On Tue, Nov 2, 2021 at 4:05 PM Tadeus Prastowo <0x66726...@gmail.com> wrote: > > Hello, > > The signature on a Linux kernel can be verified successfully using > `--auto-key-retrieve', but the signature on an Emacs cannot be > verified in the same manner because gpg is unable to retrieve the > needed public key automatically. > > The GPG version is 2.2.19 (libgcrypt 1.8.5, if that matters) as > shipped by Ubuntu 20.04.3. I manage to locate only one post in the > GnuPG mailing list archive with respect to this `--auto-key-retrieve' > failure. But, as far as I can see it, the post has no response.
The post in question is https://lists.gnupg.org/pipermail/gnupg-users/2019-October/062940.html > Perhaps one of you can reproduce the problem by the following steps? > > 1. Test using Linux kernel. > wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.11.tar.xz > https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.11.tar.sign > unxz < linux-5.11.tar.xz | gpg --keyserver > hkp://keyserver.ubuntu.com:80 --auto-key-retrieve --verify > linux-5.11.tar.sign - > > The output of the last command is as follows: > gpg: Signature made Mon 15 Feb 2021 10:11:32 AM CET > gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E > gpg: requesting key 38DBBDC86092693E from hkp server keyserver.ubuntu.com > gpg: key 38DBBDC86092693E: public key "Greg Kroah-Hartman > <gre...@linuxfoundation.org>" imported > gpg: Total number processed: 1 > gpg: imported: 1 > gpg: Good signature from "Greg Kroah-Hartman > <gre...@linuxfoundation.org>" [unknown] > gpg: aka "Greg Kroah-Hartman <gre...@kernel.org>" [unknown] > gpg: aka "Greg Kroah-Hartman (Linux kernel stable > release signing key) <g...@kroah.com>" [unknown] > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the owner. > Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E > > 2. Test using Emacs. > wget http://mirror.kumi.systems/gnu/emacs/emacs-27.2.tar.xz.sig > http://mirror.kumi.systems/gnu/emacs/emacs-27.2.tar.xz > cat emacs-27.2.tar.xz | gpg --keyserver hkp://keyserver.ubuntu.com:80 > --auto-key-retrieve --verify emacs-27.2.tar.xz.sig - > > The output of the last command is as follows: > gpg: Signature made Thu 25 Mar 2021 12:53:08 PM CET > gpg: using RSA key 91C1262F01EB8D39 > gpg: Can't check signature: No public key > > The key 0x91C1262F01EB8D39, however, can be retrieved manually just > fine as shown below: > gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 0x91C1262F01EB8D39 > gpg: key 91C1262F01EB8D39: public key "Eli Zaretskii (eliz) > <e...@gnu.org>" imported > gpg: Total number processed: 1 > gpg: imported: 1 > > Any idea why the --auto-key-retrieve feature fails for some keys? > > Thank you. > > -- > Best regards, > Tadeus _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users