subgraph / subgraph-os-issues

Subgraph OS issues repository

Error verifying Subgraph download: key is not certified with a trusted signature #249

Closed xmbwd closed 7 years ago

xmbwd commented 7 years ago

I seem to be unable to verify the download. I am getting a "key is not certified with a trusted signature!" error. I followed the instructions here to:

gpg --recv-key B55E70A95AC79474504C30D0DA11364B4760E444
# You can also get the fingerprint in the title of our IRC channel!

But that simply throws the error:

gpg: no keyserver known (use option --keyserver)
gpg: keyserver receive failed: bad URI

So, realizing that I need to specify the keyserver and noting from here that MIT is an available keyserver, I tried: gpg --recv-key --keyserver pgp.mit.edu B55E70A95AC79474504C30D0DA11364B4760E444

and got:

gpg: requesting key 4760E444 from hkp server pgp.mit.edu
gpg: key 4760E444: "Subgraph Release Signing Key <release@subgraph.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Then to verify: gpg --verify subgraph-os-alpha_2016-12-30_1.iso.sha256.sig subgraph-os-alpha_2016-12-30_1.iso.sha256

But this returns:

gpg: Signature made Fri 30 Dec 2016 01:16:21 PM PST using RSA key ID F999D968
gpg: Good signature from "Subgraph Release Signing Key <release@subgraph.com>"
**gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.**
Primary key fingerprint: B55E 70A9 5AC7 9474 504C  30D0 DA11 364B 4760 E444
     Subkey fingerprint: AB6C 7E34 4F63 3E10 4377  D595 E1AE 39C4 F999 D968

I also tried to verify the key using the keys.gnupg.net keyserver, but that doesn't work either:

gpg --recv-key --keyserver keys.gnupg.net B55E70A95AC79474504C30D0DA11364B4760E444
gpg: requesting key 4760E444 from hkp server keys.gnupg.net
gpgkeys: key B55E70A95AC79474504C30D0DA11364B4760E444 can't be retrieved
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: keyserver communications error: keyserver helper general error
gpg: keyserver communications error: unknown pubkey algorithm
gpg: keyserver receive failed: unknown pubkey algorithm

I can only assume I am doing something wrong, but it looks to be the correct procedure.

xSmurf commented 7 years ago

This seems fine: you don't have a trust path, nor have you signed the key, but the signature is correct. Verify the fingerprint from our website and/or the IRC channel. As described by the output:

gpg: Good signature from "Subgraph Release Signing Key <release@subgraph.com>"
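
The check discussed in this thread can be scripted by pinning the primary key fingerprint rather than relying on a trust path. This is an added example, not part of the original thread or Subgraph's own tooling; the function names and the sample status lines are constructed for illustration, and the pinned fingerprint is the one quoted in the issue, which still has to be confirmed out of band.

```sh
#!/bin/sh
# Accept a gpg verification only if the signature is valid AND the signing
# key's primary fingerprint equals a pinned value. The "not certified with a
# trusted signature" warning (TRUST_UNDEFINED) is about the web of trust and
# does not affect this check.

# Fingerprint as printed in the issue; confirm it against the project website
# or IRC channel topic before relying on it.
EXPECTED_FPR="B55E70A95AC79474504C30D0DA11364B4760E444"

# Constructed sample of `gpg --status-fd 1 --verify` output for the case in
# the issue (field values other than the fingerprints are illustrative).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG E1AE39C4F999D968 Subgraph Release Signing Key <release@subgraph.com>
[GNUPG:] VALIDSIG AB6C7E344F633E104377D595E1AE39C4F999D968 2016-12-30 1483132581 0 4 0 1 8 00 B55E70A95AC79474504C30D0DA11364B4760E444
[GNUPG:] TRUST_UNDEFINED'

# check_status PINNED_FPR   (machine-readable gpg status lines on stdin)
# Returns 0 only if a VALIDSIG line names PINNED_FPR as the primary key and
# no failure status is present. Fails closed if the primary fingerprint
# field is missing.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NODATA)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key fingerprint,
        # the last field is the primary key fingerprint.
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_pinned SIGFILE DATAFILE: run gpg and apply the pin check.
verify_pinned() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_STATUS" | check_status "$EXPECTED_FPR" \
    && echo "valid signature from pinned primary key"
```

Against real files this would be called as `verify_pinned subgraph-os-alpha_2016-12-30_1.iso.sha256.sig subgraph-os-alpha_2016-12-30_1.iso.sha256`; the ISO itself still has to be hashed and compared with the verified `.sha256` file.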