
Re: Verifying GPG keys for Ubuntu install



Hi Graham,

Thanks for the speedy reply!

> Could you please try the same commands?

I see the same output as you have.

> WARNING: this morning, I re-discovered that if you already have a
> tarsnap-deb-packaging-key.asc file in your directory, then wget will save the
> new file to tarsnap-deb-packaging-key.asc.1 instead of overwriting the
> existing file.  So if you already have the 2021 version of the key, that can
> spark a lot of confusion.

This was exactly the problem!  I did not realise that I already had the old key in the directory I was working in. Apologies for the silly error!

Having the year in the name would definitely have solved my particular issue, but I can see that this would also be an extra maintenance overhead for you guys.

Thanks,

Brian



On 21/01/2022 22:13, Graham Percival wrote:
Thanks for the report!  Yes, the tarsnap archive keys recently changed -- we
update them every year in January.  I think that I updated all relevant parts
of the website, but I'm always willing to believe that I screwed something up.

Alternate source, if you want more confirmation than a mere email:
https://mobile.twitter.com/cperciva/status/1484314545199796225


When I do:
$ wget https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
$ gpg tarsnap-deb-packaging-key.asc

I see:

gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2021-10-26 [SC] [expires: 2023-02-01]
       C8AC97032A76382306D2A315B364F774EAC3C4DF
uid           Tarsnap .deb packages signing key (Tarsnap Backup Inc.) <pkg-deb@tarsnap.com>


Could you please try the same commands?

WARNING: this morning, I re-discovered that if you already have a
tarsnap-deb-packaging-key.asc file in your directory, then wget will save the
new file to tarsnap-deb-packaging-key.asc.1 instead of overwriting the
existing file.  So if you already have the 2021 version of the key, that can
spark a lot of confusion.

I'm wondering if we should stick the year in the filename.  That means that
the copy&paste instructions would have to change each year (which is why we
didn't do this before), but the annual key rotation bites a few people every
year.

Cheers,
- Graham

On Fri, Jan 21, 2022 at 10:00:47PM +0000, Brian Foley wrote:
Hi All,


I am following these instructions to install tarsnap on ubuntu:
https://www.tarsnap.com/pkg-deb.html


The instructions say:

gpg --list-packets tarsnap-deb-packaging-key.asc | grep signature

:signature packet: algo 1, keyid B364F774EAC3C4DF

:signature packet: algo 17, keyid 38CECA690C6A6A6E

The first keyid is the Tarsnap deb packaging key, while the second is
Colin Percival's key (0x38CECA690C6A6A6E). These keyid values should
match those on a public key server search for 0xB364F774EAC3C4DF
<https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0xB364F774EAC3C4DF>.



However, when I perform the same steps I get:

gpg --list-packets tarsnap-deb-packaging-key.asc | grep signature

:signature packet: algo 1, keyid BF75EEAB040E447C

:signature packet: algo 17, keyid 38CECA690C6A6A6E


Has the tarsnap GPG key changed?  If so, can the docs on the website be
updated for clarity?


Thanks,


Brian
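
The failure mode in this thread (wget saving the new key as tarsnap-deb-packaging-key.asc.1 beside an older copy, so gpg inspects the stale file) can be checked mechanically. The script below is an added example, not part of the original emails or of Tarsnap's instructions; the function names and the --fetch switch are hypothetical, and the expected keyids are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example. URL and keyids are those quoted in the thread (January 2022);
# function names and the --fetch switch are hypothetical.
KEY_URL="https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc"
EXPECTED_KEYIDS="B364F774EAC3C4DF 38CECA690C6A6A6E"

# Print the numbered copies (file.1, file.2, ...) that wget leaves beside an
# existing file. If any exist, "gpg file" inspected the older download.
stale_copies() {
    for f in "$1".[0-9]*; do
        if [ -e "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Read `gpg --list-packets` output on stdin; print signature keyids in order.
signature_keyids() {
    sed -n 's/^:signature packet: algo [0-9]*, keyid \([0-9A-Fa-f]*\).*/\1/p'
}

# Succeed only if the keyids found on stdin equal the expected list ($1).
keyids_match() {
    got=$(signature_keyids | tr '\n' ' ' | sed 's/ *$//')
    [ "$got" = "$1" ]
}

# Download into an empty temporary directory so that no older copy can shadow
# the new key, then compare its signature keyids with the expected ones.
fetch_and_check() {
    dir=$(mktemp -d) || return 1
    wget -q -O "$dir/key.asc" "$KEY_URL" || return 1
    gpg --list-packets "$dir/key.asc" | keyids_match "$EXPECTED_KEYIDS"
}

# The networked check runs only when requested: sh check-key.sh --fetch
if [ "${1:-}" = "--fetch" ]; then
    stale_copies "tarsnap-deb-packaging-key.asc"
    if fetch_and_check; then
        echo "keyids match"
    else
        echo "keyid MISMATCH" >&2
        exit 1
    fi
fi
```

Because the key is rotated every January, EXPECTED_KEYIDS has to be updated from the instructions page after each rotation.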