iancoleman / bip39

A web tool for converting BIP39 mnemonic codes
https://iancoleman.io/bip39/
MIT License

gpg: Can't check signature: No public key, keyserver search failed: Not found #531

Closed petjal closed 2 years ago

petjal commented 2 years ago

From https://github.com/iancoleman/bip39/releases
https://github.com/iancoleman/bip39/releases/download/0.5.4/bip39-standalone.html
https://github.com/iancoleman/bip39/releases/download/0.5.4/signature.txt.asc

.../iancoleman/bip39 $ gpg --verify signature.txt.asc
gpg: Signature made 2021-10-18 19:07:56 -0400 EDT
gpg:                using RSA key 5AD5C88083708E93A2966FF49FF1B58CA7B9E6A5
gpg:                issuer "ian@iancoleman.io"
gpg: Can't check signature: No public key

.../iancoleman/bip39 $ gpg --search A7B9E6A5
gpg: data source: https://162.213.33.8:443
gpg: key "A7B9E6A5" not found on keyserver
gpg: keyserver search failed: Not found

.../iancoleman/bip39 $ gpg --search 0xA7B9E6A5
gpg: data source: https://162.213.33.8:443
gpg: key "0xA7B9E6A5" not found on keyserver
gpg: keyserver search failed: Not found

.../iancoleman/bip39 $ gpg --search ian@iancoleman.io
gpg: data source: https://162.213.33.8:443
(1)     Ian Coleman <ian@iancoleman.io>
        Ian Coleman <coleman.ian@gmail.com>
          4096 bit RSA key B89A317AB798EB23, created: 2017-07-18
Keys 1-1 of 1 for "ian@iancoleman.io".  Enter number(s), N)ext, or Q)uit > 1
gpg: key B89A317AB798EB23: "Ian Coleman <ian@iancoleman.io>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

.../iancoleman/bip39 $ gpg --verify signature.txt.asc
gpg: Signature made 2021-10-18 19:07:56 -0400 EDT
gpg:                using RSA key 5AD5C88083708E93A2966FF49FF1B58CA7B9E6A5
gpg:                issuer "ian@iancoleman.io"
gpg: Can't check signature: No public key

k0k0b34n commented 2 years ago

I was able to get the public key here: https://iancoleman.io/pubkey.txt

iancoleman commented 2 years ago

@k0k0b34n beat me to it; I updated my key since the last release. The new key is available at https://iancoleman.io/pubkey.txt

petjal commented 2 years ago

Thanks, folks.

Is there a process of some sort in which you sign your new key with your old key or something like that?

I notice this week's release wasn't github verified? Is that related?

Thanks, again. Great project.

iancoleman commented 2 years ago

> Is there a process of some sort in which you sign your new key with your old key or something like that?

Normally yes but I've lost access to the old key so unfortunately can't do that in this situation.

> I notice this week's release wasn't github verified?

Not sure what this means, can you clarify? Where do I see the 'verified' (or not) status of a release?

petjal commented 2 years ago

Not that I really know anything about any of this, but to those listening, when a signature changes, warning alarms should go off. Maybe there's another way we can prove chain of custody across the releases?

https://gist.github.com/Beneboe/3183a8a9eb53439dbee07c90b344c77e

Bitcoin is gonna change the world, this is important stuff, so we all need to be stupid careful.

petjal commented 2 years ago

diff_bip39-standalone_0.5.3_0.5.4.html.txt

Doesn't look like Ian's kidnappers have done anything too malicious between 0.5.3 and 0.5.4.

petjal commented 2 years ago

.../iancoleman/bip39 $ curl -s https://iancoleman.io/pubkey.txt | gpg --import
gpg: key 9FF1B58CA7B9E6A5: "Ian Coleman <ian@iancoleman.io>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

.../iancoleman/bip39 $ curl -s -L -O https://github.com/iancoleman/bip39/releases/download/0.5.4/signature.txt.asc

.../iancoleman/bip39 $ gpg --verify signature.txt.asc
gpg: Signature made 2021-10-18 19:07:56 -0400 EDT
gpg:                using RSA key 5AD5C88083708E93A2966FF49FF1B58CA7B9E6A5
gpg:                issuer "ian@iancoleman.io"
gpg: Good signature from "Ian Coleman <ian@iancoleman.io>" [unknown]
gpg: WARNING: The key's User ID is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5AD5 C880 8370 8E93 A296  6FF4 9FF1 B58C A7B9 E6A5

.../iancoleman/bip39 $ cat signature.txt.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

sha256sum bip39-standalone.html
8b8e3c1be03501f57e395781de8a59fd553808e1eb1278710bd7b96dacb6d0f6
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

.../iancoleman/bip39 $ sha256sum bip39-standalone.html
8b8e3c1be03501f57e395781de8a59fd553808e1eb1278710bd7b96dacb6d0f6  bip39-standalone.html
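
The manual steps in the comment above (verify the signature, then compare `sha256sum` output by eye) can be scripted so that the signer's fingerprint is pinned and the signed digest is compared with the file automatically. This is an added example, not code from the thread or the project; the function names are hypothetical, and the pinned fingerprint is the one gpg printed in this thread.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or the project: pin the signer's
# fingerprint and tie the signed digest to the downloaded file.
# PINNED_FPR is the fingerprint gpg printed in the thread; confirm it through
# an independent channel before relying on it.
PINNED_FPR="5AD5C88083708E93A2966FF49FF1B58CA7B9E6A5"

# Read gpg status lines on stdin; print the primary-key fingerprint (last
# VALIDSIG field). Requires exactly one GOODSIG, which gpg does not emit for
# expired or revoked keys (those produce EXPKEYSIG / REVKEYSIG instead).
signer_fpr() {
  awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good++ }
       $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $NF; n++ }
       END { if (good == 1 && n == 1) { print fpr } else { exit 1 } }'
}

# Read the verified text on stdin; print the first bare SHA-256 digest line.
signed_sha256() {
  awk '/^[0-9a-f]+$/ && length($0) == 64 { print; found = 1; exit }
       END { exit found ? 0 : 1 }'
}

# check_release STATUS TEXT FILE: pure comparison with no gpg call, so it can
# be exercised on constructed input.
check_release() {
  local fpr want got
  fpr=$(printf '%s\n' "$1" | signer_fpr) || { echo "no single good signature" >&2; return 1; }
  [ "$fpr" = "$PINNED_FPR" ] || { echo "unexpected signer $fpr" >&2; return 1; }
  want=$(printf '%s\n' "$2" | signed_sha256) || { echo "no digest in signed text" >&2; return 1; }
  got=$(sha256sum "$3" | cut -d' ' -f1)
  [ "$want" = "$got" ] || { echo "digest mismatch for $3" >&2; return 1; }
  echo "OK $3 $got"
}

# verify_release SIGNATURE FILE: both inputs come from gpg itself, never from
# the armored file's raw text, which can carry lines outside the signed region.
verify_release() {
  local status text
  status=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null) || return 1
  text=$(gpg --batch --decrypt "$1" 2>/dev/null) || return 1
  check_release "$status" "$text" "$2"
}

# Usage: ./verify.sh signature.txt.asc bip39-standalone.html
if [ "$#" -eq 2 ]; then verify_release "$1" "$2"; fi
```

A good signature from an uncertified key still passes this check, so the pin is only as trustworthy as the channel the fingerprint was obtained from.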
petjal commented 2 years ago

.../iancoleman/bip39 $ gpg --list-sigs 5AD5C88083708E93A2966FF49FF1B58CA7B9E6A5
pub   rsa4096 2021-10-11 [SC]
      5AD5C88083708E93A2966FF49FF1B58CA7B9E6A5
uid           [ unknown] Ian Coleman <ian@iancoleman.io>
sig 3        9FF1B58CA7B9E6A5 2021-10-11  Ian Coleman <ian@iancoleman.io>
sub   rsa4096 2021-10-11 [E]
sig          9FF1B58CA7B9E6A5 2021-10-11  Ian Coleman <ian@iancoleman.io>

Any chance we can get @7h3v01c3 (or other recent github verified committer) to sign your key?

petjal commented 2 years ago

(reminding myself that I should probably find or re-create my revocation certificate...found it, phew)