Yesterday I wanted to install a proprietary git GUI (😞) called GitKraken on Manjaro Linux but ended up learning something completely different, because GitKraken depends on libcurl-openssl-1.0, which would not build due to a failure of a call to the

==> Verifying source file signatures with gpg...
    curl-7.54.0.tar.gz ... FAILED (unknown public key 5CC908FDB71E12C2)
==> ERROR: One or more PGP signatures could not be verified!
So anyway I did some googling and found lots of answers containing the word "OpenPGP". Note how the g and p are swapped between OpenPGP and gpg, but that is fine because gpg stands for GnuPG, which is an implementation of the OpenPGP standard.
Moving on, I quickly found a solution that made the problem go away:
gpg --recv-keys 5CC908FDB71E12C2
But wait a minute, what just happened? Is this even the right public key? Where does it come from? Would it be safe to add this to the PKGBUILD file? (oh dear)
It turns out yes, it probably is the right key, and you can verify it like this:
$ gpg --list-keys
~/.gnupg/pubring.kbx
--------------------------------
pub   rsa2048 2016-04-07 [SC]
      27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
uid           [ unknown] Daniel Stenberg <email@example.com>
sub   rsa2048 2016-04-07 [E]
When I go to Daniel Stenberg's website, download his GPG keys, compute the fingerprint of each and compare them, one of them matches with
GPG knows a concept called key ID, which is different from (shorter than) the key fingerprint, as explained in this thread: the 16-hex-digit "long" key ID is simply the last 16 hex digits of the 40-hex-digit fingerprint. So that explains the mysterious 5CC908FDB71E12C2 (compare the tail of the fingerprint in the listing above). And what gpg does when you run it with --recv-keys is go around asking various keyservers in a web-of-trust architecture, such as pgp.mit.edu, for a key with the ID or fingerprint given after the flag, and then download the key it finds. Keep in mind that a keyserver only stores and hands out keys; anyone can upload a key with any name attached, so the actual check is comparing the full fingerprint against one obtained from the author, as above. To host a keyserver, you can run the gpg command with some flags.
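To make the "is this the right key?" check above repeatable, here is an added example (my own code, not part of the original post) that parses gpg's machine-readable `--with-colons` listing and accepts a fetched key only when its full fingerprint equals the one copied from the author's website; the listing records are constructed to mirror the post's key, and the second primary key sharing the same long key ID is made up to show why the 16-hex ID alone is not enough.

```python
import subprocess

# Constructed sample of `gpg --with-colons --fingerprint --list-keys 5CC908FDB71E12C2`.
# Record layout is gpg's real one: field 5 of 'pub' is the key ID, field 10 of 'fpr'
# the fingerprint. The second 'pub' block is invented for the demonstration.
SAMPLE_LISTING = """\
pub:-:2048:1:5CC908FDB71E12C2:1459987200::-:::scSC::::::23::0:
fpr:::::::::27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2:
uid:-::::1459987200::0123456789ABCDEF0123456789ABCDEF01234567::Daniel Stenberg <email@example.com>::::::::::0:
sub:-:2048:1:0123456789ABCDEF:1459987200::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA98760123456789ABCDEF:
pub:-:2048:1:5CC908FDB71E12C2:1700000000::-:::scSC::::::23::0:
fpr:::::::::DEADBEEFDEADBEEFDEADBEEF5CC908FDB71E12C2:
uid:-::::1700000000::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Someone Else <other@example.com>::::::::::0:
"""

def normalize(fpr):
    """Accept a fingerprint as printed on a website ('27ED EAF2 ...') or bare."""
    return fpr.replace(" ", "").upper()

def long_key_id(fpr):
    """The 16-hex 'long' key ID gpg prints is just the tail of the v4 fingerprint."""
    return normalize(fpr)[-16:]

def primary_fingerprints(listing):
    """Return [(key_id, fingerprint)] for primary keys only: the 'fpr' record that
    directly follows a 'pub' record. An 'fpr' after 'sub' belongs to a subkey."""
    keys, key_id, expect_fpr = [], None, False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key_id, expect_fpr = f[4], True
        elif f[0] == "fpr" and expect_fpr:
            keys.append((key_id, f[9]))
            expect_fpr = False
        else:
            expect_fpr = False
    return keys

def verify_fetched_key(listing, trusted_fpr):
    """Return (key_id, fingerprint) only if exactly one primary key carries the
    fingerprint obtained out of band; otherwise None. Matching on key ID alone
    would be ambiguous here, since both sample keys share 5CC908FDB71E12C2."""
    wanted = normalize(trusted_fpr)
    hits = [(kid, fpr) for kid, fpr in primary_fingerprints(listing) if fpr == wanted]
    return hits[0] if len(hits) == 1 else None

def gpg_listing(key_id):
    """Live variant: run the real gpg on a key already fetched with --recv-keys."""
    cmd = ["gpg", "--with-colons", "--fingerprint", "--list-keys", key_id]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
```

Feed `gpg_listing("5CC908FDB71E12C2")` into `verify_fetched_key` with the fingerprint from the author's site to run the check for real.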
To be honest, that whole deal feels a little scary to me, but at least there is some sort of public key signing and verification going on when I install stuff with yaourt, so that's nice.