search

ethereumproject / go-ethereum

Go language implementation of the original/classic design of the Ethereum protocol
GNU Lesser General Public License v3.0
443 stars 166 forks source link

Cannot gpg verify 5.5.1 #670

Closed r3lik closed 6 years ago

r3lik commented 6 years ago

I get an error when attempting to gpg --verify:

root@fullnode3:~/fullnodes/etc/docker# gpg --import isaac.ardis@gmail.com
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 7419D94C: public key "Isaac Ardis (ETCDEV Go Developer) <isaac.ardis@gmail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
root@fullnode3:~/fullnodes/etc/docker# gpg --import isaac.ardis@gmail.com^C
(reverse-i-search)`verify': gpg --^Crify signatures-v5.5.1-8a3bc2d.tar
root@fullnode3:~/fullnodes/etc/docker# ls
Dockerfile                                    geth-classic-linux-v5.5.1-8a3bc2d.zip.asc   geth-classic-osx-v5.5.1-8a3bc2d.tar.gz.sig  geth-classic-win64-v5.5.1-8a3bc2d.zip.asc  signatures-v5.5.1-8a3bc2d.tar
geth-classic-linux-v5.5.1-8a3bc2d.tar.gz.asc  geth-classic-linux-v5.5.1-8a3bc2d.zip.sig   geth-classic-osx-v5.5.1-8a3bc2d.zip.asc     geth-classic-win64-v5.5.1-8a3bc2d.zip.sig
geth-classic-linux-v5.5.1-8a3bc2d.tar.gz.sig  geth-classic-osx-v5.5.1-8a3bc2d.tar.gz.asc  geth-classic-osx-v5.5.1-8a3bc2d.zip.sig     isaac.ardis@gmail.com
root@fullnode3:~/fullnodes/etc/docker# gpg --verify geth-classic-linux-v5.5.1-8a3bc2d.tar.gz.asc
gpg: no signed data
gpg: can't hash datafile: file open error
root@fullnode3:~/fullnodes/etc/docker# gpg --verify geth-classic-linux-v5.5.1-8a3bc2d.tar.gz.sig
gpg: no signed data
gpg: can't hash datafile: file open error
root@fullnode3:~/fullnodes/etc/docker# gpg --verify geth-classic-linux-v5.5.1-8a3bc2d.zip.asc
gpg: no signed data
gpg: can't hash datafile: file open error
whilei commented 6 years ago

@tzdybal released 5.5.1, so you'll have to import and verify against his key instead of mine.

And you'll want to have the signature file (.asc) adjacent to the .tar.gz that you want to verify.

Try:

# With git cloning the volunteer repo with GPG keys:
$ git clone https://github.com/ethereumproject/volunteer.git
$ gpg --import Volunteer-Public-Keys/tomek@zdybal.lap.pl
# This way, to avoid having to import specific individual keys, you can import all volunteer keys at once. This won't reset or change any keys that you have already imported.
$ gpg --import ./Volunteer-Public-Keys/*

# With wget
$ wget https://raw.githubusercontent.com/ethereumproject/volunteer/master/Volunteer-Public-Keys/tomek%40zdybal.lap.pl.pub
$ gpg --import tomek@zdybal.lap.pl.pub

# Download build:
$ wget https://github.com/ethereumproject/go-ethereum/releases/download/v5.5.1/geth-classic-linux-v5.5.1-8a3bc2d.tar.gz
# Download sigs:
$ wget https://github.com/ethereumproject/go-ethereum/releases/download/v5.5.1/signatures-v5.5.1-8a3bc2d.tar
# Extract all signatures from tar file:
$ tar -xf signatures-v5.5.1-8a3bc2d.tar
# Verify:
$ gpg --verify geth-classic-linux-v5.5.1-8a3bc2d.tar.gz.asc
gpg: assuming signed data in 'geth-classic-linux-v5.5.1-8a3bc2d.tar.gz'
gpg: Signature made Fri 03 Aug 2018 07:17:19 AM CDT
gpg:                using DSA key 86C9E79D83B626AE95548DC3F157D3BD6E2EED66
gpg: Good signature from "Tomasz Zdybał (personal) <tomek@zdybal.lap.pl>" [unknown]
gpg:                 aka "Tomasz Zdybał (Jabber only) <tomekzet@jid.pl>" [unknown]
gpg:                 aka "Tomasz Zdybał (Jabber only) <tomekzet@jabster.pl>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 86C9 E79D 83B6 26AE 9554  8DC3 F157 D3BD 6E2E ED66
r3lik commented 6 years ago

I was able to verify with gpg --import tomek@zdybal.lap.pl.pub and gpg --verify geth-classic-linux-v5.5.1-8a3bc2d.tar.gz.asc.

Verifying with after having imported all volunteer keys threw this:

gpg: Total number processed: 46
gpg:               imported: 45  (RSA: 43)
gpg:              unchanged: 1
gpg: no ultimately trusted keys found
whilei commented 6 years ago

@r3lik https://trog.qgl.org/20091030/troubleshooting-gnupg-gpg-no-ultimately-trusted-keys-found/

This isn't an error, it's just a 'status update' from GPG telling you that you haven't defined or imported keys that you've declared as "ultimately trusted." Keys with ultimate trust are typically your own or close relations'.

whilei commented 6 years ago

Closing as resolved.

Thanks for your doing your due diligence, Mike.