← Back to index | Original Bugzilla link

Bug 19100 – install.sh signature verification fails, no public key

Status: RESOLVED
Resolution: FIXED
Severity: major
Priority: P1
Component: installer
Product: D
Version: D2
Platform: All
OS: All
Creation time: 2018-07-19T19:07:11Z
Last change time: 2018-11-25T16:37:58Z
Assigned to: No Owner
Creator: Jonathan Marler
See also: https://issues.dlang.org/show_bug.cgi?id=19434

Comments

Comment #0 by johnnymarler — 2018-07-19T19:07:11Z

For some reason install.sh signature verification is failing on my ubuntu machine. I've tried installing multiple versions but all of them fail. When I modify the gpg verification command to print stderr, I get the following message: gpg2 -q --verify --keyring /home/marler8997/dlang/d-keyring.gpg --no-default-keyring /dev/fd/63 /home/marler8997/dlang/.installer_tmp_4DmvFx/fws8WG/dmd.2.081.1.linux.tar.xz gpg: Signature made Tue 10 Jul 2018 02:47:37 PM MDT using RSA key ID 12BB1939 gpg: Can't check signature: No public key The contents of d-keyring.gpg are the following: hexdump /home/marler8997/dlang/d-keyring.gpg 0000000 0000 2000 0101 0200 424b 6658 0000 0000 0000010 505b 4e86 505b 4e86 0000 0000 0000 0000 0000020

Comment #1 by greensunny12 — 2018-07-19T21:43:00Z

Did you upgrade the keyring or install.sh within the last year? We upgraded the keyring in January this year and you might still have an old one.

Comment #2 by johnnymarler — 2018-08-10T16:42:08Z

Saw a post on the forum that someone else had this issue. To answer sebs question, I'm not familiar with ubuntu's "keyring". This happened on a new machine that I had just inatlled Ubuntu 16.04 LTS on. And install.sh was also brand new downloaded from the side.

Comment #3 by greensunny12 — 2018-08-10T19:06:57Z

> To answer sebs question, I'm not familiar with ubuntu's "keyring" And you don't need to. We don't use it. We ship our own keyring on the initial download, which is at ~/dlang/d-keyring.gpg You can do the following to check the current keyring: > gpg --no-default-keyring --keyring ~/dlang/d-keyring.gpg --list-keys You should see a similar output as on https://dlang.org/gpg_keys.html Also: > sha256sum ~/dlang/d-keyring.gpg 4de1bb6028bb1e3d4eefd9e1a1651ad6c372ead0482b63e3aafdfdc0fbb48dbd /home/seb/dlang/d-keyring.gpg Are you still experiencing this issue?

Comment #4 by johnnymarler — 2018-08-13T17:07:21Z

Seb has fix here: https://github.com/dlang/installer/pull/338

Comment #5 by greensunny12 — 2018-08-13T17:14:01Z

After debugging this for a while with Jonathan, the problem seemed to be that the install.sh script was manually installed to ~/dlang/install.sh and the check for a keyring upgrade only checks for the existence of ~/dlang/install.sh and not ~/dlang/d-keyring.gpg Also, gpg seems to create a default keyring with 32B if no keyring exists (i.e. the passed file doesn't exist). A fix: https://github.com/dlang/installer/pull/338

Comment #6 by github-bugzilla — 2018-08-13T17:50:21Z

Commit pushed to master at https://github.com/dlang/installer https://github.com/dlang/installer/commit/bae1b3480a51991a0d014d4232102ee990c8ba3a Fix Issue 19100 - install.sh signature verification fails, no public key