Retrieve public keys that signed a key I have

Question

I am trying to figure out how to do the following in one command.

I have an ISO image along with its signature file *.sig. I tried to verify it via GnuPG 2 but it reported a missing public key giving me its fingerprint. I have successfully retrieved a key using the following

gpg2 --keyserver hkp://keys.gnupg.net --recv-key <fingerprint>

but when I checked the key

gpg2 --edit-key <KEY ID>

followed by

gpg> check

I have got this message:

27 signatures not checked due to missing keys

How can I retrieve all these keys to check that the key I have got is trusted?

Answer 1

You're not missing keys for the ISO's signature, but keys which issued certifications on the key that signed the image.

GnuPG does not recursively download other keys, you will have to do this on your own (for example, by running a command line like the one you proposed in the comments). But be aware that the certificates provided by other keys do not already assert the key's valid, it is very easy to generate whole networks of keys that even mimic the real OpenPGP web of trust like performed in the Evil 32 attack. If you want to validate some key by checking certifications, always build a trust path that ends at your own key (or some other key you verified through another medium, for example by meeting the person).