"gpgv: Can't check signature: public key not found" inside build

Asked by Jesse Victors

Unpack source
─────────────
gpgv: Signature made Sat May 23 03:43:06 2015 UTC using RSA key ID C20BEC80
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./tor-onions_0.2.3.1~trusty.dsc

is an example of the problem. These messages show up in all of my builds. Is it possible for the build process to automatically acquire my key and verify my signature? I'd like the extra assurance in knowing that Launchpad can verify the authenticity of the software uploaded to it.

In almost all Linux distributions, it's easy enough to send a command to gpg to receive a specific key so that it can verify signatures, but how do I do this in Launchpad (in the build process specifically) to resolve this message? Launchpad knows my PGP key already.

Question information

Language: English
Status: Answered
For: Launchpad itself
Assignee: No assignee

Colin Watson (cjwatson) said :
#1

We should probably clean up this confusing message, and feel free to file a bug against launchpad-buildd to that effect (or convert this question into a bug). However, other parts of Launchpad have already verified the signature by the time it gets to that point, so we wouldn't gain any actual security by doing so; it would be purely cosmetic.

Colin Watson (cjwatson) said :
#2

(There are also good reasons why it shouldn't specifically require your key, or indeed any key registered on Launchpad; it's possible to copy source packages from other Launchpad PPAs and have them built in your PPA, and even to copy them from the automatic import of all Debian source packages into Launchpad.)
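Added example, not part of the thread and not Launchpad's code: a small build-log triage that separates gpgv's "could not check" outcome (the message in the question, which reply #1 describes as cosmetic because the upload signature was verified earlier) from an actual failed check. The function names, the key ID `DEADBEEF`, and the last two sample lines are constructed for illustration.

```python
import re

# Constructed sample log. The first three lines are the output quoted in the
# question; the last two are constructed, in gpgv's usual wording for a failed check.
SAMPLE_LOG = """\
gpgv: Signature made Sat May 23 03:43:06 2015 UTC using RSA key ID C20BEC80
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./tor-onions_0.2.3.1~trusty.dsc
gpgv: Signature made Sat May 23 03:43:06 2015 UTC using RSA key ID DEADBEEF
gpgv: BAD signature from "Example Uploader <uploader@example.org>"
"""

SIG_MADE = re.compile(r"^gpgv: Signature made .* key ID ([0-9A-Fa-f]+)$")
# "unverifiable": no check ran because the key was not in gpgv's keyring.
# "failed": a check ran and the signature did not match the data.
OUTCOMES = [
    (re.compile(r"^gpgv: Can't check signature: (public key not found|No public key)"), "unverifiable"),
    (re.compile(r"^gpgv: BAD signature"), "failed"),
    (re.compile(r"^gpgv: Good signature"), "verified"),
]

def triage(log_text):
    """Return one dict per gpgv signature block: the key ID and a verdict."""
    findings, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = SIG_MADE.match(line)
        if m:
            current = {"key_id": m.group(1).upper(), "verdict": "unknown"}
            findings.append(current)
            continue
        if current is None:
            continue
        for pattern, verdict in OUTCOMES:
            if pattern.match(line):
                current["verdict"] = verdict
                break
    return findings

def needs_investigation(findings):
    # Assumes, as in reply #1, that signatures were already verified before the
    # build; without that earlier check, "unverifiable" gives no assurance either.
    return [f for f in findings if f["verdict"] in ("failed", "unknown")]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG), needs_investigation(triage(SAMPLE_LOG)))
```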
