1  (RSA: 1)
gpg --keyserver keys.gnupg.net --recv-keys 2E1AC68ED40814E0  9.66s user 0.42s system 93% cpu 10.742 total

It looks like you are having a problem with GnuPG, not Tor.

3

Your problem is with GnuPG. I can't tell you how to fix GnuPG, but if you just want to import the key, then I suggest that don't let gpg fetch the key - download it yourself from the keyserver and then let gpg import it.

Or as a command line:

curl "https://pgp.mit.edu/pks/lookup?op=get&search=0x4E2C6E8793298290" -o - | gpg --import

  • 1
    Could you edit that to say https? I don't think you want to import keys which were downloaded on a plaintext connection. – l0b0 Aug 26 '15 at 22:00
  • 2
    Changed it, even if I don't see the necessity. He won't be able to hide the fact, that he is using tor, so it's not important that someone can see which key he downloaded. And to make sure that it is the right key, you should always verify the fingerprint. –  Aug 27 '15 at 05:22
  • I've also experienced the same problem here and the above seemed to work. – johnildergleidisson Dec 04 '15 at 19:22
0

I had the same issue, and I didn't know how to handle it either. I thought it might be a firewall issue, but that wasn't it. I went to sks-keyservers.net and looked around. Noticed the ipv4.pool.sks-keyservers.net pool and wondered if that might help. It worked. So my solution was gpg --keyserver ipv4.pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290 and everything worked fine.

Dennis
  • 1