Installer not working: Can't check signature: No public key

[dlangBugzillaToGithub]

Robert reported this on 2024-02-13T07:14:12Z

Transferred from https://issues.dlang.org/show_bug.cgi?id=24392

CC List

• Martin Nowak (@MartinNowak)
• Iain Buclaw (@ibuclaw)
• Matthew Cook
• Robert

Description

I cannot install D because the installer is failing right away when trying to verify the install.sh script:

robert@fedora:~$ curl -fsS https://dlang.org/install.sh | bash -s dmd
Downloading https://dlang.org/d-keyring.gpg
######################################################################## 100.0%
Downloading https://dlang.org/install.sh
######################################################################## 100.0%
gpg: Signature made Mon 02 Jan 2023 01:47:04 PM CET
gpg:                using RSA key 30AE2FC45DE4153268ED91754CF5FA5326CC62EB
gpg: Can't check signature: No public key
Invalid signature https://dlang.org/install.sh.sig

I am on Fedora 39 (I know there is an RPM but I still wanted to report this bug).

[dlangBugzillaToGithub]

code (@MartinNowak) commented on 2024-08-07T16:03:26Z

Due to https://github.com/dlang/dlang.org/pull/3769#issuecomment-2273811808 not signing the updated keyring.

[dlangBugzillaToGithub]

code (@MartinNowak) commented on 2024-08-07T16:04:41Z

(In reply to Martin Nowak from comment #1)
> Due to https://github.com/dlang/dlang.org/pull/3769#issuecomment-2273811808
> not signing the updated keyring.

A workaround is to import the updated key manually for now.

`gpg --recv-keys E22EC04C82780970381402F4A7D4D42F8EC6A355`

[dlangBugzillaToGithub]

code (@MartinNowak) commented on 2024-09-25T15:21:35Z

More specifically, the keyring was updated by now, but it wasn't signed with any of the existing keys, hence `install.sh update` might fail verifying the new d-keyring. Maybe we should skip that verification step to not complicate bootstrapping that much.

> A workaround is to import the updated key manually for now.
> `gpg --recv-keys E22EC04C82780970381402F4A7D4D42F8EC6A355`

Actually that should update the dlang keyring, not the default one.

`gpg --keyring ~/dlang/d-keyring.gpg --no-default-keyring --recv-keys E22EC04C82780970381402F4A7D4D42F8EC6A355`

[dlangBugzillaToGithub]

code (@MartinNowak) commented on 2024-09-25T15:23:12Z

*** Issue 24767 has been marked as a duplicate of this issue. ***

[robertschulze]

This appears to not be working anymore:

[root@pve-onedrive ~]# curl -fsS https://dlang.org/install.sh | bash -s dmd
Downloading https://dlang.org/d-keyring.gpg
######################################################################## 100.0%
Downloading https://dlang.org/install.sh
######################################################################## 100.0%
gpg: Signature made Mon Apr  1 20:02:30 2024 UTC
gpg:                using RSA key E22EC04C82780970381402F4A7D4D42F8EC6A355
gpg: Can't check signature: No public key
Invalid signature https://dlang.org/install.sh.sig
[root@pve-onedrive ~]# gpg --keyring ~/dlang/d-keyring.gpg --no-default-keyring --recv-keys E22EC04C82780970381402F4A7D4D42F8EC6A355
gpg: key 4CF5FA5326CC62EB: public key "Iain Buclaw <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
[root@pve-onedrive ~]# curl -fsS https://dlang.org/install.sh | bash -s dmd
Downloading https://dlang.org/d-keyring.gpg
######################################################################## 100.0%
gpg: Signature made Mon Feb 13 22:52:51 2023 UTC
gpg:                using RSA key E22EC04C82780970381402F4A7D4D42F8EC6A355
gpg: BAD signature from "Iain Buclaw <[email protected]>" [expired]
Invalid signature https://dlang.org/d-keyring.gpg.sig
[root@pve-onedrive ~]# 

[robertschulze]

What I did:

[root@pve-onedrive ~]# cd dlang
[root@pve-onedrive dlang]# rm d-keyring.gpg 
[root@pve-onedrive dlang]# wget https://dlang.org/d-keyring.gpg.sig

Probably highly insecure but at least it worked...

[chenzhekl]

The same problem happened to me. Is D really dead to the point that the official installer is kind of abandoned...

[dkorpel]

Can you post the exact error, and the output of cd ~/dlang && gpg --show-keys ./d-keyring.gpg after running the install script? (Assuming you are installing in your home/dlang folder).

[chenzhekl]

Unfortunately, I am no longer using Linux with dlang. This is the error I got on macOS:

~ % curl -fsS https://dlang.org/install.sh | bash -s dmd

DMD does not have builds for macOS on aarch64/arm64 architecture.
Switching to x86_64 architecture (requires Rosetta).

Downloading https://dlang.org/d-keyring.gpg
######################################################################## 100.0%
Downloading https://dlang.org/install.sh
######################################################################## 100.0%
gpg: /Users/me/.gnupg/trustdb.gpg: trustdb created
gpg: Note: Specified keyrings are ignored due to option "use-keyboxd"
gpg: Signature made Tue Apr  2 05:02:30 2024 JST
gpg:                using RSA key E22EC04C82780970381402F4A7D4D42F8EC6A355
gpg: Can't check signature: No public key
Invalid signature https://dlang.org/install.sh.sig

~ % cd dlang

dlang % gpg --show-keys ./d-keyring.gpg
pub   rsa4096 2014-09-01 [SC] [expired: 2020-03-25]
      AFC7DB45693D62BB472BF27BAB8FE924C2F7E724
uid                      Martin Nowak (dawg) <[email protected]>
uid                      Martin Nowak <[email protected]>
uid                      Martin Nowak <[email protected]>
uid                      Martin Nowak <[email protected]>
sub   rsa4096 2015-02-27 [S] [expired: 2020-03-25]
sub   rsa4096 2014-09-01 [E] [expired: 2020-03-25]

gpg: WARNING: No valid encryption subkey left over.
pub   rsa2048 2016-01-29 [SC]
      BBED1B088CED7F958917FBE85004F0FAD051576D
uid                      Vladimir Panteleev <[email protected]>
sub   rsa2048 2016-01-29 [E]

pub   rsa4096 2015-11-24 [SC] [expires: 2026-03-23]
      8FDB8D357AF468A9428ACE3C2055F76601A36FB0
uid                      Sebastian Wilzbach <[email protected]>
uid                      Sebastian Wilzbach <[email protected]>
sub   rsa4096 2015-11-24 [E] [expired: 2020-11-22]

gpg: WARNING: No valid encryption subkey left over.
pub   rsa4096 2018-03-26 [SC] [expired: 2020-03-25]
      F77158814C19E5E07BA1079A65394AFEF4A68565
uid                      DLang Nightly (bot) <[email protected]>
sub   rsa4096 2018-03-26 [S] [expired: 2020-03-25]
sub   rsa4096 2018-03-26 [E] [expired: 2020-03-25]

gpg: WARNING: No valid encryption subkey left over.
pub   rsa4096 2020-03-12 [SC] [revoked: 2022-03-22]
      F46A10D0AB44C3D15DD65797BCDD73FFC3EB6146
uid                      Martin Nowak <[email protected]>
uid                      Martin Nowak <[email protected]>
uid                      Martin Nowak <[email protected]>
sub   rsa4096 2020-03-12 [E] [revoked: 2022-03-22]
sub   rsa4096 2020-03-12 [S] [revoked: 2022-03-22]

gpg: WARNING: No valid encryption subkey left over.
pub   rsa4096 2013-09-28 [SC] [expires: 2027-02-16]
      30AE2FC45DE4153268ED91754CF5FA5326CC62EB
uid                      Iain Buclaw <[email protected]>
uid                      Iain Buclaw <[email protected]>
uid                      Iain Buclaw <[email protected]>
sub   rsa4096 2013-09-28 [E] [expires: 2027-02-16]
sub   rsa4096 2023-02-13 [S] [expires: 2027-02-16]

pub   ed25519 2022-03-22 [SC] [expired: 2024-03-21]
      F8A26D5D7572ECA06EC7973182C52E37A8BC8393
uid                      Martin Nowak <[email protected]>
uid                      Martin Nowak <[email protected]>
uid                      Martin Nowak <[email protected]>
sub   cv25519 2022-03-22 [E] [expired: 2024-03-21]
sub   ed25519 2022-03-22 [S] [expired: 2024-03-21]

gpg: WARNING: No valid encryption subkey left over.
pub   rsa4096 2025-01-09 [SC]
      F3F896F3274BBD9BBBA59058710592E7FB7AF6CA
uid                      Dennis Korpel <[email protected]>
sub   rsa4096 2025-01-09 [E]

[dkorpel]

The downloaded keyring looks up to date, but:

gpg: Note: Specified keyrings are ignored due to option "use-keyboxd"

That's a problem

The --keyring option is deprecated and does not work at all if the keyboxd is used.

https://dev.gnupg.org/T7265

The install scripts needs to find a new way to apply those downloaded keys