Can't check signature: public key not found
G

8

113

I try to decrypt a file using the following command:

gpg --output file.txt --decrypt file.pgp

The file is decrypted successfully but I get an error:

"gpg: Can't check signature: public key not found"

Any idea why I get this error?

Griffith answered 1/8, 2014 at 7:16 Comment(0)
S
74

You get that error because you don't have the public key of the person who signed the message.

gpg should have given you a message containing the ID of the key that was used to sign it. Obtain the public key from the person who encrypted the file and import it into your keyring (gpg2 --import key.asc); you should be able to verify the signature after that.

If the sender submitted its public key to a keyserver (for instance, https://pgp.mit.edu/), then you may be able to import the key directly from the keyserver:

gpg2 --keyserver https://pgp.mit.edu/ --search-keys <sender_name_or_address>
Spikelet answered 1/8, 2014 at 7:19 Comment(9)
So why could I decrypt this file? - Griffith
Because gpg doesn't require you to verify the signature in order to decrypt. - Spikelet
How do I import the public key once I have it? E.g., how do I import the public keys at gnupg.org/signature_key.html? - Gayegayel
If you're using the command-line tools, copy the public key to a file, then use gpg --import key.txt. - Spikelet
This is happening to me with a file I signed myself. gpg -k lists my public key. Any ideas? - Ezra
This doesn't tell the whole story. With dsc I get the same message, and the key it mentions shows up after gpg --list-keys. There must be more to it, something with trust maybe. - Transmitter
I just had a similar issue and --keyserver https://pgp.mit.edu/ didn't work for me, but --keyserver hkps://pgp.mit.edu/ did. - Sweetie
I am new to PGP and I am a little confused about why the public key is needed. The file is signed with my public key, which I have provided to the other party, and I should be able to use my private key to decrypt it, right? - Boondocks
@Boondocks - The file is both signed and encrypted. The encryption means that no one else can see the plaintext; decrypting it requires your private key. The signature ensures that you can detect if anyone tampered with the file and can verify who sent it; verifying the signature requires the sender's public key. - Spikelet
G
41

You need the public key in your gpg key ring. To import the public key into your public keyring, place the public key block in a text file with a .gpg extension, and then issue the following command:

gpg --import <your-file>.gpg

The entity that encrypted the file should provide you with such a block. For example, ftp://ftp.gnu.org/gnu/gnu-keyring.gpg has the block for gnu.org.

For an even more in-depth explanation see Verifying files with GPG, without a .sig or .asc file?

Gayegayel answered 22/10, 2015 at 22:45 Comment(3)
Is it possible to import an unknown public key automatically when verifying the signed message? - Hildredhildreth
No idea, sorry. On the surface it seems like you should be able to script pretty much anything to accomplish it "automatically." - Gayegayel
@Hildredhildreth it can be done, see my answer below. - Extort
L
35

There is a similar problem. It is a Tomcat digital signature.

$ gpg --verify apache-tomcat-9.0.16-windows-x64.zip.asc apache-tomcat-9.0.16-windows-x64.zip
gpg: Signature made 2019年02月 5日  0:32:50
gpg:                using RSA key A9C5DF4D22E99998D9875A5110C01C5A2F6059E7
gpg: Can't check signature: No public key

But then I use the RSA key it provided to receive the public key to verify.

$ gpg --receive-keys A9C5DF4D22E99998D9875A5110C01C5A2F6059E7
gpg: key 10C01C5A2F6059E7: 38 signatures not checked due to missing keys
gpg: key 10C01C5A2F6059E7: public key "Mark E D Thomas <[email protected]>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

Then it succeeds.

$ gpg --verify apache-tomcat-9.0.16-windows-x64.zip.asc
gpg: assuming signed data in 'apache-tomcat-9.0.16-windows-x64.zip'
gpg: Signature made 2019年02月 5日  0:32:50
gpg:                using RSA key A9C5DF4D22E99998D9875A5110C01C5A2F6059E7
gpg: Good signature from "Mark E D Thomas <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A9C5 DF4D 22E9 9998 D987  5A51 10C0 1C5A 2F60 59E7
Liegnitz answered 10/3, 2019 at 14:43 Comment(3)
I'm getting: gpg: keyserver receive failed: Server indicated a failure. Do I need to configure a key server? - Homeless
The Ubuntu keyserver helped me; it can also search keys: keyserver.ubuntu.com - Stockpile
Regarding gpg --receive-keys A9C...: without specifying a key server, it may default to a key server without a user ID ("gpg: key ...9E7: new key but contains no user ID - skipped "), causing gpg to skip the import (see superuser.com/a/1485255/137881 ). If this happens, specify another key server which includes a user ID, e.g. gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys A9C.... - Logan
E
2

I got the same message but my files are decrypted as expected. Please check in your destination path whether you can see the output file.

Educate answered 5/7, 2018 at 19:2 Comment(0)
H
0

If you know that your signature is right, you can bypass gpg and test it manually:

Here I used sha256sum to validate my Debian live ISO:

$ sha256sum debian-live-11.2.0-amd64-standard.iso | grep dd0dbffdb9c53ee8a35f869e95111a50e231a1800977dfd1604b64a0525709c9
dd0dbffdb9c53ee8a35f869e95111a50e231a1800977dfd1604b64a0525709c9  debian-live-11.2.0-amd64-standard.iso
Habitation answered 22/3, 2022 at 18:38 Comment(3)
And how did you know the hash was supposed to be dd0dbffdb9c53ee8a35f869e95111a50e231a1800977dfd1604b64a0525709c9? - Homeless
It's listed on the website you can download your file from usually, but there are issues with this approach alone. If an attacker compromises the server and fakes "trusted" SSL using a fake authority, this will be insecure. I searched for the sum and the filename to find mirrors such as this one to verify the sum to be valid. - Habitation
Nothing about this answer is helpful. - Extort
V
0

If you are on Debian, just try:

sudo apt-get install debian-keyring debian-archive-keyring

sudo apt-key update

sudo apt-get update

Then run your command:

gpg --output file.txt --decrypt file.pgp
Verdugo answered 11/4, 2022 at 14:23 Comment(0)
E
0

You may need to import a public key in order to validate. In this case I downloaded both files from open source. Here my variables represent the respective filenames, both .tar.gz and .tar.gz.asc

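#!/usr/bin/env bash
# driver_asc and driver_filename must already hold the .tar.gz.asc and .tar.gz paths

# get the signing key ID from the asc file
# (LC_ALL=C keeps gpg's messages in English so the grep patterns match)
rsa_key=$(LC_ALL=C gpg --verify "$driver_asc" "$driver_filename" 2>&1 | grep RSA | awk '{print $5}')

# import the public key from a keyserver
# (--import expects a key file; a key ID has to be fetched with --recv-keys)
gpg --recv-keys "$rsa_key"

# verify valid signature
VERIFIED=$(LC_ALL=C gpg --verify "$driver_asc" "$driver_filename" 2>&1 | grep 'Good signature')

# handle results
if [[ $VERIFIED ]]; then
    echo "gpg key verified. Installing..."
    # do stuff with file, gunzip etc.
else
    echo "gpg key cannot be verified. Aborting installation"
    exit 1
fi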
Extort answered 2/3, 2023 at 23:10 Comment(0)
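
Two points from this page, that decryption succeeds independently of signature verification (Spikelet's answer) and that a script has to decide whether a signature is acceptable (the script directly above), can be read from gpg's machine-readable --status-fd output rather than from its localized messages. The following is an added example, not code from any answer here; the pinned fingerprint, key ID and status lines are constructed sample values, and it assumes you obtained the signer's fingerprint out of band.

```shell
#!/usr/bin/env bash
# Added example. Reads gpg --status-fd lines on stdin, e.g. produced by:
#   gpg --status-fd 3 --output file.txt --decrypt file.pgp 3>status.txt
# $1 = signer fingerprint obtained out of band (assumption: you have one).
classify_gpg_status() {
    local pinned="$1" prefix tag a1 rest last
    local decrypted=no sig=none fpr="" missing=""
    while read -r prefix tag a1 rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$tag" in
            DECRYPTION_OKAY) decrypted=yes ;;
            NO_PUBKEY) missing="$a1"
                       if [ "$sig" = none ]; then sig=nokey; fi ;;
            BADSIG)    sig=bad ;;
            VALIDSIG)  if [ "$sig" != bad ]; then sig=valid; fi
                       # The trailing primary-key fingerprint may be absent;
                       # fall back to the signing-key fingerprint (first field).
                       last="${rest##* }"
                       if [ "${#last}" -ge 32 ]; then fpr="$last"; else fpr="$a1"; fi ;;
        esac
    done
    case "$sig" in
        valid)
            if [ "$fpr" = "$pinned" ]; then
                echo "decrypted=$decrypted signature=verified signer=$fpr"; return 0
            fi
            echo "decrypted=$decrypted signature=wrong-signer signer=$fpr"; return 1 ;;
        bad)   echo "decrypted=$decrypted signature=bad"; return 1 ;;
        nokey) echo "decrypted=$decrypted signature=unverified missing_key=$missing"; return 2 ;;
        *)     echo "decrypted=$decrypted signature=absent"; return 3 ;;
    esac
}

# Constructed status output (not captured from a real gpg run).
PINNED_FPR=0123456789ABCDEF0123456789ABCDEF01234567
STATUS_NO_KEY='[GNUPG:] DECRYPTION_OKAY
[GNUPG:] ERRSIG 89ABCDEF01234567 1 8 00 1700000000 9 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] NO_PUBKEY 89ABCDEF01234567'
STATUS_GOOD='[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2023-11-14 1700000000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

printf '%s\n' "$STATUS_NO_KEY" | classify_gpg_status "$PINNED_FPR" || true
printf '%s\n' "$STATUS_GOOD"   | classify_gpg_status "$PINNED_FPR" || true
```

The first sample is the situation in the question: the plaintext was written, but nothing is known about who signed it until the missing key is imported and its fingerprint compared.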
P
-1

I faced this during repo init; I had to update the PATH variable on my Linux machine, and that resolved it.

PATH=~/bin:$PATH

Pickaback answered 4/5, 2021 at 13:5 Comment(0)
