Issue 19100 - install.sh signature verification fails, no public key
Status: RESOLVED FIXED
Alias: None
Product: D
Classification: Unclassified
Component: installer
Version: D2
Hardware: All All
Importance: P1 major
Assignee: No Owner
Reported: 2018-07-19 19:07 UTC by Jonathan Marler
Modified: 2018-11-25 16:37 UTC
Description Jonathan Marler 2018-07-19 19:07:11 UTC
For some reason install.sh signature verification is failing on my Ubuntu machine. I've tried installing multiple versions but all of them fail. When I modify the gpg verification command to print stderr, I get the following message:

gpg2 -q --verify --keyring /home/marler8997/dlang/d-keyring.gpg --no-default-keyring /dev/fd/63 /home/marler8997/dlang/.installer_tmp_4DmvFx/fws8WG/dmd.2.081.1.linux.tar.xz
gpg: Signature made Tue 10 Jul 2018 02:47:37 PM MDT using RSA key ID 12BB1939
gpg: Can't check signature: No public key

The contents of d-keyring.gpg are the following:

hexdump /home/marler8997/dlang/d-keyring.gpg 
0000000 0000 2000 0101 0200 424b 6658 0000 0000
0000010 505b 4e86 505b 4e86 0000 0000 0000 0000
0000020
Comment 1 Seb 2018-07-19 21:43:00 UTC
Did you upgrade the keyring or install.sh within the last year?
We upgraded the keyring in January this year and you might still have an old one.
Comment 2 Jonathan Marler 2018-08-10 16:42:08 UTC
Saw a post on the forum that someone else had this issue.

To answer Seb's question, I'm not familiar with Ubuntu's "keyring". This happened on a new machine that I had just installed Ubuntu 16.04 LTS on. And install.sh was also brand new, downloaded from the site.
Comment 3 Seb 2018-08-10 19:06:57 UTC
> To answer Seb's question, I'm not familiar with Ubuntu's "keyring"

And you don't need to. We don't use it. We ship our own keyring on the initial download, which is at ~/dlang/d-keyring.gpg

You can do the following to check the current keyring:

> gpg --no-default-keyring --keyring ~/dlang/d-keyring.gpg --list-keys

You should see output similar to that on https://dlang.org/gpg_keys.html
Also:

> sha256sum ~/dlang/d-keyring.gpg
4de1bb6028bb1e3d4eefd9e1a1651ad6c372ead0482b63e3aafdfdc0fbb48dbd  /home/seb/dlang/d-keyring.gpg

Are you still experiencing this issue?
Comment 4 Jonathan Marler 2018-08-13 17:07:21 UTC
Seb has a fix here: https://github.com/dlang/installer/pull/338
Comment 5 Seb 2018-08-13 17:14:01 UTC
After debugging this for a while with Jonathan, the problem seemed to be that the install.sh script was manually installed to ~/dlang/install.sh, and the check for a keyring upgrade only checks for the existence of ~/dlang/install.sh and not ~/dlang/d-keyring.gpg.

Also, gpg seems to create a default keyring with 32B if no keyring exists (i.e. the passed file doesn't exist).

A fix:

https://github.com/dlang/installer/pull/338
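
The failure mode described in Comment 5, as an added example that is not part of the original thread and is not the installer's own code or the change in the linked pull request: a pre-verification check that treats a missing keyring and the 32-byte stub from the hexdump in the description as the same condition, independent of whether install.sh exists. The function names, return codes and the fetch command are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example; function names and return codes are chosen here, not the installer's.

# keyring_state FILE -> 0 usable, 1 missing, 2 empty keybox stub
keyring_state() {
    local keyring size magic
    keyring=$1
    [ -f "$keyring" ] || return 1
    size=$(wc -c < "$keyring" | tr -d ' ')
    # The stub in the report is 32 bytes with the magic "KBXf" at offset 8.
    magic=$(dd if="$keyring" bs=1 skip=8 count=4 2>/dev/null | tr -d '\000')
    if [ "$size" -eq 32 ] && [ "$magic" = "KBXf" ]; then
        return 2
    fi
    return 0
}

# ensure_keyring FILE FETCH_CMD: decide from the keyring itself, not from
# whether install.sh exists. FETCH_CMD is a hypothetical caller-supplied
# command that writes a fresh keyring to the path given as its argument.
ensure_keyring() {
    local keyring fetch rc
    keyring=$1 fetch=$2 rc=0
    keyring_state "$keyring" || rc=$?
    case $rc in
        0) return 0 ;;
        1) echo "keyring missing: $keyring" >&2 ;;
        2) echo "empty keyring stub, discarding: $keyring" >&2
           rm -f -- "$keyring" ;;
    esac
    "$fetch" "$keyring" && keyring_state "$keyring"
}

# Constructed sample: the 32 bytes from the hexdump in the description,
# with hexdump's 16-bit little-endian word order undone.
write_stub() {
    printf '\000\000\000\040\001\001\000\002KBXf\000\000\000\000' > "$1"
    printf '\133\120\206\116\133\120\206\116\000\000\000\000\000\000\000\000' >> "$1"
}
```

Passing this check only means the file is not absent or empty; whether it holds the expected keys is still answered by the --list-keys comparison from Comment 3.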
Comment 6 github-bugzilla 2018-08-13 17:50:21 UTC
Commit pushed to master at https://github.com/dlang/installer

https://github.com/dlang/installer/commit/bae1b3480a51991a0d014d4232102ee990c8ba3a
Fix Issue 19100 - install.sh signature verification fails, no public key