You are not logged in.
I downloaded the iso for helium today. When I tried importing the signature, I get an error about missing keys.
$ gpg --import <(wget -qO- https://ddl.bunsenlabs.org/ddl/BunsenLabs-RELEASE.asc)
gpg: key A0673F72FE62D9C5: 2 signatures not checked due to missing keys
gpg: key A0673F72FE62D9C5: " (BunsenLabs Repository Signing Key) <>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
How do I fix the missing keys so that I can verify the gpg signature for the iso file?
Offline
The missing key error is not important (it refers to other built-in keys than the BL release signing key) - the signing key was already imported in your system, hence the "unchanged" message.
To use your gpg key to verify the iso you now need to download the PGP .sig file from the link on the right, then run the command on the BL install page. eg for the amd64 iso, assuming it and the sig are in the same directory, I get this result:
$ gpg --verify helium-5-amd64.hybrid.iso.sig helium-5-amd64.hybrid.iso
gpg: Signature made Wed 10 Jul 2019 02:22:59 JST
gpg: using RSA key 3172478405227490BBB743E6A0673F72FE62D9C5
gpg: Good signature from " (BunsenLabs Repository Signing Key) <>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3172 4784 0522 7490 BBB7 43E6 A067 3F72 FE62 D9C5
A simpler way to verify the iso file is to run:
sha256sum <filename>.iso
and compare the result with the published sha256 sum on the webpage.
...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )
Offline
Ok, so I tried running gpg.
$ gpg --verify BunsenLabs-RELEASE.asc helium-5-amd64.hybrid.iso
gpg: verify signatures failed: Unexpected error
I figured that this "unexpected error" was related to the missing keys. Perhaps it is due to something else.
I did successfully verify the download with sha256sum.
Thank you for the help!
Offline
Ok, so I tried running gpg.
$ gpg --verify BunsenLabs-RELEASE.asc helium-5-amd64.hybrid.iso gpg: verify signatures failed: Unexpected error
I figured that this "unexpected error" was related to the missing keys. Perhaps it is due to something else.
I did successfully verify the download with sha256sum.
Thank you for the help!
You must specify the detached .sig file and the standalone file to be checked against the signature, not the key and the standalone file.
Offline