I asked a recent, separate Ask Ubuntu question with the following in the body:
W: An error occurred during the signature verification.
The repository is not updated and the previous index files will be used.
GPG error: https://dl.winehq.org/wine-builds/ubuntu bionic InRelease:
The following signatures couldn't be verified
because the public key is not available: NO_PUBKEY 76F1A20FF987672F
As you can see part of my error message exposes PUBKEY 76F1A20FF987672F. Was this the public key of WINE, or is this my own public key?
Most importantly, is this PUBKEY 76F1A20FF987672F information I should NOT be posting on a public forum (this one)?
I assume a private key is the only thing I would never want to divulge. I'm reading Wikipedia's Public-key cryptography page now, but it's a little overwhelming.
No! This is the keyID of the key-pair from Winehq.org!!
This is not your public (or private) key. You probably don't have one yet. If you ever need a private-public key pair, you will have to create them.
The keyID is like the number on a physical key. The same number is also on a lock the key belongs to. There is no harm in posting this information in a public forum. The private key of winehq is safely with the... (guess who?)
WineHQ
WineHQ changed their private-public key combination. Why? The same reason people change their locks. Physical keys (and digital keys) get lost (or deleted) or stolen.
See signature verification error for wine - index files failed to download - changing mirror doesn't help for how to download the new public key from WineHQ. Once you have the new public key, the update will go through. The new public key will verify that the wine update is coming from the WineHQ and no one else. That is because only WineHQ has the matching private key.
Hope this helps
76F1A20FF987672F is an identifying code number for both the public and private key that is associated with the releases stored in this APT repository. It is not a complete key - neither public nor private - and it is useless by itself.
The normal thing to do with one of these code numbers is feed it to gpg --recv-keys to load the complete public key into your local key ring, but this particular public key isn't on the usual "key servers". There are instructions on https://wiki.winehq.org/Ubuntu for how to get it:
Running both of those commands should make apt-get update happy again.
Running just the first command will give you a file containing the complete public key corresponding to the identifying code number. You can learn something about its contents with this command:
The interesting part of the output is right at the beginning:
The "keyid" is the same identifying code number, and the "user ID" is an email address associated with WineHQ. However, don't take that for granted -- whoever generated this key could have set the "user ID" to anything at all. The normal way to determine whether a PGP key belongs to the person or organization you think it does is with the "web of trust", but this key isn't in the web of trust at all, so we have to rely on the fact that we got it from an HTTPS website belonging to the Wine project. This is probably good enough.
"created 1544460984" tells you when the key was created, but in an unhelpful way: that number is a count of seconds since the Unix epoch. You can turn it into something human-readable with the date command:
It was created just ten days ago (as of when I'm writing this). This is probably why you were getting errors from APT -- they changed their key quite recently. This is a suspicious thing to have happen, but there's a note on https://wiki.winehq.org/Ubuntu saying that they did change their key, so it's probably legit, unless the entire winehq.org site has been compromised.
The raw contents of winehq.key look like this:
You can see that this is much larger than the code number. For comparison, a PGP secret key looks something like this. It's even bigger.
(That's a key I created just for the sake of writing this answer, never used to sign or encrypt anything, and immediately destroyed, even though you probably can't do anything interesting if you only have the first 96 bits of a PGP secret key.)
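Why the ID is safe to post, as an added example that is not part of either answer: for a version 4 OpenPGP key, the 16-hex-digit key ID is the low 64 bits of a SHA-1 fingerprint computed over the public-key packet alone (RFC 4880, section 12.2), and the "created" timestamp is a field in that same packet. The RSA numbers below are constructed placeholders, not WineHQ's key, and the function names are hypothetical.

```python
import hashlib
import struct
from datetime import datetime, timezone


def mpi(x: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")


def v4_rsa_public_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2)."""
    # version 4, 4-byte creation time, algorithm 1 (RSA), then the two public MPIs
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def describe(body: bytes) -> dict:
    """Derive creation date, fingerprint and 64-bit key ID from public material only."""
    version, created, _algo = struct.unpack(">BIB", body[:6])
    if version != 4:
        raise ValueError("only version 4 keys are handled here")
    # RFC 4880 section 12.2: fingerprint = SHA-1(0x99 || 2-byte length || body),
    # and the key ID is the low-order 64 bits of that fingerprint.
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    return {
        "created": datetime.fromtimestamp(created, tz=timezone.utc).isoformat(),
        "fingerprint": fpr,
        "keyid": fpr[-16:],
    }


# Constructed sample input: NOT WineHQ's key and not a usable RSA modulus.
SAMPLE_N = (1 << 2047) | 0xC0FFEE01
SAMPLE_E = 65537
CREATED = 1544460984  # the "created" value quoted in the answer above

if __name__ == "__main__":
    info = describe(v4_rsa_public_body(CREATED, SAMPLE_N, SAMPLE_E))
    for field, value in info.items():
        print(f"{field:12} {value}")
```

No secret-key material is an input anywhere, and changing the creation time or the public numbers changes the ID, which is why a re-issued key shows up under a new NO_PUBKEY value.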