Verify gpg key from stdin

Question

I'm using these commands in a Dockerfile to add the LLVM Ubuntu package repository:

RUN echo deb http://apt.llvm.org/artful/ llvm-toolchain-artful-6.0 main > \
    /etc/apt/sources.list.d/llvm.list && \
    wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -

This will add the repository and register the key. However, I'd also like to verify the key using the fingerprint given on the website. How can I extend this command to verify the key?

score 0 · Answer 1 · edited Feb 04 '18 at 00:52

0

The command to validate gpg fingerprints is gpg --with-fingerprint --with-colons -.

Thus, first you download the key and then pipe it into the gpg validator.

wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --with-fingerprint --with-colons -
wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --with-fingerprint --with-colons - | sed -ne 's|^fpr:::::::::\([0-9A-F]\+\):$|\1|p'

Note, the full secure solution would require you to guarantee to validate the fingerprint of the same key what you actually decrypt.

edited Feb 04 '18 at 00:52

peterh

9,488
16
59
88

answered Feb 03 '18 at 23:40

Szépe Viktor

279
2
5

I improved the answer, I hope there is no need to delete it any more. Helló Viktor! :-) – peterh Feb 04 '18 at 00:53

Verify gpg key from stdin

1 Answers1