Jacek, 4 months ago, New Contributor
pgp signature not trusted
I upgraded PGP signatures:

```
$ curl -sS https://downloads.1password.com/linux/keys/1password.asc | gpg --import
gpg: key AC2D62742012EA22: 3 signatures not checked due to missing keys
gpg: key AC2D62...
```
- 4 months ago
If you are trying to check that `op_linux_amd64_v2.31.1.zip` was signed with the detached signature `op.sig`, then you should run `gpg --verify op.sig op_linux_amd64_v2.31.1.zip`.
The check done during the package installation is almost certainly done correctly and the process should fail if the check fails. In the trust model with which you're working, the successful install of a native or AUR package should give you confidence that the file(s) fetched have not been modified since the package was last updated.
AJCxZ0, 4 months ago, Bronze Expert
You imported the key published on the web site into your keyring.
While you say, "checking 1password-cli source", you don't show what you actually ran. The signature shown has the correct fingerprint. There is nothing wrong with the signature and you mention no reason to think that there is something wrong or any reason why you are "worried about whether the 1Password code is secure" (ignoring what "is secure" could actually mean).
That said, 1Password still hasn't pushed their recently updated key to the keyservers:
```
$ gpg --fingerprint AC2D62742012EA22
pub   rsa4096 2017-05-18 [SC] [expired: 2025-05-16]
      3FEF 9748 469A DBE1 5DA7 CA80 AC2D 6274 2012 EA22
uid           [ expired] Code signing for 1Password <codesign@1password.com>
$ gpg --refresh-keys AC2D62742012EA22
gpg: refreshing 1 key from hkps://keys.openpgp.org
gpg: key AC2D62742012EA22: "Code signing for 1Password <codesign@1password.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
$ curl -sS https://downloads.1password.com/linux/keys/1password.asc | gpg --import
gpg: key AC2D62742012EA22: 3 signatures not checked due to missing keys
gpg: key AC2D62742012EA22: "Code signing for 1Password <codesign@1password.com>" 1 new signature
gpg: Total number processed: 1
gpg:         new signatures: 1
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
gpg: (use option "--allow-weak-key-signatures" to override)
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
$ gpg --list-public-keys codesign@1password.com
pub   rsa4096 2017-05-18 [SC] [expires: 2032-05-16]
      3FEF9748469ADBE15DA7CA80AC2D62742012EA22
uid           [ unknown] Code signing for 1Password <codesign@1password.com>
```

and setting the key expiry for 2032 is not wise, so 1Password certainly could do better.
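The check the first reply describes (`gpg --verify op.sig op_linux_amd64_v2.31.1.zip`) reports "Good signature" even when the key carries no trust, which is where the "not trusted" warning in the question comes from. The added example below (not code from the thread or from 1Password) reads gpg's `--status-fd` lines instead and accepts the file only when a `VALIDSIG` line names the fingerprint quoted above, so the decision rests on that pinned fingerprint rather than on keyring trust; the sample status lines are constructed, and gpg is only invoked inside `verify_pinned`.

```shell
#!/bin/sh
# Added example, not code from the thread or from 1Password. Verifies a
# detached signature by reading gpg's machine-readable status lines and
# requiring a VALIDSIG from the pinned key fingerprint quoted in the thread.
# Keyring trust (the "not certified"/"not trusted" warning) is deliberately
# ignored: the pinned fingerprint is the trust decision.

EXPECTED_FPR="3FEF9748469ADBE15DA7CA80AC2D62742012EA22"

# Drop spaces and uppercase, so "3FEF 9748 ..." and "3fef9748..." compare equal.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# $1: gpg --status-fd output, $2: expected fingerprint. Succeeds only if a
# VALIDSIG line names the pinned key, either as the signing (sub)key
# (field 3) or as the primary key (last field).
status_has_pinned_validsig() {
  expected=$(normalize_fpr "$2")
  printf '%s\n' "$1" | grep '^\[GNUPG:\] VALIDSIG ' | (
    set -f   # no pathname expansion: "[GNUPG:]" would otherwise be a glob
    while read -r line; do
      set -- $line
      eval "primary=\${$#}"
      if [ "$(normalize_fpr "$3")" = "$expected" ] ||
         [ "$(normalize_fpr "$primary")" = "$expected" ]; then
        exit 0            # match: leave the subshell successfully
      fi
    done
    exit 1                # no VALIDSIG from the pinned key
  )
}

# $1: detached signature, $2: signed file (e.g. op.sig op_linux_amd64_v2.31.1.zip).
# Requires the key to have been imported as in the thread. Returns 0 only for
# a good signature from the pinned key; gpg's exit code alone does not say
# which key signed.
verify_pinned() {
  out=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
  status_has_pinned_validsig "$out" "$EXPECTED_FPR"
}

# Constructed sample status output (not real gpg output) for a quick self-check.
SAMPLE_GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AC2D62742012EA22 Code signing for 1Password <codesign@1password.com>
[GNUPG:] VALIDSIG 3FEF9748469ADBE15DA7CA80AC2D62742012EA22 2025-06-01 1748736000 0 4 0 1 10 00 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_OTHER_KEY_STATUS='[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2025-06-01 1748736000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'
```

Run `verify_pinned op.sig op_linux_amd64_v2.31.1.zip && echo OK` after the import command from the thread; a good signature from any other key, or a key that merely shares a short key ID, fails the check.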