
#1 2020-05-19 05:45:14

Aijalon
Member
Registered: 2017-05-18
Posts: 14

Trouble verifying helium iso download - gpg missing keys

I downloaded the iso for helium today. When I tried importing the signature, I get an error about missing keys.

$ gpg --import <(wget -qO- https://ddl.bunsenlabs.org/ddl/BunsenLabs-RELEASE.asc)
gpg: key A0673F72FE62D9C5: 2 signatures not checked due to missing keys
gpg: key A0673F72FE62D9C5: "Jens John (BunsenLabs Repository Signing Key) <dev@2ion.de>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

How do I fix the missing keys so that I can verify the gpg signature for the iso file?


#2 2020-05-19 06:14:12

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 6,811

Re: Trouble verifying helium iso download - gpg missing keys

The missing key error is not important (it refers to other built-in keys than the BL release signing key) - the signing key was already imported in your system, hence the "unchanged" message.

To use your gpg key to verify the iso you now need to download the PGP .sig file from the link on the right, then run the command on the BL install page. E.g. for the amd64 iso, assuming it and the sig are in the same directory, I get this result:

$ gpg --verify helium-5-amd64.hybrid.iso.sig helium-5-amd64.hybrid.iso
gpg: Signature made Wed 10 Jul 2019 02:22:59 JST
gpg:                using RSA key 3172478405227490BBB743E6A0673F72FE62D9C5
gpg: Good signature from "Jens John (BunsenLabs Repository Signing Key) <dev@2ion.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3172 4784 0522 7490 BBB7  43E6 A067 3F72 FE62 D9C5

A simpler way to verify the iso file is to run:

sha256sum <filename>.iso

and compare the result with the published sha256 sum on the webpage.


...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), idle Twitterings and GitStuff )

Introduction to the Bunsenlabs Lithium Desktop


#3 2020-05-19 15:03:17

Aijalon
Member
Registered: 2017-05-18
Posts: 14

Re: Trouble verifying helium iso download - gpg missing keys

Ok, so I tried running gpg.

$ gpg --verify BunsenLabs-RELEASE.asc helium-5-amd64.hybrid.iso 
gpg: verify signatures failed: Unexpected error

I figured that this "unexpected error" was related to the missing keys. Perhaps it is due to something else.

I did successfully verify the download with sha256sum.

Thank you for the help!


#4 2020-05-19 15:23:56

twoion
ほやほや
Registered: 2015-08-10
Posts: 2,780

Re: Trouble verifying helium iso download - gpg missing keys

Aijalon wrote:

Ok, so I tried running gpg.

$ gpg --verify BunsenLabs-RELEASE.asc helium-5-amd64.hybrid.iso 
gpg: verify signatures failed: Unexpected error

I figured that this "unexpected error" was related to the missing keys. Perhaps it is due to something else.

I did successfully verify the download with sha256sum.

Thank you for the help!

You must specify the detached .sig file and the standalone file to be checked against the signature, not the key and the standalone file.


Per aspera ad astra.
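
The advice from posts #2 and #4 as a script (an added example, not part of the original thread or BunsenLabs' own tooling): it refuses an armored public key passed where the detached .sig belongs, then reads gpg's machine-readable --status-fd output and accepts only a valid signature whose primary key fingerprint equals the one shown in post #2. The function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: verify an ISO against its detached signature and pin the signer.
# EXPECTED_FPR is the primary key fingerprint printed by gpg in post #2.
EXPECTED_FPR=3172478405227490BBB743E6A0673F72FE62D9C5

# Catch the mistake from post #3: an armored public key (BunsenLabs-RELEASE.asc)
# given in place of the detached signature. Only armored files carry a header;
# a binary .sig passes this check and is judged by gpg itself.
looks_like_key() {
    head -c 64 "$1" | grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----'
}

# Read "gpg --status-fd" lines on stdin. Succeed only if a VALIDSIG line names
# the expected primary key fingerprint (its last field) and no line reports a
# bad, unverifiable, expired or revoked signature. Anything else fails closed.
status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { good = 1 }
        END { exit !(good && !bad) }'
}

# usage: verify_iso <file.iso.sig> <file.iso>
# returns 0 = signed by the pinned key, 1 = verification failed, 2 = wrong input
verify_iso() {
    if looks_like_key "$1"; then
        echo "error: $1 is a public key, not a detached signature" >&2
        return 2
    fi
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_ok "$EXPECTED_FPR"
}
```

Called as verify_iso helium-5-amd64.hybrid.iso.sig helium-5-amd64.hybrid.iso, the exit status answers the question the "[unknown]" trust warning leaves open: whether the signing key is the one with the published fingerprint.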

