
In order to compile a new kernel on my Debian jessie, I am trying to verify the GPG key, following the instructions on the official website.

I have downloaded linux-3.18.35.tar.sign and linux-3.18.35.tar.xz and unpacked the archive using unxz.

To verify the .tar archive I use the command:

gpg --verify linux-3.18.35.tar.sign

I get:

gpg: assuming signed data in `linux-3.18.35.tar'
gpg: Signature made Wed 08 Jun 2016 01:19:29 AM CET using RSA key ID 6092693E
gpg: Can't check signature: public key not found

To get the public key from the PGP keyserver:

# gpg --keyserver hkp://keys.gnupg.net --recv-keys 6092693E

gpg: requesting key 6092693E from hkp server keys.gnupg.net
?: keys.gnupg.net: Host not found
gpgkeys: HTTP fetch error 7: couldn't connect: Connection refused
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

I get a similar problem with the 4.4.13 version too.

I have tried the following answer:

# gpg --keyserver subkeys.pgp.net --recv-keys 6092693E && gpg --export --armor 6092693E | sudo apt-key add -

gpg: requesting key 6092693E from hkp server subkeys.pgp.net
gpg: keyserver timed out
gpg: keyserver receive failed: keyserver error

And:

# gpg --keyserver subkeys.pgp.net:80 --recv-keys 6092693E

gpg: requesting key 6092693E from subkeys.pgp.net:80
gpgkeys: no keyserver host provided
gpg: keyserver internal error
gpg: keyserver receive failed: keyserver error

How do I verify the kernel signature correctly?

GAD3R

1 Answer


You only need to have the public key in your keyring:

gpg --keyserver subkeys.pgp.net --recv-keys 0x38DBBDC86092693E

(use the long identifier!). If it times out, try again — there are multiple servers, and some of them seem to be having issues currently. apt-key etc. aren't involved in this at all.

Once you have the key in your keyring,

gpg --verify linux-3.18.35.tar.sign

should work.

You can also configure a key server pool instead (this is a good idea anyway):

  1. install gnupg-curl (apt-get install gnupg-curl on Debian);
  2. download the SKS CA

     cd ~/.gnupg; wget https://sks-keyservers.net/sks-keyservers.netCA.pem

  3. verify it;
  4. add the following line to your ~/.gnupg/gpg.conf, or change it if it's already present:

     keyserver hkps://hkps.pool.sks-keyservers.net

     and set up the certificate by either adding

     keyserver-options ca-cert-file=/home/.../.gnupg/sks-keyservers.netCA.pem

     to ~/.gnupg/gpg.conf (for GnuPG 1) or

     keyserver hkps://hkps.pool.sks-keyservers.net
     hkp-cacert /home/.../.gnupg/sks-keyservers.netCA.pem

     to ~/.gnupg/dirmngr.conf (for GnuPG 2), replacing the ... in the path with the appropriate value for your home directory in both cases.

Once you've done that,

gpg --recv-keys 0x38DBBDC86092693E

should retrieve the key reliably.

If all that fails, you can download and import the key manually:

curl 'http://pgp.surfnet.nl:11371/pks/lookup?op=get&search=0x38DBBDC86092693E' > gregkh.key
gpg --import gregkh.key
Stephen Kitt

  • After running gpg --verify linux-3.18.35.tar.sign I received gpg: Good signature from "Greg Kroah-Hartman... And "There is no indication that the signature belongs to the owner" – GAD3R Jun 10 '16 at 21:09
  • @GAD3R I'm not sure why that would fix it either... The messages you're getting from gpg now mean that the signature is valid, but that you don't have any personal connection to Greg KH's key. If you don't have a GPG key in the strong set that's perfectly normal. What it all means is that the archive you downloaded was really signed by key 0x38DBBDC86092693E, but you don't have any means of verifying that the key actually belongs to Greg KH (through key signatures ultimately connected to your GPG key). – Stephen Kitt Jun 10 '16 at 21:21
  • On a Mac with gpg 2.2.23 installed via Homebrew this did not work. I was able to download keys with gpg --keyserver pool.sks-keyservers.net --recv-keys <keyid> – JGurtz Oct 03 '20 at 22:24
  • SKS keyservers seem to be deprecated, and the DNS records were deleted on 2021-06-21. Try host hkps.pool.sks-keyservers.net or host pool.sks-keyservers.net. Or keys.gnupg.net for that matter. – x-yuri Aug 02 '21 at 18:52
  • @x-yuri yes, see sks-keyservers gone. What to use instead? I suppose I should update all my answers which refer to SKS... – Stephen Kitt Aug 02 '21 at 19:26
  • @StephenKitt With all your answers, you have your work cut out for you! :) You're not alone though; there are many outdated OpenPGP-related answers and web pages on the Internet (some even on gnupg.org). This answer could probably benefit from generous copying from https://unix.stackexchange.com/a/352774/22812 – Anthony Geoghegan Dec 22 '21 at 01:20
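The verify step from the answer, and the "There is no indication that the signature belongs to the owner" message discussed in the comments, as an added shell example that is not part of the question or the answer: it reads gpg's machine-readable --status-fd output instead of grepping the localized "Good signature" line, and accepts the archive only if the signing key's fingerprint matches one pinned out of band. The pinned fingerprint, the sample uid and the sample status lines are constructed for the demo (only the trailing key ID 38DBBDC86092693E comes from the page); a real check needs the full fingerprint published by kernel.org.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Reads the machine-readable
# output of "gpg --status-fd 1 --verify" instead of grepping the localized "Good signature"
# text, and checks that the signing key's fingerprint is the one you pinned out of band.
# Real use (after "unxz linux-3.18.35.tar.xz"):
#   gpg --status-fd 1 --verify linux-3.18.35.tar.sign | check_gpg_status "$PINNED_FPR"
# PINNED_FPR is CONSTRUCTED for the demo (it only ends in the page's key ID 38DBBDC86092693E);
# for a real check use the full 40-hex fingerprint published by kernel.org.
PINNED_FPR="ABCDEF0123456789ABCDEF0138DBBDC86092693E"

# check_gpg_status EXPECTED_FPR   (gpg status lines on stdin)
# exit 0: good signature from the pinned key; 1: bad or unverifiable; 2: good but wrong key
check_gpg_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')   # normalise user-supplied fingerprint
    good=0 matched=0 trust=NONE err=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)   good=1 ;;
            "[GNUPG:] BADSIG "*)    err="BADSIG: signature does not match the data" ;;
            "[GNUPG:] NO_PUBKEY "*) err="NO_PUBKEY: signing key not in keyring, import it first" ;;
            "[GNUPG:] ERRSIG "*)    err="ERRSIG: signature could not be checked" ;;
            "[GNUPG:] VALIDSIG "*)
                # field 3 = fingerprint of the (sub)key that signed, field 12 = primary key
                for f in $(printf '%s\n' "$line" | awk '{print $3; if (NF >= 12) print $12}'); do
                    [ "$f" = "$want" ] && matched=1
                done ;;
            "[GNUPG:] TRUST_"*)
                trust=$(printf '%s\n' "$line" | cut -d' ' -f2); trust=${trust#TRUST_} ;;
        esac
    done
    if [ -n "$err" ]; then echo "FAIL: $err"; return 1; fi
    if [ "$good" -ne 1 ]; then echo "FAIL: no GOODSIG in gpg status output"; return 1; fi
    if [ "$matched" -ne 1 ]; then echo "FAIL: valid signature, but not from the pinned key"; return 2; fi
    # TRUST_UNDEFINED is gpg's "no indication that the signature belongs to the owner";
    # it is fine here because the key was pinned by fingerprint rather than via the web of trust.
    echo "OK: valid signature from pinned key $want (gpg trust level: $trust)"
    return 0
}

# Constructed sample status output for the three situations seen in the question and comments.
status_good()  { printf '%s\n' '[GNUPG:] NEWSIG' \
    '[GNUPG:] GOODSIG 38DBBDC86092693E Greg Kroah-Hartman (constructed uid) <greg@kroah.com>' \
    '[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0138DBBDC86092693E 2016-06-08 1465345169 0 4 0 1 10 00 ABCDEF0123456789ABCDEF0138DBBDC86092693E' \
    '[GNUPG:] TRUST_UNDEFINED 0 pgp'; }
status_nokey() { printf '%s\n' '[GNUPG:] NEWSIG' '[GNUPG:] ERRSIG 38DBBDC86092693E 1 10 00 1465345169 9' \
    '[GNUPG:] NO_PUBKEY 38DBBDC86092693E'; }
status_bad()   { printf '%s\n' '[GNUPG:] NEWSIG' \
    '[GNUPG:] BADSIG 38DBBDC86092693E Greg Kroah-Hartman (constructed uid) <greg@kroah.com>'; }
```

Run for example `status_good | check_gpg_status "$PINNED_FPR"` to see the verdict for the valid-but-untrusted case; with the real archive, replace the sample function by the gpg command shown in the comment header.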