5

I'm installing the Ultimaker Cura 3D printer slicer program from here (https://github.com/Ultimaker/Cura/releases/tag/5.1.0) onto Linux Ubuntu 20.04.

I downloaded these 2 files:

Ultimaker-Cura-5.1.0-linux-modern.AppImage
Ultimaker-Cura-5.1.0-linux-modern.AppImage.asc

Opening the .asc file in a text editor shows it contains:


How do I use this .asc signature file to check the main file?

I read this page, and the last example seems to apply: https://www.gnupg.org/gph/en/manual/x135.html

So I tried this:

gpg --verify Ultimaker-Cura-5.1.0-linux-modern.AppImage.asc Ultimaker-Cura-5.1.0-linux-modern.AppImage 

...and I got the following error, as shown in my run output:

~/Downloads/Install_Files/Cura$ gpg --verify Ultimaker-Cura-5.1.0-linux-modern.AppImage.asc Ultimaker-Cura-5.1.0-linux-modern.AppImage
gpg: Signature made Tue 19 Jul 2022 05:40:33 AM MST
gpg: using RSA key 1889EAED2DB93BF7DFFB3CA6C1A1B91069C4AF59
gpg: Can't check signature: No public key

I tried following the solution in this answer, using the RSA key hash printed in the previous output above, and it doesn't work either:

$ gpg --receive-keys 1889EAED2DB93BF7DFFB3CA6C1A1B91069C4AF59
gpg: keyserver receive failed: Server indicated a failure

I'm looking around: Google search for "ultimaker public key"

Related

  1. My question: Which AppImage should I install (.AppImage vs modern.AppImage)?

1 Answer

2

You're getting that error ("Can't check signature: No public key") because you need to first add the public key to your local keyring.

It looks like the Ultimaker folks aren't really all that familiar with signing things, because nowhere in their repository do they publish their signing key or indicate where you can find it.

There's an issue about this from a few years back, where GitHub user "LipuFei" comments:

The public key is now on the public key servers.

$ gpg --keyserver pgp.mit.edu --recv-keys C1A1B91069C4AF59
gpg: /home/l.fei/.gnupg/trustdb.gpg: trustdb created
gpg: key C1A1B91069C4AF59: public key "Ultimaker Build Server <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1

If you run that command to import the public key, you will then be able to verify your download using the .asc signature file. Note that this example is using the key ID, C1A1B91069C4AF59, but you can also use the key fingerprint, 1889EAED2DB93BF7DFFB3CA6C1A1B91069C4AF59, and you'll get the same key.


Update

Running gpg --keyserver pgp.mit.edu --recv-keys 1889EAED2DB93BF7DFFB3CA6C1A1B91069C4AF59 works for me without an error; the resulting key is:


But there is no reason for you to trust this key. Because neither the key, nor the fingerprint, nor the key ID is published by the project in any official location, there's no reason for you to trust the key. Yes, it matches the key used to sign the file, but is this actually a key used by the project, or was it a clever hacker? I mean, sure, it's probably the right key, but the way the project is using it isn't particularly useful for anything other than checking if your download was somehow corrupted in transit.

7
  • Thank you. I just saw that post too, right before you posted it. I'm getting this error though. My command: gpg --keyserver pgp.mit.edu --recv-keys 1889EAED2DB93BF7DFFB3CA6C1A1B91069C4AF59. Error: gpg: keyserver receive failed: Server indicated a failure. Is it working for you? Commented Jul 31, 2022 at 23:54
  • larsks, this may help you help me: cloudsmith.io/~ultimaker/repos/cura-public/signing (I'm not sure what to do with this though, yet) Commented Jul 31, 2022 at 23:56
  • Manually going to this page (pgp.mit.edu) and copy-pasting the key as a search string returns no results too. No results found No results found: No keys found Commented Jul 31, 2022 at 23:59
  • I've updated the answer to address your question. Commented Aug 1, 2022 at 0:04
  • 1
    I'm on Linux (fedora 35) with gpg version 2.3.4. It looks like 2.2.19 is a few years old. Commented Aug 1, 2022 at 0:27
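
The answer's closing point, that a passing `gpg --verify` only matters if the signer's fingerprint came from a source you trust, shown as an added example (not code from the original posts or from the Cura project). The function names `signer_fingerprint`, `check_status` and `verify_pinned` are illustrative, and `SAMPLE_STATUS` is constructed in gpg's `--status-fd` line format using the fingerprint quoted on this page.

```shell
#!/bin/sh
# Added example: verify a detached signature AND require that the signer is a
# fingerprint pinned beforehand. Function names are illustrative assumptions.

# Constructed sample of `gpg --status-fd 1 --verify` output (offline demo).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG C1A1B91069C4AF59 Ultimaker Build Server
[GNUPG:] VALIDSIG 1889EAED2DB93BF7DFFB3CA6C1A1B91069C4AF59 2022-07-19 1658234433 0 4 0 1 10 00 1889EAED2DB93BF7DFFB3CA6C1A1B91069C4AF59'

# Read status lines on stdin; print the primary-key fingerprint (last field
# of VALIDSIG) only when exactly one GOODSIG and one VALIDSIG are present.
signer_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good++ }
         $1 == "[GNUPG:]" && $2 == "VALIDSIG" { valid++; fpr = $NF }
         END { if (good == 1 && valid == 1) print fpr }'
}

# check_status EXPECTED_FPR < status-text
# Exit status: 0 match, 1 mismatch or no good signature, 2 if EXPECTED_FPR is
# not a full 40-hex-digit fingerprint (a short key ID is not accepted as a pin).
# The body is a subshell, so its variables stay local to the function.
check_status() (
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case $expected in ''|*[!0-9A-F]*) exit 2 ;; esac
    [ "${#expected}" -eq 40 ] || exit 2
    got=$(signer_fingerprint)
    [ -n "$got" ] && [ "$got" = "$expected" ]
)

# verify_pinned FILE SIG EXPECTED_FPR: run gpg and apply the check above.
# A bad signature or missing public key yields no GOODSIG, so the check fails.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Usage: sh verify_pinned.sh FILE SIG FINGERPRINT
if [ "$#" -eq 3 ]; then
    if verify_pinned "$@"; then
        echo "OK: good signature from the pinned key"
    else
        echo "FAILED: no good signature from the pinned key" >&2
        exit 1
    fi
fi
```

The fingerprint passed as the third argument has to come from a channel independent of the download itself; copying it from gpg's own "using RSA key" line only repeats what the signature already says.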
