Getting gpg keys from pgp.mit.edu while installing iceweasel from backport

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Aug 3 21:07:35 UTC 2015


On Sat 2015-08-01 00:31:40 -0400, Sumit Murari wrote:
> Hi Team, 
>   I was installing iceweasel from jessie backport, I found instruction on
> http://mozilla.debian.net/, but got error that some keys were not found.
>
> W: GPG error: http://mozilla.debian.net jessie-backports Release: The
> following signatures couldn't be verified because the public key is not
> available: NO_PUBKEY 85A3D26506C4AE2A

The normal way to do this on debian systems is:

 apt-get install pkg-mozilla-archive-keyring

If you do this, you shouldn't need to interact with gpg at all here.


> while I was able to achieve it using this command : 
>
> $ gpg --keyserver pgp.mit.edu --recv-key 06C4AE2A 
> $ gpg -a --export 06C4AE2A | apt-key add -  

Short key IDs like this are trivially forgeable.  Hopefully you did not
get compromised this time, but if you are fetching keys from the
keyservers, or are doing other key manipulations locally, you should use
the full fingerprint instead in the general case, like so:

 gpg --recv '85F0 6FBC 75E0 67C3 F305  C3C9 85A3 D265 06C4 AE2A'
 gpg -a --export '85F0 6FBC 75E0 67C3 F305  C3C9 85A3 D265 06C4 AE2A' | apt-key add -

See https://www.debian-administration.org/users/dkg/weblog/105 for more
information about why you should avoid short key IDs.

But the above is also generally a bad idea anyway because you don't want
to expose the superuser account to the network (gpg --recv).  You should
use the "apt-get install pkg-mozilla-archive-keyring" as recommended.

Regards,

            --dkg
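
The short-ID ambiguity described in the message above, as an added example that is not part of the original post: it parses `gpg --with-colons --fingerprint` style output and accepts a key only when its full fingerprint matches. The function names, the second key and all record fields other than the key ID and fingerprint from the thread are constructed for illustration.

```shell
#!/bin/sh
# Added example. EXPECTED is the fingerprint quoted in the message above.
EXPECTED='85F0 6FBC 75E0 67C3 F305  C3C9 85A3 D265 06C4 AE2A'

# Constructed sample data in `gpg --with-colons --fingerprint` format.
# Only the key ID and fingerprint of the first key come from the thread;
# the second key and all other fields are made up.
GOOD='pub:-:4096:1:85A3D26506C4AE2A:::::::scSC:
fpr:::::::::85F06FBC75E067C3F305C3C985A3D26506C4AE2A:'
MIXED="$GOOD
pub:-:2048:1:89ABCDEF06C4AE2A:::::::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF06C4AE2A:"

# Strip whitespace and uppercase, so spaced fingerprints compare equal.
norm_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# Print the fingerprint (field 10 of the fpr record) of each primary key.
primary_fprs() {
  awk -F: '$1=="pub"{p=1;next} $1=="sub"{p=0;next} $1=="fpr"&&p{print $10;p=0}'
}

# Count primary keys on stdin whose fingerprint ends in the given ID.
id_hits() {
  id=$(norm_fpr "$1")
  primary_fprs | grep -c "${id}\$" || true
}

# Succeed only if stdin holds exactly one primary key and its full
# 40-hex-digit fingerprint equals $1. Anything shorter is refused (status 2).
check_listing() {
  want=$(norm_fpr "$1")
  case "$want" in ''|*[!0-9A-F]*) return 2 ;; esac
  [ "${#want}" -eq 40 ] || return 2
  [ "$(primary_fprs)" = "$want" ]
}

echo "keys matching 06C4AE2A: $(printf '%s\n' "$MIXED" | id_hits 06C4AE2A)"
if printf '%s\n' "$GOOD" | check_listing "$EXPECTED"; then
  echo "fingerprint verified"
fi
```

To use it on a real key, pipe in the colon listing from an unprivileged user's keyring before anything is handed to apt-key.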