Missing PGP Public Key

[MartinKroupaETN]

Describe the bug

I would like to ask you to provide the public PGP key to verify the signature of the jul-ecs-formatter-1.6.0.jar.
I found a PGP public key on the hkps://keys.openpgp.org keyserver, but it did not contain a user ID with a verified email address and therefore was not imported into my system.

Steps to reproduce

$ curl -LOs "https://repo.maven.apache.org/maven2/co/elastic/logging/jul-ecs-formatter/1.6.0/jul-ecs-formatter-1.6.0.jar.asc"

$ gpg --verify jul-ecs-formatter-1.6.0.jar.asc
gpg: assuming signed data in 'jul-ecs-formatter-1.6.0.jar'
gpg: Signature made Po 19. února 2024, 14:21:37 CET
gpg:                using RSA key 1B30324253E3599F1A9873C1DB69C945CDE13051
gpg: Can't check signature: No public key

$ gpg --list-packets jul-ecs-formatter-1.6.0.jar.asc
# off=0 ctb=89 tag=2 hlen=3 plen=307
:signature packet: algo 1, keyid DB69C945CDE13051
	version 4, created 1708348897, md5len 0, sigclass 0x00
	digest algo 10, begin of digest f2 8f
	hashed subpkt 33 len 21 (issuer fpr v4 1B30324253E3599F1A9873C1DB69C945CDE13051)
	hashed subpkt 2 len 4 (sig created 2024-02-19)
	subpkt 16 len 8 (issuer key ID DB69C945CDE13051)
	data: [2045 bits]

$ gpg --keyserver hkps://keys.openpgp.org --verbose --recv-keys DB69C945CDE13051
gpg: enabled compatibility flags:
gpg: data source: https://keys.openpgp.org:443
gpg: armor header: Comment: 1B30 3242 53E3 599F 1A98  73C1 DB69 C945 CDE1 3051
gpg: pub  rsa2048/DB69C945CDE13051 2024-01-12  
gpg: key DB69C945CDE13051: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

[SylvainJuge]

Hi, this is the same symptom as was reported in elastic/apm-agent-java#3523, which is due to a change in the signing keys. Until recently all Elastic artifacts were signed with a single key which was widely available in most key servers.

This new public key however isn't yet available on all key servers though.

[MartinKroupaETN]

Any progress?
The key is still only at hkps://keys.openpgp.org, but the DB69C945CDE13051 keyid doesn't contain a user ID, so I can't verify it.

$ gpg --keyserver keyring.debian.org --verbose --recv-keys DB69C945CDE13051
gpg: enabled compatibility flags:
gpg: no running dirmngr - starting '/usr/bin/dirmngr'
gpg: waiting for the dirmngr to come up ... (5s)
gpg: connection to the dirmngr established
gpg: keyserver receive failed: No keyserver available

$ gpg --keyserver hkps://keyserver.ubuntu.com --verbose --recv-keys DB69C945CDE13051
gpg: enabled compatibility flags:
gpg: data source: https://185.125.188.27:443
gpg: keyserver receive failed: No data

$ gpg --keyserver hkps://pgp.mit.edu --verbose --recv-keys DB69C945CDE13051
gpg: enabled compatibility flags:
gpg: data source: https://pgp.mit.edu:443
gpg: keyserver receive failed: No data

[SylvainJuge]

Hi @MartinKroupaETN , sorry if this issue hasn't seen any progress in a while, I've notified the people in charge and hopefully this should be solved soon.

[SylvainJuge]

Hi @MartinKroupaETN , the key should now be properly fixed:

I get the following with gpg --keyserver keys.openpgp.org --recv DB69C945CDE13051:

gpg: key DB69C945CDE13051: public key "[email protected] <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Can you confirm it works on your side so we can close this issue ?

[MartinKroupaETN]

Hi @SylvainJuge ,

yes, verification with DB69C945CDE13051 keyid is already working.

Thank you

[SylvainJuge]

Thanks for your patience and for double-checking @MartinKroupaETN.