
Re: gpg says no user ID



Hi Thomas,

Here's some feedback while looking at things from 10,000 feet. There
are several problems with processes and documentation.

On Wed, Nov 16, 2022 at 3:14 AM Thomas Schmitt <scdbackup@gmx.net> wrote:
>
> Thomas George wrote:
> >  I am going to erase every thing I have done and start over.
>
> There's no need for starting over. The SHA512SUM file is meanwhile
> authenticated by your run of:
>
> > > gpg2 --verify SHA512SUMS.sign SHA512SUMS
> > > [...]
> > >   gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
> > > [...]
> > > ...gpg: WARNING: This key is not certified with a trusted signature!
> > > ......There is no indication that the signature belongs to the owner
> > > ...Primary key fingerprint: DF9B9C49EAA9298432589D76DA87E80D6294BE9B
>
> The warning is normal with the Debian keys and can be ignored.

This is a security usability problem. How is a non-expert to know that
this warning can be ignored, while others must be tended to?

(The answer is, the non-expert does not know. The system needs to be
fixed to accommodate the user. The user should not have to accommodate
the system).

> Important is the key fingerprint, which is published on
>   https://www.debian.org/CD/verify

From the page:

    To ensure that the checksums files themselves are correct,
    use GnuPG to verify them against the accompanying signature
    files (e.g. SHA512SUMS.sign).

The page does not provide a prescriptive recipe on how to do what it
says to do. The documentation should include a prescriptive recipe. A
prescriptive recipe lays out the exact steps a user should perform,
similar to what you're doing in this email.

>   Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
>
> I would leave it to copy+paste and the computer to compare the strings.
> Remove the blanks from the published number:
>
>   echo "DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B" | sed -e 's/ //g'

Something needs to be fixed here. The user should be able to use that
string as presented. I don't know where the problem lies (GnuPG
maybe?), but whatever verifies the signature should consume that
representation since it is a common representation.

> which will respond by
>
>   DF9B9C49EAA9298432589D76DA87E80D6294BE9B
>
> Copy+paste the result and the string reported by gpg --verify to a
> comparison command:
>
>   test DF9B9C49EAA9298432589D76DA87E80D6294BE9B = DF9B9C49EAA9298432589D76DA87E80D6294BE9B && echo MATCH
>
> which responds by
>
>   MATCH
>
> ----------------------------------------------------------------------
>
> So now you only have to verify the SHA512 checksum of the ISO by
>
>   sha512sum -c SHA512SUMS
>
> and watching out for the response
>
>   debian-11.5.0-amd64-netinst.iso: OK

One last thought... https://www.debian.org/CD/verify should probably
be moved to the wiki. The page would already be updated if the world
could edit it. (I can say that as a fact since I would have already
modified it). As a static web page, it is bit-rotting because only the
Debian webmaster can edit it.

Jeff
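A prescriptive recipe of the kind asked for above, written as an added example (it is not from debian.org, GnuPG or this thread): it accepts the published fingerprint exactly as printed with blanks, reads the fingerprint GnuPG reports via its machine-readable `--status-fd` VALIDSIG line, compares the two, and only then runs the checksum. The file names and the presence of GnuPG 2.x and GNU coreutils are assumptions.

```shell
#!/bin/sh
# Added example: verify a Debian SHA512SUMS file and ISO end to end.
# Assumes GnuPG 2.x (for the VALIDSIG status line) and GNU sha512sum.

# Strip blanks and uppercase, so the "DF9B 9C49 ..." form printed on
# https://www.debian.org/CD/verify can be pasted as-is.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# True when two fingerprints agree regardless of spacing or case.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Print the primary key fingerprint GnuPG attaches to a valid signature.
# VALIDSIG's last field is the primary key fingerprint; the function
# fails if gpg emits no VALIDSIG (bad signature, missing key, etc.).
signature_fingerprint() {
    sig="$1"; data="$2"
    gpg --status-fd 1 --verify "$sig" "$data" 2>/dev/null \
        | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1 }
               END { exit !found }'
}

# The full recipe: signature -> fingerprint comparison -> checksum.
# Usage: verify_debian_iso "<published fpr>" SHA512SUMS SHA512SUMS.sign
verify_debian_iso() {
    published="$1"; sums="$2"; sig="$3"
    reported=$(signature_fingerprint "$sig" "$sums") \
        || { echo "gpg did not accept the signature on $sums"; return 1; }
    fpr_matches "$published" "$reported" \
        || { echo "fingerprint MISMATCH: $reported"; return 1; }
    echo "fingerprint MATCH"
    # --ignore-missing: only check the ISO(s) actually present in this directory.
    sha512sum -c --ignore-missing "$sums"
}
```

A MATCH line followed by `debian-11.5.0-amd64-netinst.iso: OK` is the expected outcome; anything else stops before the checksum is trusted.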

