phly / keep-a-changelog

Tools for manipulating CHANGELOG.md files in Keep A Changelog format, including tagging and releasing.
https://phly.github.io/keep-a-changelog/
BSD 2-Clause "Simplified" License

Phive installation fails #95

Open icanhazstring opened 3 years ago

icanhazstring commented 3 years ago

Bug Report

Q          A
BC Break   no
Version    2.10.1

Summary

Trying to install phly/keep-a-changelog using phive

$phive install phly/keep-a-changelog --copy 

Phive 0.14.4 - Copyright (C) 2015-2020 by Arne Blankerts, Sebastian Heuer and Contributors
Downloading https://api.github.com/rate_limit
Downloading https://github.com/phly/keep-a-changelog/releases/download/2.10.1/keep-a-changelog.phar
Downloading https://github.com/phly/keep-a-changelog/releases/download/2.10.1/keep-a-changelog.phar.asc
Downloading key 9A2577FF9A688FAF
Trying to connect to keys.openpgp.org (37.218.245.50)
Downloading https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0x9A2577FF9A688FAF
Successfully downloaded key.
[WARNING]  Parsing key data failed with error code 0: No UIDs in key found 
Trying to connect to keyserver.ubuntu.com (162.213.33.8)
Trying to connect to keyserver.ubuntu.com (162.213.33.9)
[WARNING]  Failed with error code 404: Key not found on keyserver 
[WARNING]  Failed with error code 6: DNS Problem: Did not find any IP for hostname "hkps.pool.sks-keyservers.net" 
[ERROR]    PublicKey 9A2577FF9A688FAF not found on key servers 

Current behaviour

Fails to retrieve the public key used for signing from the servers

How to reproduce

Run

$ phive install phly/keep-a-changelog

Expected behaviour

Expected to have the phar installed

weierophinney commented 3 years ago

It looks like Phive is requiring a UID in keys it pulls from keyservers, and failing hard if none is found - even though GPG2 no longer requires them. (The key we are using does not contain a UID field.) This looks like an upstream issue.

FelixJacobi commented 3 years ago

even though GPG2 no longer requires them

Are you sure that this is true? On Ubuntu 21.04 I am even not able to import the key manually:

felix.jacobi@felix ~/bin % wget -O kac.asc 'https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0x9A2577FF9A688FAF'
--2021-07-04 20:39:17--  https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0x9A2577FF9A688FAF
Resolving keys.openpgp.org (keys.openpgp.org)... 2a00:c6c0:0:154:1::1, 37.218.245.50
Connecting to keys.openpgp.org (keys.openpgp.org)|2a00:c6c0:0:154:1::1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2281 (2,2K) [application/pgp-keys]
Saving to: ‘kac.asc’

kac.asc                                    100%[========================================================================================>]   2,23K  --.-KB/s    in 0s      

2021-07-04 20:39:17 (410 MB/s) - ‘kac.asc’ saved [2281/2281]

felix.jacobi@felix ~/bin % gpg --expert --homedir ~/.phive/gpg --import --allow-non-selfsigned-uid kac.asc 
gpg: key 9A2577FF9A688FAF: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

The --allow-non-selfsigned-uid workaround was advised in several search results on Google (e.g. in sles - Import PGP Keys with no user id into gpg - Unix & Linux Stack Exchange), but it seems not to have any effect currently (?) - maybe this was buggy behavior from GPG, which you cannot exploit anymore. According to gnupg - gpg: can't import key: "new key but contains no user ID - skipped" - Super User it will be supported in a future GnuPG version. I checked NEWS · gnupg and found no note that importing keys without a UID is supported yet. If I am correct, you can indeed create and export them locally, but importing them seems not to be possible.

Though, I guess a GPG key without an identity IMHO does not make much sense. As a human, the fingerprint is only helpful when comparing two keys to see whether they are the same. What I usually want to know primarily is WHO exactly created the key and whether he is trustworthy. You can use the fingerprint in addition to ensure that you did not get a faked UID after the initial trust relationship was established.
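Both comments above hinge on whether the downloaded key carries any User ID packet at all. As an added example (not Phive's or keep-a-changelog's own code), the following Python reader de-armors an OpenPGP public key block, walks its packet headers as laid out in RFC 4880, and counts key, subkey and User ID packets, so the "No UIDs in key found" condition can be checked on a downloaded .asc file before trying an import; the function names are my own, and the two key blocks at the bottom are constructed samples with placeholder bodies, not real key material.

```python
import base64
import re
TAG_PUBLIC_KEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY = 6, 13, 14  # RFC 4880 section 4.3

def dearmor(text: str) -> bytes:
    # Keep only the base64 body: armor headers contain ':' and the CRC24 line starts with '='.
    m = re.search(r"-----BEGIN PGP [A-Z ]+-----\r?\n(.*?)-----END PGP", text, re.S)
    if not m:
        raise ValueError("no PGP armor found")
    lines = (l.strip() for l in m.group(1).splitlines())
    return base64.b64decode("".join(l for l in lines if l and ":" not in l and l[0] != "="))
def iter_packets(data: bytes):
    # Yield (tag, body) per packet; handles old- and new-format headers, not partial bodies.
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {i - 1}")
        if ctb & 0x40:  # new format: 6-bit tag, 1/2/5-octet length
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old format: 4-bit tag, length-type in low 2 bits (3 = indeterminate)
            if ctb & 0x03 == 3:
                raise ValueError("indeterminate length not supported")
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def summarize(armored: str) -> dict:
    # user_ids == 0 is the condition behind Phive's "No UIDs in key found" warning.
    tags = [tag for tag, _ in iter_packets(dearmor(armored))]
    return {"keys": tags.count(TAG_PUBLIC_KEY), "subkeys": tags.count(TAG_PUBLIC_SUBKEY), "user_ids": tags.count(TAG_USER_ID)}

# Constructed sample input: old-format packets with placeholder bodies, not real key material.
def _packet(tag: int, body: bytes) -> bytes:
    return bytes([0x80 | (tag << 2) | 0x01]) + len(body).to_bytes(2, "big") + body
def _armor(packets: bytes) -> str:
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed sample\n\n"
            + base64.b64encode(packets).decode() + "\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")
NO_UID_KEY = _armor(_packet(TAG_PUBLIC_KEY, b"\x04" * 21) + _packet(TAG_PUBLIC_SUBKEY, b"\x04" * 21))
WITH_UID_KEY = _armor(_packet(TAG_PUBLIC_KEY, b"\x04" * 21) + _packet(TAG_USER_ID, b"Example <example@example.invalid>"))
```

Running `summarize(open("kac.asc").read())` on a real download reports the same zero User ID count that both Phive and gpg complained about in the thread.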