Why is it sometimes necessary to manually import keys?

There are many packages on AUR which, when you attempt to install them, result in an error like: ==> ERROR: One or more PGP signatures could not be verified!

This is resolved by importing the key with something like gpg --recv-keys 123456789ABCDEF. The AUR discussion will often provide the key.

I have a few questions about this:

  1. What exactly do these keys do? What is being verified with GPG, and why is it necessary?
  2. Why is it necessary to import keys by hand? Why can't it be automated?
  3. If blindly importing the key from the AUR comment thread is bad, what steps am I supposed to take to "verify" the key?
  4. Where am I supposed to find the key if nobody's bothered to post it in the comments, and if I don't have time to post a comment and hope the maintainer replies?

Searching online, I've found references to a well-known blog post. I'm sad to say that after several careful readings I still do not understand the above points.
  • You should ask only a single question at a time. But it can be complex, or you can post multiple questions.
    – peterh
    Nov 29 '17 at 7:25

  • @peterh They're all related to each other; this wouldn't work as separate questions.
    – Bagalaw
    Jan 19 at 23:13
asked Nov 29 '17 at 1:46 by Bagalaw
2 Answers
accepted
What exactly do these keys do? What is being verified with GPG, and why is it necessary?

The keys are used to verify that the software you're downloading is what the author of the package intended it to be instead of trojan-horse malware from a repository server that may have been successfully infiltrated by an attacker. Or maybe an attacker can redirect your download request to his disguised malware repository instead of a genuine AUR repository. Verification by GPG makes it very difficult for an attacker to successfully use the software repositories as a malware distribution channel.

Why is it necessary to import keys by hand? Why can't it be automated?

You're supposed to make a conscious choice on whether you trust a particular software author/packager or not, and whether you're confident enough for your purposes that the key you've received is genuine and not from an imposter.

The necessary trust & confidence level depends on what you're doing: a private home system for fun, a server that will handle other people's health and/or credit card information for a business, and an ancillary support server for a national missile defense system should each have somewhat different requirements.

If blindly importing the key from the AUR comment thread is bad, what steps am I supposed to take to "verify" the key?

If the key is signed by other people whose keys you already have and you trust those people's judgement at least when it comes to signing GPG keys, you can take that as evidence that the key is probably genuine. Otherwise, you might try getting the key from multiple different sources and compare the results. If it's important enough for you, you might even call or meet the developer to get stronger confirmation that you have the right key.

Where am I supposed to find the key if nobody's bothered to post it in the comments, and if I don't have time to post a comment and hope the maintainer replies?

GPG public keys that are intended to be widely used are commonly published on SKS keyservers: if you don't have the right key, the package tools should be able to display the keyID of the required key, and you can use that to search for the key on the keyservers.

See here for more information on the SKS keyserver network: https://sks-keyservers.net/

You can also google for the keyID.
answered Jan 22 at 9:34 by telcoM
TL;DR - new and enhanced and automated "check the md5sum of the download against the list posted on the website"

The signature is a digital verification of who signed the package with assurance that it hasn't been modified since it was made. Typically signed by either the package maintainer or release manager or someone of "authority" in the distribution's core project maintenance group. In essence, it is an enhanced and automated integrity check on what you are about to install - the new "we've posted the md5sum hash of the list of files, you should compare what you download with these".

The way it works is public/private key - I create a private key with a password (good strong one) and generate a public key with it. I can give out the public key. I generate the package, sign it, and when you install it you are told that the public key matching ABC321FF or whatever is what is needed to verify the signature. Once you import the key, the software on your end can verify that the identifying hash is the same and that the hash was signed by my private key.

The security concerns when it comes to adding software from a repository to your system are "who is it behind this software - oh, and the key too". If it is the key for a distribution (some releases have their own keys, or have revoked and created new keys) then it doesn't matter, you are running software from their distribution anyway. Note that when you get into third-party repositories (like Ubuntu and project PPAs) you'll end up importing a key for each of them, and this could be a concern for you.

What you should be aware of is that that key will now Just Work for anything else that key has signed. Depending on your paranoia level, you may want to add a key as needed, and remove it from your trusted keys list when you've finished installing the package. Of course, with frequent updates you're creating more work and steps to update.

And if you are that paranoid about that key signing something nasty you probably shouldn't be willingly trying to install anything from that repository.
answered Nov 29 '17 at 2:13 by ivanivan
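The mechanics both answers describe, replayed end to end with gpg as an added example that is not part of either answer: a signature whose key is missing (the NO_PUBKEY behind makepkg's error), a same-named key rejected because its fingerprint does not match the expected one, the genuine key verifying but staying untrusted until ownertrust is recorded, and a tampered download failing. It assumes gpg 2.1 or newer on PATH; the user IDs, file names and impostor key are constructed, an exported key file stands in for the keyserver, and the expected fingerprint stands in for what a PKGBUILD's validpgpkeys array holds.

```shell
#!/bin/sh
# Added example, not from the question or its answers: replays, with real gpg
# in throw-away keyrings, what lies behind makepkg's "One or more PGP
# signatures could not be verified!" and what a careful key check looks like.
# All user IDs, file names and the "impostor" are hypothetical.
set -u

# Print only gpg's machine-readable status lines for the given gpg arguments.
gpg_status() {
    gpg --batch --status-fd 1 "$@" 2>/dev/null | grep '^\[GNUPG:\]'
}

# True when the captured status text ($1) contains the status keyword $2.
has_status() {
    printf '%s\n' "$1" | grep -Eq "^\[GNUPG:\] $2( |\$)"
}

# Fingerprint of the first primary key in the current GNUPGHOME.
primary_fingerprint() {
    gpg --batch --with-colons --fingerprint 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fresh keyring at $1 holding one unprotected ed25519 signing key for user ID $2.
new_keyring_with_key() {
    mkdir -m 700 "$1" &&
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" ed25519 sign never 2>/dev/null
}

# Stop the agents gpg started for our keyrings, then remove the work tree.
demo_cleanup() {
    for d in maintainer impostor user; do
        if [ -d "$1/$d" ]; then GNUPGHOME="$1/$d" gpgconf --kill gpg-agent 2>/dev/null; fi
    done
    rm -rf "$1"
}

# Runs in a subshell so GNUPGHOME never leaks into the caller. Exit status: 0 when
# every phase behaves as described, 77 when gpg is absent or older than 2.1, 1 otherwise.
run_demo() (
    command -v gpg >/dev/null 2>&1 || return 77
    case "$(gpg --version | awk 'NR == 1 { print $3 }')" in
        2.[1-9]*|[3-9]*) ;;
        *) return 77 ;;
    esac
    work=$(mktemp -d "${TMPDIR:-/tmp}/gpgdemo.XXXXXX") || return 1
    trap 'demo_cleanup "$work"' EXIT
    uid='Example Maintainer <maintainer@example.invalid>'
    pkg="$work/pkg-1.0.tar.gz"

    # Maintainer signs the release and publishes the public key. An impostor
    # publishes a key with the same name; only the fingerprint tells them apart.
    new_keyring_with_key "$work/maintainer" "$uid" || return 77
    new_keyring_with_key "$work/impostor" "$uid" || return 77
    valid_fpr=$(GNUPGHOME="$work/maintainer" primary_fingerprint)  # what validpgpkeys in a PKGBUILD would hold
    printf 'pretend this is a release tarball\n' > "$pkg"
    GNUPGHOME="$work/maintainer" gpg --batch --quiet --detach-sign --output "$pkg.sig" "$pkg" 2>/dev/null || return 77
    GNUPGHOME="$work/maintainer" gpg --batch --armor --export > "$work/genuine.asc"
    GNUPGHOME="$work/impostor" gpg --batch --armor --export > "$work/impostor.asc"

    # User starts with an empty keyring: exactly the situation makepkg reports.
    export GNUPGHOME="$work/user"
    mkdir -m 700 "$GNUPGHOME"
    st=$(gpg_status --verify "$pkg.sig" "$pkg")
    has_status "$st" NO_PUBKEY || return 1
    echo "1. empty keyring: NO_PUBKEY $(printf '%s\n' "$st" | awk '$2 == "NO_PUBKEY" { print $3 }')"

    # Blindly importing the key a comment offers: the name is right but the
    # fingerprint is not, so the key goes straight back out.
    gpg --batch --quiet --import "$work/impostor.asc" 2>/dev/null
    got_fpr=$(primary_fingerprint)
    [ "$got_fpr" != "$valid_fpr" ] || return 1
    echo "2. fingerprint $got_fpr does not match expected $valid_fpr: rejected"
    gpg --batch --yes --delete-keys "$got_fpr" 2>/dev/null

    # The key from a second source matches the expected fingerprint: the signature
    # is good, yet gpg still reports the key as untrusted.
    gpg --batch --quiet --import "$work/genuine.asc" 2>/dev/null
    [ "$(primary_fingerprint)" = "$valid_fpr" ] || return 1
    st=$(gpg_status --verify "$pkg.sig" "$pkg")
    has_status "$st" GOODSIG && has_status "$st" TRUST_UNDEFINED || return 1
    echo "3. after import: GOODSIG but TRUST_UNDEFINED"

    # Trusting the key is the deliberate step the answers describe; here it is
    # recorded as ultimate ownertrust for exactly that fingerprint.
    printf '%s:6:\n' "$valid_fpr" | gpg --batch --quiet --import-ownertrust 2>/dev/null
    st=$(gpg_status --verify "$pkg.sig" "$pkg")
    has_status "$st" GOODSIG && has_status "$st" TRUST_ULTIMATE || return 1
    echo "4. after trusting: GOODSIG and TRUST_ULTIMATE"

    # A modified download fails even with the right, trusted key in place.
    printf 'tampered\n' >> "$pkg"
    st=$(gpg_status --verify "$pkg.sig" "$pkg")
    has_status "$st" BADSIG || return 1
    echo "5. tampered file: BADSIG"
)

run_demo
```

Exit status 77 means this gpg could not run the demo at all; 0 means every phase behaved as the transcript says.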