Home / server / Questions / 960268
Accepted
fadedbee
Asked: 2019-03-28 06:33:20 +0800 CST

How do I successfully import public key 94532124541922FB into GPG?

  • 772

I think I need to have the key 94532124541922FB in my keyring as multistrap is reporting:

W: GPG error: http://packages.roundr.devuan.org/merged ascii InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 94532124541922FB
W: The repository 'http://auto.mirror.devuan.org/merged ascii InRelease' is not signed.

I tried importing the key using:

user@host:~/multistrap$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 94532124541922FB
Executing: /tmp/apt-key-gpghome.wsOOsj4iqi/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 94532124541922FB
key 94532124541922FB:
1 signature not checked due to a missing key
gpg: key 94532124541922FB: "Devuan Repository (Primary Devuan signing key) <[email protected]>" 1 new signature
gpg: Total number processed: 1
gpg:         new signatures: 1

I wasn't sure if this was successful, so I tried:

user@host:~/multistrap$ gpg --list-keys
/home/user/.gnupg/pubring.kbx
--------------------------------
pub   rsa3072 2019-03-25 [SC] [expires: 2021-03-24]
      579B175CD95705FB9A6C3D271587404115319AFF
uid           [ultimate] User <[email protected]>
sub   rsa3072 2019-03-25 [E] [expires: 2021-03-24]

Which makes me think it has failed.

How do I get the key 94532124541922FB?

Update: I have discovered that apt-key has a different keyring from GPG and that GPG has different keyrings dependent on whther you're using sudo.

The key is there, with apt-key:

user@host:~/multistrap$ sudo apt-key adv --list-keys
Executing: /tmp/apt-key-gpghome.12skPKfRJz/gpg.1.sh --list-keys
/tmp/apt-key-gpghome.12skPKfRJz/pubring.gpg
-------------------------------------------
...
pub   rsa2048 2014-12-02 [SC]
      72E3CB773315DFA2E464743D94532124541922FB
uid           [ unknown] Devuan Repository (Primary Devuan signing key) <[email protected]>
sub   rsa2048 2014-12-02 [E]
sub   rsa4096 2016-04-26 [S]

pub   rsa4096 2016-10-06 [SC]
      CF1921B2D91C6435848E810099C46A90B1FB3B59
uid           [ unknown] Devuan ISO Toaster (Devuan GNU+Linux) <[email protected]>
sub   rsa4096 2016-10-06 [E]

pub   rsa4096 2017-09-04 [SC] [expires: 2022-09-03]
      E032601B7CA10BC3EA53FA81BB23C00C61FC752C
uid           [ unknown] Devuan Repository (Amprolla3 on Nemesis) <[email protected]>
sub   rsa4096 2017-09-04 [E] [expires: 2022-09-03]

but still multistrap complains:

user@host:~/multistrap$ sudo multistrap -a armhf -d /multistrap-devuan-ascii -f simple-config
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
    LANGUAGE = (unset),
    LC_ALL = (unset),
    LANG = "en_GB.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
multistrap 2.2.9 using simple-config
multistrap 2.2.9 using simple-config
Defaulting architecture to native: armhf
multistrap building armhf multistrap on 'armhf'
I: Downloading debian-archive-keyring 
Get:1 http://packages.roundr.devuan.org/merged ascii/main armhf debian-archive-keyring all 2017.5 [56.4 kB]
Fetched 56.4 kB in 0s (67.5 kB/s)           
Getting package lists: APT_CONFIG=/tmp/multistrap.QTx1QB apt-get  -o Apt::Architecture=armhf -o Dir::Etc::TrustedParts=/multistrap-devuan-ascii/etc/apt/trusted.gpg.d -o Dir::Etc::Trusted=/multistrap-devuan-ascii/etc/apt/trusted.gpg -o Apt::Get::Download-Only=true -o Apt::Install-Recommends=false -o Dir=/multistrap-devuan-ascii/ -o Dir::Etc=/multistrap-devuan-ascii/etc/apt/ -o Dir::Etc::Parts=/multistrap-devuan-ascii/etc/apt/apt.conf.d/ -o Dir::Etc::PreferencesParts=/multistrap-devuan-ascii/etc/apt/preferences.d/ -o APT::Default-Release='*' -o Dir::State=/multistrap-devuan-ascii/var/lib/apt/ -o Dir::State::Status=/multistrap-devuan-ascii/var/lib/dpkg/status -o Dir::Cache=/multistrap-devuan-ascii/var/cache/apt/ update
Get:1 http://packages.roundr.devuan.org/merged ascii InRelease [21.9 kB]
Ign:1 http://packages.roundr.devuan.org/merged ascii InRelease
Fetched 21.9 kB in 0s (34.5 kB/s)
Reading package lists... Done
W: GPG error: http://packages.roundr.devuan.org/merged ascii InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 94532124541922FB
W: The repository 'http://auto.mirror.devuan.org/merged ascii InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
gpg

1 Answers

  1. Best Answer

    The problem is that multistrap is only trusting keys in /multistrap-devuan-ascii/etc/apt/trusted.gpg.d in the target directory.

    When multistrapping Debian, this directory is filled with files extracted from the debian-archive-keyring package.

    This package is specified as keyring in simple-config:

    [General]
unpack=true
bootstrap=Debian
aptsources=Debian

[Debian]
packages=
source=http://ftp.uk.debian.org/debian
keyring=debian-archive-keyring
suite=lenny

    As I am installing Devuan (a systemd-less Debian fork), my simple-config looks like:

    [General]
unpack=true
bootstrap=Devuan
aptsources=Devuan

[Devuan]
packages=
source=http://auto.mirror.devuan.org/merged
keyring=
suite=ascii

    The debian-archive-keyring package does exist in Devuan, but only has Debian keys, not the missing Devuan key. There is no devuan-archive-keyring.

    So it looks like I need to make a devuan-archive-keyring package which contains the Devuan public key.

    (I've confirmed that this will work, by placing repository-devuan-org.gpg in /multistrap-devuan-ascii/etc/apt/trusted.gpg.d/ after a failed multistrap run. ON second invocation multistrap then runs without errors.)

    Follow-on question: What is the Devuan equivalent of the Debian debian-archive-keyring package?

    • 3