2

Recently, I downloaded several public keys with gpg, in order to fix Debian package system after upgrading to Stretch. The commands were: 

# gpg --recv-keys EF0F382A1A7B6500 # gpg --recv-keys 8B48AD6246925553 # gpg --recv-keys 7638D0442B90D010

Those keys were correctly imported into my GPG keyring. However, I would like to check if they have not been tampered within the process. If I check one of these keys with this command

# gpg --check-sigs 8B48AD6246925553

I could state that it contains one valid signature, according to the process output: 

gpg: 1 good signature gpg: 25 signatures not checked due to missing keys pub rsa4096 2012-04-27 [SC] [caduca: 2020-04-25] A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553 uid [desconocida] Debian Archive Automatic Signing Key (7.0/wheezy) <[email protected]> sig!3 8B48AD6246925553 2012-04-27 Debian Archive Automatic Signing Key (7.0/wheezy) <[email protected]>

The literal sig!3 indicates that the signature is good, but trusting marginally Listing signatures related with this key gives me this result:

# gpg --list-sigs 8B48AD6246925553 pub rsa4096 2012-04-27 [SC] [caduca: 2020-04-25] A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553 uid [desconocida] Debian Archive Automatic Signing Key (7.0/wheezy) <[email protected]> sig 3 715ED6A07E7B8AC9 2012-04-27 [ID de usuario no encontrado] sig 040BA4EB3B7F81DA 2016-02-16 [ID de usuario no encontrado] ... (up to 25 signatures not checked)

My question is: Does GPG check the new downloaded key and its signatures against an older (and previously existing) key on my system? Is there a way that I can validate that signature with ID 715ED6A07E7B8AC9 is valid? (I could compute a hash on any file and compare it with a fresh Debian installation on another computer)

Improve this question
0

1 Answer 1

Reset to default
1

This is what I could guess, since I have been checking two aspects:

  1. GPG's source code (version 2.1.18, file g10/sig-check.c)

    • The function that validates signatures will check the following:

      • Look up the public key that created the signature.
      • the signature was not created prior to the key.
      • public key was created in the past.
      • no unsupported features.
      • hash against digest.

    • Since I imported three keys into an empty keyring, nothing looks wrong (date, hash, etc.) except the fact that there is no other key to check the signature against it. Thus, the signature looks like self-signed (no other key IDs are found) with the sig!3 result (trusting marginally) and the importing process warned me with "no ultimately trusted keys found"

  2. A fresh Debian installation in a virtual machine.

    I exported one of the public keys with this command:

    gpg --armor --export EF0F382A1A7B6500 | gpg --list-packets --verbose --debug 0x02

    Not only will it dump the key part, but also signature packets. I could compare my GPG key contained in the GPG keyring, against the same KEYID in another computer, contained in the APT keyring. The whole byte sequences were identical.

Something similar is described in Debian Manual/Securing Debian (section 7.5.3.8, Verifying key integrity)

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.