Re: Verifying GPG keys for Ubuntu install

[Brian Foley <brianf@sindar.net>]

Hi Graham,

Thanks for the speedy reply!

> Could you please try the same commands?

I see the same output as you have.

> WARNING: this morning, I re-discovered that if you already have a
> tarsnap-deb-packaging-key.asc file in your directory, then wget will 
save the
> new file to tarsnap-deb-packaging-key.asc.1 instead of overwriting the
> existing file.  So if you already have the 2021 version of the key, 
that can
> spark a lot of confusion.

This was exactly the problem!  I did not realise that i already had the 
old key in the directory I was working in. Apologies for the silly error!

Having the year in the name would definitely have solved my particular 
issue, but I can see that this would also be an extra maintenance 
overhead for you guys.

Thanks,

Brian



On 21/01/2022 22:13, Graham Percival wrote:
> Thanks for the report!  Yes, the tarsnap archive keys recently changed -- we
> update them every year in January.  I think that I updated all relevant parts
> of the website, but I'm always willing to believe that I screwed something up.
>
> Alternate source, if you want more confirmation than a mere email:
> https://mobile.twitter.com/cperciva/status/1484314545199796225
>
>
> When I do:
> $ wget https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
> $ gpg tarsnap-deb-packaging-key.asc
>
> I see:
>
> gpg: WARNING: no command supplied.  Trying to guess what you mean ...
> pub   rsa4096 2021-10-26 [SC] [expires: 2023-02-01]
>        C8AC97032A76382306D2A315B364F774EAC3C4DF
> uid           Tarsnap .deb packages signing key (Tarsnap Backup Inc.) <pkg-deb@tarsnap.com>
>
>
> Could you please try the same commands?
>
> WARNING: this morning, I re-discovered that if you already have a
> tarsnap-deb-packaging-key.asc file in your directory, then wget will save the
> new file to tarsnap-deb-packaging-key.asc.1 instead of overwriting the
> existing file.  So if you already have the 2021 version of the key, that can
> spark a lot of confusion.
>
> I'm wondering if we should stick the year in the filename.  That means that
> the copy&paste instructions would have to change each year (which is why we
> didn't do this before), but the annual key rotation bites a few people every
> year.
>
> Cheers,
> - Graham
>
> On Fri, Jan 21, 2022 at 10:00:47PM +0000, Brian Foley wrote:
> > Hi All,
> >
> >
> > I am following these instructions to install tarsnap on ubuntu:
> > https://www.tarsnap.com/pkg-deb.html
> >
> >
> > The instructions say:
> >
> > gpg --list-packets tarsnap-deb-packaging-key.asc | grep signature
> >
> > :signature packet: algo 1, keyid B364F774EAC3C4DF
> >
> > :signature packet: algo 17, keyid 38CECA690C6A6A6E
> >
> > The first keyid is the Tarsnap deb packaging key, while the second is
> > Colin Percival's key (|0x38CECA690C6A6A6E|). These keyid values should
> > match those on a public key server search for 0xB364F774EAC3C4DF
> > <https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0xB364F774EAC3C4DF>.
> >
> >
> >
> > However, when I perform the same steps I get:
> >
> > gpg --list-packets tarsnap-deb-packaging-key.asc | grep signature
> >
> > :signature packet: algo 1, keyid BF75EEAB040E447C
> >
> > :signature packet: algo 17, keyid 38CECA690C6A6A6E
> >
> >
> > Has the tarsnap GPG key changed?  If so, can the docs on the website be
> > updated for clarity?
> >
> >
> > Thanks,
> >
> >
> > Brian