mkosi git signing key unusable #2219

Closed
adrelanos opened this issue Dec 28, 2023 · 4 comments
@adrelanos

It's good that it's signed...

git tag -v v19                                                              
object bbe715f42911f9660712377a5b39335b9391ae22
type commit
tag v19
tagger Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 1700043352 +0100

mkosi 19
gpg: Signature made Wed 15 Nov 2023 05:15:52 AM EST
gpg:                using RSA key 5C251B5FC54EB2F80F407AAAC54CA336CFEB557E
gpg: Can't check signature: No public key
zsh: exit 1     git tag -v v19

but impossible to find the signing key.

https://fedoraproject.org/wiki/User:Zbyszek links to https://keys.openpgp.org/search?q=C54CA336 but that link is broken.

https://keys.openpgp.org/search?q=5C251B5FC54EB2F80F407AAAC54CA336CFEB557E works but when attempting to import the key I get:

gpg --import a   
gpg: key C54CA336CFEB557E: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

A wild theory is that keys.openpgp.org removes key ids if the e-mail address is not confirmed.

https://api.github.com/users/keszybz/gpg_keys also isn't useful.

"raw_key": null,

Maybe https://unix.stackexchange.com/questions/614670/import-pgp-keys-with-no-user-id-into-gpg would work as a solution but I suppose this isn't how it's imagined what should be done.
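The failure above is gpg refusing a key that arrived without any user ID. The following pre-import check (an added example, not part of the mkosi project or this issue) parses a `gpg --with-colons` dry-run listing and rejects a key whose primary fingerprint differs from the one you expect, or which carries no user ID, before anything is written to the keyring. The sample listings are constructed, and `list_key_file` assumes a `gpg` binary on PATH.

```python
import subprocess

# Fingerprint quoted in the issue: the primary key used to sign the v19 tag.
EXPECTED_FPR = "5C251B5FC54EB2F80F407AAAC54CA336CFEB557E"

def parse_colons(listing: str) -> dict:
    """Extract the primary fingerprint and user IDs from `gpg --with-colons` output."""
    info = {"primary_fpr": None, "uids": []}
    want_primary = False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            want_primary = True           # the next fpr record belongs to the primary key
        elif f[0] == "fpr" and want_primary:
            info["primary_fpr"] = f[9].upper()   # field 10 of an fpr record is the fingerprint
            want_primary = False
        elif f[0] == "uid":
            info["uids"].append(f[9])     # field 10 of a uid record is the user ID string
    return info

def check_key(listing: str, expected_fpr: str) -> tuple:
    """Return (ok, reason); fails on a missing key, wrong fingerprint or UID-less key."""
    info = parse_colons(listing)
    if info["primary_fpr"] is None:
        return (False, "no public key in listing")
    if info["primary_fpr"] != expected_fpr.upper():
        return (False, "fingerprint mismatch")
    if not info["uids"]:
        return (False, "key has no user ID")
    return (True, "ok")

def list_key_file(path: str) -> str:
    """Dry-run import: gpg prints the colon listing without storing the key."""
    cmd = ["gpg", "--with-colons", "--import-options", "show-only", "--import", path]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

# Constructed sample listings (dates and uid hash are made up, not captured output).
STRIPPED_KEY = (
    "pub:-:4096:1:C54CA336CFEB557E:1318337212:::-:::escaESCA::::::23::0:\n"
    "fpr:::::::::5C251B5FC54EB2F80F407AAAC54CA336CFEB557E:\n"
)
FULL_KEY = STRIPPED_KEY + (
    "uid:-::::1318337212::ABCDEF0123456789ABCDEF0123456789ABCDEF01::"
    "Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>::::::::::0:\n"
)

if __name__ == "__main__":
    print(check_key(STRIPPED_KEY, EXPECTED_FPR))   # what the keyserver copy in the issue looks like
    print(check_key(FULL_KEY, EXPECTED_FPR))
```

Run `check_key(list_key_file("key.asc"), EXPECTED_FPR)` on a downloaded key to get the same verdict for a real file.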


@DaanDeMeyer DaanDeMeyer added the bug label Jan 2, 2024
@keszybz
Member

keszybz commented Jan 9, 2024

Jesus. AFAIR, I just created the key in the recommended fashion and there is nothing special about it. There are two possibilities: either it was always wrong and for the last 12 years nobody attempted to check any of the signatures, or something changed in the software and it's now making the key harder to use. I would say the changes are 50/50.

https://fedoraproject.org/wiki/User:Zbyszek#GPG_key now has the ascii-armored key. HTH.

If somebody tells me what to do to fix keys.openpgp.org or api.github.com, I'd be happy to do it, but I don't want to spend time on the research into designed-to-fail pgp software ecosystem.

@adrelanos
Author

either it was always wrong and for the last 12 years nobody attempted to check any of the signatures,

This one, I think, no. I've searched for 5C251B5FC54EB2F80F407AAAC54CA336CFEB557E and found some PKGBUILD files referencing it. So unless these PKGBUILD files are actually broken and not doing verification or skipping it if broken... It seems that at least some people in the past managed to use your key. Maybe that was before keys.openpgp.org started removing unverified uids / e-mail addresses.

Jesus. AFAIR, I just created the key in the recommended fashion and there is nothing special about it.
or something changed in the software and it's now making the key harder to use.
If somebody tells me what to do to fix keys.openpgp.org or api.github.com,

Actually I just now noticed that my key has the same issue on keys.openpgp.org. My key was there with "Non-identity information". To fix this, I had to upload my key.

You can do that here by uploading the .asc:
https://keys.openpgp.org/upload

You are then prompted to verify your e-mail address, which is keys.openpgp.org sending you an e-mail. Once you copy/paste that link into your browser and click "please click here" (probably a noscript issue), that should be resolved.

Seems a simple process - once you know it. Happy to help.

(They also have a way to remove e-mail addresses in case you ever need that.)

https://fedoraproject.org/wiki/User:Zbyszek#GPG_key now has the ascii-armored key. HTH.

That helps a lot, works for me, thank you!

@DaanDeMeyer
Contributor

DaanDeMeyer commented Jan 12, 2024

Let's close this as @keszybz's key is now available and the latest release is signed by @bluca, whose key should be in order.

@keszybz
Member

keszybz commented Jan 23, 2024

Thank you. I did the procedure and now the key can be imported correctly:

$ wget https://keys.openpgp.org/vks/v1/by-fingerprint/5C251B5FC54EB2F80F407AAAC54CA336CFEB557E
...
Saving to: ‘5C251B5FC54EB2F80F407AAAC54CA336CFEB557E’
$ gpg --import 5C251B5FC54EB2F80F407AAAC54CA336CFEB557E
gpg: key C54CA336CFEB557E: public key "Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>" imported
gpg: Total number processed: 1
gpg:               imported: 1
