Verify signatures failed
Status: Closed, Invalid (Public)

Description

The tool fails to check the Fedora installation ISO file, while the command 'gpg --verify-files *-CHECKSUM' succeeds.

OS: Fedora; component: gnupg2.x86_64 2.2.17-2.fc31 @anaconda

Commands executed:

$ curl https://getfedora.org/static/fedora.gpg|gpg --import
gpg: key 50CB390B3C3359C4: public key "Fedora (31) <fedora-31-primary@fedoraproject.org>" imported

$ gpg --verify-files *-CHECKSUM
gpg: Signature made Fri 25 Oct 2019 16:09:48 EEST
gpg: using RSA key 50CB390B3C3359C4
gpg: Good signature from "Fedora (31) <fedora-31-primary@fedoraproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7D22 D586 7F2A 4236 474B F7B8 50CB 390B 3C33 59C4

$ gpg --armor --export export-minimal 7D22D5867F2A4236474BF7B850CB390B3C3359C4 > ~/50CB390B3C3359C4.asc

$ gpg --verify ~/50CB390B3C3359C4.asc Fedora-Workstation-Live-x86_64-31-1.9.iso
gpg: verify signatures failed: Unexpected error

Details

Version
gpg 2.2.17 – libgcrypt 1.8.5
werner added a subscriber: werner.

I am not sure what you are trying to do. What I see is a verify command using an unknown file or number of files without knowing its content (using globbing (*-SOMETHING) is not a good idea). Some signature is verified okay, but it is not known whether the key is trustworthy. You export a key and then you do a verify on the key - this can't work because a key file is not a signature.

I would suggest to ask on a mailing list or follow the instructions on fedora.org on how to verify the signed images. They will have the fingerprint of their signing key somewhere on the website.

werner closed this task as Invalid. Dec 2 2019, 5:27 PM
werner added a project: Support.
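The flow the report was reaching for, as an added example that is not part of this ticket and not GnuPG's or Fedora's own code: the signed artifact is the CHECKSUM file, so that is what `gpg --verify` is run on, the signer is pinned to the fingerprint published on the Fedora website (the one printed in the session above), and only then is the ISO compared against the hash listed inside the CHECKSUM file. The fingerprint is taken from the report; the sample image, the sample CHECKSUM line, the gpg status lines and the CHECKSUM file name in the final comment are constructed for illustration. The helpers that parse the status output and the checksum line are exercised on that constructed data without needing gpg or a download.

```shell
#!/bin/sh
# Added example (not from the bug report, GnuPG or Fedora). Verifies a Fedora
# image the way the project documents it: check the signature on the CHECKSUM
# file, pin the signing key's fingerprint, then check the ISO against the hash
# inside the CHECKSUM file. Never run --verify on an exported key file.

# Fingerprint printed by gpg in the report above; pin it from getfedora.org.
FEDORA_31_FPR="7D22D5867F2A4236474BF7B850CB390B3C3359C4"

# gpg emits machine-readable lines on --status-fd. "Good signature" alone is not
# enough (hence the WARNING about an uncertified key): require the VALIDSIG line
# to carry the pinned fingerprint. $1 = file holding the status lines, $2 = fpr.
signer_matches() {
    status_file="$1"; expected="$2"
    actual=$(awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3; exit}' "$status_file")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Fedora CHECKSUM files list images as BSD-style "SHA256 (name) = hex" lines
# inside the clearsigned text. Look up the line for this image and compare it
# with a freshly computed digest; refuse if the image is not listed at all.
# (The documented one-liner equivalent is: sha256sum -c --ignore-missing *-CHECKSUM)
image_matches_checksum() {
    checksum_file="$1"; image="$2"
    name=$(basename "$image")
    expected=$(awk -v n="($name)" '$1=="SHA256" && $2==n {print $4; exit}' "$checksum_file")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$image" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Full flow on real files (needs gpg with the Fedora key imported, as in the
# report): $1 = the *-CHECKSUM file, $2 = the ISO it lists.
verify_fedora_image() {
    checksum_file="$1"; image="$2"
    status=$(mktemp)
    # --verify runs against the clearsigned CHECKSUM document, not a key file.
    if ! gpg --status-fd 1 --verify "$checksum_file" >"$status" 2>/dev/null; then
        rm -f "$status"; return 1
    fi
    signer_matches "$status" "$FEDORA_31_FPR"; ok=$?
    rm -f "$status"
    [ "$ok" -eq 0 ] || return 1
    image_matches_checksum "$checksum_file" "$image"
}

# Constructed self-check data (no gpg, no network): a sample "image", a
# CHECKSUM line that matches it, and status lines shaped like gpg's output.
# Prints the temp directory holding the three files.
make_sample() {
    dir=$(mktemp -d)
    printf 'constructed sample image, not a real ISO\n' > "$dir/sample.iso"
    h=$(sha256sum "$dir/sample.iso" | cut -d' ' -f1)
    printf 'SHA256 (sample.iso) = %s\n' "$h" > "$dir/sample-CHECKSUM"
    printf '[GNUPG:] GOODSIG 50CB390B3C3359C4 Fedora (31) <fedora-31-primary@fedoraproject.org>\n' > "$dir/status"
    printf '[GNUPG:] VALIDSIG %s 2019-10-25 1572008988 0 4 0 1 8 00 %s\n' \
        "$FEDORA_31_FPR" "$FEDORA_31_FPR" >> "$dir/status"
    echo "$dir"
}

# Stand-alone run: exercise the helpers on the constructed data.
d=$(make_sample)
if signer_matches "$d/status" "$FEDORA_31_FPR" && image_matches_checksum "$d/sample-CHECKSUM" "$d/sample.iso"; then
    echo "constructed sample: signer pinned and image hash matches"
fi
rm -rf "$d"
# With the real downloads in the current directory (CHECKSUM file name assumed):
# verify_fedora_image Fedora-Workstation-31-1.9-x86_64-CHECKSUM Fedora-Workstation-Live-x86_64-31-1.9.iso
```

The two checks are deliberately separate: a valid signature from the wrong key (or from a key whose fingerprint you never compared with the website) proves nothing, and a matching hash from an unsigned or unverified CHECKSUM file proves nothing either; both must pass before the ISO is trusted.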