[issue] Can't Verify PGP

fdafdsfdsfdcfdsd · August 23, 2019, 2:58am

As the title states, I get a different output then listed:

usr@usr:~$ gpg --keyserver keys.gnupg.net --recv 04EF2F666D36C354058B9DD450C78B6F9FF2EC85
gpg: keyring `/home/usr/.gnupg/secring.gpg' created
gpg: keyring `/home/usr/.gnupg/pubring.gpg' created
gpg: requesting key 9FF2EC85 from hkp server keys.gnupg.net
gpg: key 9FF2EC85: public key "HulaHoop" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
usr@usr:~$ gpg --check-sigs "04EF 2F66 6D36 C354 058B 9DD4 50C7 8B6F 9FF2 EC85"
pub   4096R/9FF2EC85 2018-11-26
uid                  HulaHoop
sig!3        9FF2EC85 2018-11-26  HulaHoop
sub   4096R/CEE41ACC 2018-11-26
sig!         9FF2EC85 2018-11-26  HulaHoop

1 signature not checked due to a missing key
usr@usr:~$

I’m assuming this is a documentation issue, but want to verify.
Either way, the documentation should be made more clear.

archive [dot] is/1Eq50#Verify_the_Whonix_.E2.84.A2_Images

The documentation says the output should be:

gpg: key 0x50C78B6F9FF2EC85: public key "HulaHoop" imported
gpg: Total number processed: 1
gpg:               imported: 1

pub   rsa4096/0x50C78B6F9FF2EC85 2018-11-26 [SCEA]
      04EF2F666D36C354058B9DD450C78B6F9FF2EC85
uid                   [ unknown] HulaHoop
sig!         0x8D66066A2EEACCDA 2018-12-14  Patrick Schleizer <adrelanos@riseup.net>
sig!3        0x50C78B6F9FF2EC85 2018-11-26  HulaHoop
sub   rsa4096/0xEB27D2F8CEE41ACC 2018-11-26 [SEA]
sig!         0x50C78B6F9FF2EC85 2018-11-26  HulaHoop

gpg: 3 good signatures

0brand · August 23, 2019, 4:01am

The output matches up.

Your output

9FF2EC85

Documentation matches your output. One is a long key id. the other is short.

0x50C78B6F9FF2EC85

0x50C78B6F 9FF2EC85

fdafdsfdsfdcfdsd:

The documentation says the output should be:

gpg: key 0x50C78B6F 9FF2EC85 : public key “HulaHoop” imported
gpg: Total number processed: 1
gpg: imported: 1

pub rsa4096/0x50C78B6F 9FF2EC85 2018-11-26 [SCEA]
04EF2F666D36C354058B9DD450C78B6F9FF2EC85
uid [ unknown] HulaHoop
sig! 0x8D66066A2EEACCDA 2018-12-14 Patrick Schleizer adrelanos@riseup.net
sig!3 0x50C78B6F 9FF2EC85 2018-11-26 HulaHoop
sub rsa4096/0xEB27D2F8CEE41ACC 2018-11-26 [SEA]
sig! 0x50C78B6F 9FF2EC85 2018-11-26 HulaHoop

gpg: 3 good signatures

You still need to Verify the archive with Hulahoop’s key. (step 4)

fdafdsfdsfdcfdsd1 · August 23, 2019, 5:23am

@0brand Thanks!

You may want to consider updating the documentation to reflect this.

0brand · August 23, 2019, 10:05am

Hi fdafdsfdsfdcfdsd1

Its a little late… Welcome to the Whonix community!

When I run steps for verification I get the same output thats on that page.

Patrick · August 23, 2019, 12:40pm

Created [Help Welcome] KVM Development - staying the course - #313 by Patrick for it.

random3uuj · March 14, 2020, 1:33am

I am having the same issue. I would not care if it verified at the end. What am I missing?

gpg --verify Whonix.libvirt.xz.asc Whonix.libvirt.xz

gpg: Signature made Sun 09 Feb 2020 06:37:33 PM PST
gpg: using RSA key 66F46246C900707FF10DC1E4EB27D2F8CEE41ACC
gpg: BAD signature from “HulaHoop” [unknown]

Patrick · March 14, 2020, 9:51am

re-download

nurmagoz · July 21, 2020, 8:35pm

1 sginature not checked due to a missing key

any idea how to fix that?

Patrick · July 21, 2020, 10:54pm

gpg usability mess. Need to import the missing key. Which in this case means my key.

[issue] Can't Verify PGP

gpg --verify Whonix*.libvirt.xz.asc Whonix*.libvirt.xz

gpg --verify Whonix.libvirt.xz.asc Whonix.libvirt.xz