specify keyserver in install instructions #724

Merged
merged 2 commits into from
Jan 14, 2022

Conversation

aaronjanse (Member)

The NixOS signing key email is not verified on keys.openpgp.org, the default keyserver on Ubuntu and NixOS.

This causes the install verification instructions to not work for most users:

```
$ gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE
gpg: key 8170B4726D7198DE: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
$ gpg2 --verify ./install-nix-2.3.12.asc
gpg: assuming signed data in './install-nix-2.3.12'
gpg: Signature made Tue 01 Jun 2021 08:44:58 AM PDT
gpg:                using RSA key B541D55301270E0BCF15CA5D8170B4726D7198DE
gpg: Can't check signature: No public key
```

This PR adds a flag to the instructions to use the Ubuntu keyserver, which does work:

```
$ gpg2 --keyserver hkps://keyserver.ubuntu.com --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE
gpg: key 8170B4726D7198DE: public key "Eelco Dolstra <edolstra@gmail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg2 --verify ./install-nix-2.3.12.asc
gpg: assuming signed data in './install-nix-2.3.12'
gpg: Signature made Tue 01 Jun 2021 08:44:58 AM PDT
gpg:                using RSA key B541D55301270E0BCF15CA5D8170B4726D7198DE
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2023-05-30
gpg: Good signature from "Eelco Dolstra <edolstra@gmail.com>" [unknown]
gpg:                 aka "Eelco Dolstra <eelco.dolstra@tweag.io>" [unknown]
gpg:                 aka "Eelco Dolstra <eelco.dolstra@logicblox.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B541 D553 0127 0E0B CF15  CA5D 8170 B472 6D71 98DE
```

Alternatively, @edolstra could verify the key's email on keys.openpgp.org. I think this can be done via keys.openpgp.org/manage.

P.S. Thank you to @ethanhs, who encountered this while installing Nix, for figuring out the solution.
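
The two outcomes in the description above ("No public key" versus "Good signature" with an uncertified-key warning) can be told apart in a script by reading GnuPG's machine-readable status lines and comparing against the pinned fingerprint. This is an added example, not part of the PR or of the Nix install instructions; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Fingerprint pinned from the PR description above.
NIX_KEY_FPR=B541D55301270E0BCF15CA5D8170B4726D7198DE

# classify_status FPR: read `gpg --status-fd` lines on stdin and print one of
#   ok         every VALIDSIG line names FPR as the primary key
#   wrong-key  a valid signature, but made by some other key
#   no-pubkey  gpg had no usable public key (e.g. the import was skipped)
#   bad        BADSIG, or no verdict line at all
# The exit status is 0 only for "ok".
classify_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]"  { next }
        $2 == "VALIDSIG"  { if ($NF == want) ok = 1; else other = 1 }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "NO_PUBKEY" { nokey = 1 }
        END {
            if (bad)                verdict = "bad"
            else if (other)         verdict = "wrong-key"
            else if (ok)            verdict = "ok"
            else if (nokey)         verdict = "no-pubkey"
            else                    verdict = "bad"
            print verdict
            exit (verdict == "ok" ? 0 : 1)
        }'
}

# verify_installer FILE.asc: fetch the key from the keyserver this PR names,
# then take the verdict from the status lines of the verify step, so a key
# that was fetched but skipped on import still ends in "no-pubkey".
verify_installer() {
    gpg2 --keyserver hkps://keyserver.ubuntu.com --recv-keys "$NIX_KEY_FPR"
    gpg2 --status-fd 1 --verify "$1" 2>/dev/null | classify_status "$NIX_KEY_FPR"
}

# Constructed status output for the two outcomes shown in the PR description
# (illustrative field values, not captured from a real run).
sample_good() {
    printf '%s\n' "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 8170B4726D7198DE Eelco Dolstra <edolstra@gmail.com>" \
        "[GNUPG:] VALIDSIG $NIX_KEY_FPR 2021-06-01 1622562298 0 4 0 1 8 00 $NIX_KEY_FPR"
}
sample_no_key() {
    printf '%s\n' "[GNUPG:] NEWSIG" \
        "[GNUPG:] ERRSIG 8170B4726D7198DE 1 8 00 1622562298 9 $NIX_KEY_FPR" \
        "[GNUPG:] NO_PUBKEY 8170B4726D7198DE"
}
```

Usage: `verify_installer ./install-nix-2.3.12.asc` prints the verdict and exits non-zero unless the signature was made by the pinned key.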

Mic92 (Member) commented Jul 17, 2021

@garbas I don't think we need to wait for Eelco's approval here. It's easy to verify that the current approach does not always work:

NixOS/nixos-weekly#153

blitz commented Jul 22, 2021

I've tried this:

```
% gpg2 --keyserver hkps://keyserver.ubuntu.com --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE
gpg: keyserver receive failed: Server indicated a failure
```

Is this a problem in my setup?

Mic92 (Member) commented Jul 22, 2021

> I've tried this:
>
> ```
> % gpg2 --keyserver hkps://keyserver.ubuntu.com --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE
> gpg: keyserver receive failed: Server indicated a failure
> ```
>
> Is this a problem in my setup?

Yes. This command was working for me and a few others.

blitz commented Jul 22, 2021

@Mic92 Also querying the web frontend gives me the same error: http://keyserver.ubuntu.com/pks/lookup?search=B541D55301270E0BCF15CA5D8170B4726D7198DE&fingerprint=on&op=index

Not Found

Mic92 (Member) commented Jul 22, 2021

garbas assigned garbas and unassigned edolstra Jan 14, 2022
garbas self-requested a review January 14, 2022 00:07
garbas merged commit d9856e8 into NixOS:master Jan 14, 2022

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2022-01-19-marketing-meeting-minutes/17209/1

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/tweag-nix-dev-update-24/17230/1
