
It says here that there are 5 Master signing keys for the Arch Linux project. It also says that active, trusted developers have their keys signed by one or more of the master keys. And we can see that Pierre Schmitz's personal key is signed by master keys 0x77514E00, 0x7BE9892E and 0x037F4F41.

Now, I imported all of the Arch project master keys including 0x77514E00, 0x7BE9892E and 0x037F4F41, which it is claimed on the Arch website have signed Pierre Schmitz's personal key. [screenshot]

I verified the archlinux-x86_64.iso with the archlinux-x86_64.iso.sig. It said it was unverified and to go looking for this key ID: 0x3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C. Fine. But I just wanted to independently verify that Pierre Schmitz's personal key is in fact signed by the master keys, so I can begin doing these verifications intelligently during this and many future tasks.

I listed sigs for Pierre Schmitz's key ID: [screenshot] Self-signed, OK. I guess I need to recv keys?

I ran recv keys on the key ID: [screenshot]

I refresh: [screenshot]

And I listed keys again for the ID in question: [screenshot]

Is this actually not possible? Is it not always or never possible to independently verify that a key was signed by a defined set of master keys? Or where am I making a mistake in this verification procedure?

1 Answer

It sounds like your GnuPG installation is configured to strip all non-self signatures from the imported keys, as is the default in all new versions. If you want to retain them, you'll now have to explicitly opt in to that:

$ gpg --keyserver-options no-self-sigs-only --recv-key 3E80CA1A...

This filtering became the default in 2019 as the public keyservers were suddenly flooded with tons of garbage signatures (especially with the old SKS keyserver software accepting even malformed packets that would break GnuPG entirely).

This led to WoT-style signature distribution via keyservers dying off even more than it already had; the SKS-based keyserver pool outright shutting down; with large keyservers switching to different software and often no longer synchronizing with each other. (Some new keyservers such as Hagrid don't even accept non-self signatures at all.)

As a result, Arch Linux in general no longer uses keyservers as its primary key distribution mechanism. Instead, the keys can be retrieved directly from https://archlinux.org via WKD, in the same form as they are distributed through Arch packaging – with other developers' signatures attached, but nothing else:

$ gpg --auto-key-locate clear,wkd --locate-external-key pierre@archlinux.org
$ gpg --list-sigs pierre@archlinux.org
grawity
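The check the question is after (does the developer key carry signatures from the master keys?) can be scripted against GnuPG's machine-readable `--with-colons` output, so it does not depend on reading `--list-sigs` by eye. The script below is an added example, not part of the answer above or of Arch's own tooling. It assumes GnuPG's documented colon-format layout (record type in field 1, signer key ID in field 5 of `sig` records); `fetch_key_sigs_wkd` needs network access and is the only part that talks to a server. The sample output at the bottom is constructed for the offline check: Pierre's fingerprint and the short master key IDs come from the page, while the 16-digit master key IDs are zero-padded placeholders, not real key IDs.

```shell
#!/bin/sh
# Added example: verify that a developer key is signed by a given set of
# master keys, using GnuPG --with-colons output. Assumes the documented
# colon-format layout: field 1 = record type, field 5 = signer key ID on
# "sig" records (see GnuPG doc/DETAILS).

# Fetch a key via WKD (as the answer describes) and dump its signatures in
# colon format. Network + gpg required; call it only when you want to fetch.
#   $1 = e-mail address, e.g. pierre@archlinux.org
fetch_key_sigs_wkd() {
    gpg --auto-key-locate clear,wkd --locate-external-key "$1" >/dev/null 2>&1 || return 1
    gpg --with-colons --list-sigs "$1"
}

# Read colon-format output on stdin and print each distinct signer key ID,
# dropping the key's own self-signatures.
#   $1 = long key ID (16 hex digits) of the key being inspected
external_signers() {
    awk -F: -v own="$1" '$1 == "sig" && $5 != own { print $5 }' | sort -u
}

# Check that every expected master key ID appears among the signers.
# Short (8-digit) IDs are matched as a suffix of the long ID; short IDs
# can collide, so prefer long IDs or fingerprints when you have them.
# Prints each missing master key; returns 1 if any is missing, else 0.
#   $1 = own long key ID, remaining args = expected master key IDs (no 0x)
check_master_sigs() {
    own="$1"; shift
    signers=$(external_signers "$own")
    missing=0
    for want in "$@"; do
        found=0
        for s in $signers; do
            case "$s" in *"$want") found=1 ;; esac
        done
        if [ "$found" -eq 0 ]; then
            echo "missing signature from $want"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample (NOT real keyring output): Pierre's key ID/fingerprint
# as given on the page, signed by itself and by two placeholder master keys
# whose long IDs are zero-padded versions of the short IDs from the page.
SAMPLE_SIGS='pub:f:4096:1:76A5EF9054449A5C:1400000000:::f:::scESCA::::::23::0:
fpr:::::::::3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C:
uid:f::::1400000000::0000000000000000000000000000000000000000::Pierre Schmitz <pierre@archlinux.org>::::::::::0:
sig:::1:76A5EF9054449A5C:1400000000::::Pierre Schmitz <pierre@archlinux.org>:13x::3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C:::8:
sig:::1:0000000077514E00:1400000000::::Arch Linux Master Key (placeholder):10x:::::8:
sig:::1:000000007BE9892E:1400000000::::Arch Linux Master Key (placeholder):10x:::::8:'

# Offline run against the constructed sample; against a live keyring you
# would instead pipe: fetch_key_sigs_wkd pierre@archlinux.org | check_master_sigs ...
printf '%s\n' "$SAMPLE_SIGS" | check_master_sigs 76A5EF9054449A5C 77514E00 7BE9892E 037F4F41 \
    && echo "all master signatures present" \
    || echo "at least one master signature missing"
```

Against real data, run `fetch_key_sigs_wkd pierre@archlinux.org | check_master_sigs 76A5EF9054449A5C 77514E00 7BE9892E 037F4F41`; if the key was imported through a keyserver with the default `self-sigs-only` filtering, `external_signers` will print nothing, which is exactly the symptom the question describes.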