Ok why it doesn't want to use this key

yhyh66
Level 1
Posts: 4
Joined: Sun Oct 17, 2021 7:11 am

Ok why it doesn't want to use this key

Post by yhyh66 »

I'm trying to verify a file. I did it before and it worked. But now it only says "Can't check signature: No public key"

Code:

gpg --verify hashes-exodus-21.10.11.txt
gpg: Signature made Tue 12 Oct 2021 07:54:47 AM CEST
gpg:                using RSA key 926DC59FBB75B328
gpg: Can't check signature: No public key
I received the key from the server

Code:

gpg --keyserver keyserver.ubuntu.com --recv-keys 4CE260E8D65DF43CE88D25F212DC27133D25FAFA
gpg: key 12DC27133D25FAFA: "Exodus <keybase@exodus.io>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
And imported it manually

Code:

gpg --import pgp_keys.asc
gpg: key 12DC27133D25FAFA: "Exodus <keybase@exodus.io>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
It didn't change anything
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: Ok why it doesn't want to use this key

Post by rene »

You are importing the wrong key. As per https://downloads.exodus.com/releases/h ... .10.11.txt,

Code:

$ wget https://downloads.exodus.com/releases/hashes-exodus-21.10.11.txt
[ ... ]
$ wget -O pgp_keys.asc https://keybase.io/exodusmovement/pgp_keys.asc?fingerprint=ef2ccd36c16a8b90da1932e0926dc59fbb75b328
[ ... ]
$ gpg --import pgp_keys.asc 
gpg: key 926DC59FBB75B328: public key "Exodus Movement Inc <support@exodus.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --verify hashes-exodus-21.10.11.txt
gpg: Signature made di 12 okt 2021 07:54:47 CEST
gpg:                using RSA key 926DC59FBB75B328
gpg: Good signature from "Exodus Movement Inc <support@exodus.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF2C CD36 C16A 8B90 DA19  32E0 926D C59F BB75 B328

Re: Ok why it doesn't want to use this key

Post by yhyh66 »

Now it works, with the key imported from the link in the file. Two questions though:

1. Why did it say "no public key" instead of failing verification using the wrong key?

2. What's the point of verifying this file if the key comes from the very same file as well? Isn't the key supposed not to change, so that you can use it as proof that subsequent versions come from the same source?
t42
Level 11
Posts: 3732
Joined: Mon Jan 20, 2014 6:48 pm

Re: Ok why it doesn't want to use this key

Post by t42 »

yhyh66 wrote: Sun Oct 17, 2021 3:21 pm
1. Why did it say "no public key" instead of failing verification using the wrong key?
Verification can't fail because there is no key to verify the signed data with.
In case the signed data are corrupted and the key is available, then "it says" that verification failed.

GPG never uses the wrong key, but you can import some unnecessary key.
-=t42=-

Re: Ok why it doesn't want to use this key

Post by t42 »

yhyh66 wrote: Sun Oct 17, 2021 3:21 pm
the key comes from the very file as well?
The signature is derived from the specific file using the key.
-=t42=-

Re: Ok why it doesn't want to use this key

Post by rene »

As to the first, simply because indeed it didn't have the (right) public key; you had the public key for "Exodus <exodus@keybase.io>" whereas the file was signed with the private key for "Exodus Movement Inc <support@exodus.com>". There is no way for gpg (or for that matter, me) to know that the former has any relation to the latter.

As to the second, not a lot of point indeed; I was here just pointing out that you used the wrong pubkey. I did try grabbing the key from keyserver.ubuntu.com via fingerprint first, but it's not there. As to why not, and/or as to other trusted sources for the pubkey, you'd need to ask support@exodus.com.

Re: Ok why it doesn't want to use this key

Post by yhyh66 »

I mean the information as to what key to use comes from the file that is supposed to be verified, so both can be fake as well. I thought the whole, or at least a big part, of this security using PGP comes from the key being a constant thing.
edit: this is supposed to be an answer for t42

Re: Ok why it doesn't want to use this key

Post by yhyh66 »

rene wrote: Sun Oct 17, 2021 3:49 pm
There is no way for gpg (or for that matter, me) to know that the former has any relation to the latter.
Looks like it has: https://keybase.io/exodusmovement. So it seems that the source of my confusion is them using two public keys.
rene wrote: Sun Oct 17, 2021 3:49 pm
you had the public key for "Exodus <exodus@keybase.io>"
Did you mean <keybase@exodus.io>?

Re: Ok why it doesn't want to use this key

Post by rene »

Yes, I did mean [ ... ].

Only as a very slight note, by the way: "not a lot of point" wasn't to say entirely no point necessarily. The hashes file came from downloads.exodus.com and the pubkey from keybase.io, both over https. I.e., if you'd have reason to trust that both sites were at least in theory legit and connected although separate, you'd have to assume both to be hacked to get you that matching pair.

Definitely not going to find out myself if there's any such reason, but I did notice the two separate locations. Of course, if the latter cannot be trusted to be legit etc., it's a red flag instead, but you get to decide that :)
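The following is an added example, not code from the thread, from Exodus or from GnuPG's documentation. It reproduces the three outcomes discussed above (rene's "No public key" diagnosis, t42's point that a corrupted file with a known key gives a failed signature instead, and the question of the key being "a constant thing") with a throwaway key pair in temporary keyrings, and it pins the vendor's primary-key fingerprint so that a "Good signature" from some other key is reported as unexpected rather than accepted. Outcomes are read from gpg's machine-readable --status-fd lines, not from the human-readable text (which is localised, as the "di 12 okt" line above shows). It assumes GnuPG 2.1 or later, coreutils and awk are installed; the vendor name, file names and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from Exodus): the three gpg --verify
# outcomes seen above, plus fingerprint pinning, using a throwaway key.
# Assumes GnuPG 2.1+, coreutils and awk. Nothing is sent over the network.
set -eu

if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not installed; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/vendor"            # keyring that signs (stands in for the vendor)
export GNUPGHOME="$WORK/downloader"   # keyring that verifies (stands in for yhyh66's machine)
mkdir -m 700 "$SIGNER_HOME" "$GNUPGHOME"
trap 'GNUPGHOME="$SIGNER_HOME" gpgconf --kill gpg-agent 2>/dev/null || :; gpgconf --kill gpg-agent 2>/dev/null || :; rm -rf "$WORK"' EXIT

# Vendor side: generate an unprotected demo key, clearsign a constructed hashes file,
# and export the public key as pgp_keys.asc (the counterpart of the file linked from
# the real hashes file). "Demo Vendor" and the file contents are made up for the demo.
vendor_gpg() { GNUPGHOME="$SIGNER_HOME" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
vendor_gpg --quick-gen-key 'Demo Vendor <release@vendor.example>' default default never
VENDOR_FPR=$(vendor_gpg --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')
printf '%s  demo-release-1.0.AppImage\n' \
    "$(printf 'constructed release contents' | sha256sum | cut -d' ' -f1)" > "$WORK/hashes.txt"
vendor_gpg --clearsign --output "$WORK/hashes-signed.txt" "$WORK/hashes.txt"
vendor_gpg --armor --export "$VENDOR_FPR" > "$WORK/pgp_keys.asc"

# Downloader side. Prints one token per outcome, taken from the [GNUPG:] status
# lines, which are stable across gpg versions and locales.
verify_outcome() {   # verify_outcome FILE PINNED_PRIMARY_FINGERPRINT
    status=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null || true)
    if   printf '%s\n' "$status" | grep -q '^\[GNUPG:\] NO_PUBKEY '; then echo no-public-key
    elif printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG ';    then echo bad-signature
    elif printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ';   then
        # the last field of VALIDSIG is the primary-key fingerprint of whoever signed
        signer=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / { print $NF }')
        if [ "$signer" = "$2" ]; then echo good-signature-pinned-key
        else echo good-signature-unexpected-key; fi
    else echo no-signature-found
    fi
}

# 1) yhyh66's situation: a signed file, but no public key that matches the signature.
RESULT_NO_KEY=$(verify_outcome "$WORK/hashes-signed.txt" "$VENDOR_FPR")
# 2) Import the vendor key; now the signature checks out and the fingerprint matches the pin.
gpg --batch --quiet --import "$WORK/pgp_keys.asc"
RESULT_GOOD=$(verify_outcome "$WORK/hashes-signed.txt" "$VENDOR_FPR")
# 3) Change one character inside the signed text: the key is known, so this is BADSIG, not NO_PUBKEY.
sed 's/1\.0\.AppImage/1.1.AppImage/' "$WORK/hashes-signed.txt" > "$WORK/hashes-tampered.txt"
RESULT_TAMPERED=$(verify_outcome "$WORK/hashes-tampered.txt" "$VENDOR_FPR")
# 4) A valid signature from a key other than the one pinned on a previous release is still a red flag.
RESULT_WRONG_PIN=$(verify_outcome "$WORK/hashes-signed.txt" "0000000000000000000000000000000000000000")

printf '%-26s %s\n' 'no key imported:' "$RESULT_NO_KEY" 'vendor key imported:' "$RESULT_GOOD" \
    'tampered file:' "$RESULT_TAMPERED" 'good sig, unpinned key:' "$RESULT_WRONG_PIN"
```

The pinned fingerprint is the value you record the first time you have an independent reason to trust the key (the keybase.io page, a fingerprint printed on the vendor's site, an earlier release you already verified); on every later release, compare the VALIDSIG fingerprint against that record rather than against whatever key the hashes file happens to point at. A key that changes between releases is exactly the case this catches.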