Yesterday I wanted to install a proprietary git GUI (😞) called gitkraken on manjaro linux but ended up learning something completely different, because Gitkraken depends on libcurl-openssl-1.0, which would not build due to a failure of a call to the gpg command:

==> Verifying source file signatures with gpg...
    curl-7.54.0.tar.gz ... FAILED (unknown public key 5CC908FDB71E12C2)
==> ERROR: One or more PGP signatures could not be verified!

So anyways I did some googling and found lots of answers containing the word "OpenPGP". Note how the g and p are swapped between OpenPGP and gpg, but that is fine: gpg stands for GnuPG, which is an implementation of the OpenPGP standard.

Moving on, I quickly found a solution that made the problem go away:

gpg --recv-keys 5CC908FDB71E12C2

But wait a minute, what just happened? Is this even the right public key? Where does it come from? Would it be safe to add this to the PKGBUILD file? (oh dear)

It turns out yes, it probably is the right key, and you can verify it like this:

$ gpg --list-keys
~/.gnupg/pubring.kbx
--------------------------------
pub   rsa2048 2016-04-07 [SC]
      27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
uid           [ unknown] Daniel Stenberg <daniel@haxx.se>
sub   rsa2048 2016-04-07 [E]

When I go to Daniel Stenberg's website, download his GPG keys, calculate the signature from that and compare them, one of them matches 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2.

GPG knows a concept called the key ID, which is different from (shorter than) the key fingerprint, as explained in this thread: the long key ID is simply the last 16 hex digits of the 40-digit fingerprint, which is where the mysterious 5CC908FDB71E12C2 comes from (compare the tail of 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2). What gpg does when you run it with --recv-keys is ask keyservers such as pgp.mit.edu, the distribution layer of the web-of-trust architecture, for a key with the ID or fingerprint given after the flag, and then import whatever key it finds. To host a keyserver, you can run the gpg command with some flags.
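As an added example (not from the original post): a small Python script that derives the key ID from a fingerprint and checks that the ID gpg complained about resolves, in the keyring listing above, to the fingerprint obtained out of band from the author's website. The sample listing is the output shown above; the helper names are my own.

```python
"""Check that a gpg key ID from an error message really belongs to the
fingerprint you verified out of band (e.g. from the maintainer's website)."""
import re

# Constructed sample: the `gpg --list-keys` output shown in the post.
LIST_KEYS_OUTPUT = """\
~/.gnupg/pubring.kbx
--------------------------------
pub   rsa2048 2016-04-07 [SC]
      27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
uid           [ unknown] Daniel Stenberg <daniel@haxx.se>
sub   rsa2048 2016-04-07 [E]
"""

# A fingerprint line is an indented run of exactly 40 hex digits.
FINGERPRINT_RE = re.compile(r"^\s+([0-9A-Fa-f]{40})\s*$", re.MULTILINE)


def normalize(hexid: str) -> str:
    """Strip spaces and an optional 0x prefix, upper-case the hex digits."""
    h = hexid.replace(" ", "").upper()
    return h[2:] if h.startswith("0X") else h


def key_id(fingerprint: str, long: bool = True) -> str:
    """OpenPGP v4 key IDs are the low-order 64 bits (long ID) or 32 bits
    (short ID) of the 160-bit fingerprint, i.e. its last 16 or 8 hex digits."""
    fpr = normalize(fingerprint)
    if len(fpr) != 40:
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return fpr[-16:] if long else fpr[-8:]


def fingerprints_in_keyring(listing: str) -> list:
    """Pull the full fingerprints out of `gpg --list-keys` output."""
    return [m.upper() for m in FINGERPRINT_RE.findall(listing)]


def key_id_matches(listing: str, wanted_id: str, trusted_fingerprint: str) -> bool:
    """True only if the ID gpg complained about resolves, in the local keyring,
    to the fingerprint obtained out of band. A bare key ID is just a suffix and
    can collide, so it is the full fingerprint that should be pinned."""
    wanted = normalize(wanted_id)
    if len(wanted) not in (8, 16):
        raise ValueError("expected an 8- or 16-hex-digit key ID")
    matches = [f for f in fingerprints_in_keyring(listing) if f.endswith(wanted)]
    return normalize(trusted_fingerprint) in matches
```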

To be honest, that whole deal feels a little scary to me, but at least there is some sort of public key signing and verification going on when I install stuff with yaourt, so that's nice.