3

I'm installing the Ultimaker Cura 3D printer slicer program from here (https://github.com/Ultimaker/Cura/releases/tag/5.1.0) onto Linux Ubuntu 20.04.

I downloaded these 2 files:

Ultimaker-Cura-5.1.0-linux-modern.AppImage
Ultimaker-Cura-5.1.0-linux-modern.AppImage.asc

Opening the .asc file in a text editor shows it contains:

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

How do I use this .asc signature file to check the main file?

I read this page, and the last example seems to apply: https://www.gnupg.org/gph/en/manual/x135.html

So I tried this:

gpg --verify Ultimaker-Cura-5.1.0-linux-modern.AppImage.asc Ultimaker-Cura-5.1.0-linux-modern.AppImage

...and I got the following error, as shown in my run output:

~/Downloads/Install_Files/Cura$ gpg --verify Ultimaker-Cura-5.1.0-linux-modern.AppImage.asc Ultimaker-Cura-5.1.0-linux-modern.AppImage
gpg: Signature made Tue 19 Jul 2022 05:40:33 AM MST
gpg:                using RSA key 1889EAED2DB93BF7DFFB3CA6C1A1B91069C4AF59
gpg: Can't check signature: No public key

I tried following the solution in this answer, using the RSA key hash printed in the previous output above, and it doesn't work either:

$ gpg --receive-keys 1889EAED2DB93BF7DFFB3CA6C1A1B91069C4AF59
gpg: keyserver receive failed: Server indicated a failure

I'm looking around: Google search for "ultimaker public key"

Related

  1. My question: Which AppImage should I install (.AppImage vs modern.AppImage)?
Gabriel Staples

1 Answer

2

You're getting that error ("Can't check signature: No public key") because you need to first add the public key to your local keyring.

It looks like the Ultimaker folks aren't really all that familiar with signing things, because nowhere in their repository do they publish their signing key or indicate where you can find it.

There's an issue about this from a few years back, where GitHub user "LipuFei" comments:

The public key is now on the public key servers.

$ gpg --keyserver pgp.mit.edu --recv-keys C1A1B91069C4AF59
gpg: /home/l.fei/.gnupg/trustdb.gpg: trustdb created
gpg: key C1A1B91069C4AF59: public key "Ultimaker Build Server <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

If you run that command to import the public key, you will then be able to verify your download using the .asc signature file. Note that this example is using the key ID, C1A1B91069C4AF59, but you can also use the key fingerprint, 1889EAED2DB93BF7DFFB3CA6C1A1B91069C4AF59, and you'll get the same key.


Update

Running gpg --keyserver pgp.mit.edu --recv-keys 1889EAED2DB93BF7DFFB3CA6C1A1B91069C4AF59 works for me without an error; the resulting key is:

-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----

But there is no reason for you to trust this key. Because neither the key, nor the fingerprint, nor the key id is published by the project in any official location, there's no reason for you to trust the key. Yes, it matches the key used to sign the file, but is this actually a key used by the project, or was it a clever hacker? I mean, sure, it's probably the right key, but the way the project is using it isn't particularly useful for anything other than checking if your download was somehow corrupted in transit.

larsks
  • Thank you. I just saw that post too, right before you posted it. I'm getting this error though. My command: `gpg --keyserver pgp.mit.edu --recv-keys 1889EAED2DB93BF7DFFB3CA6C1A1B91069C4AF59`. Error: `gpg: keyserver receive failed: Server indicated a failure`. Is it working for you? – Gabriel Staples Jul 31 '22 at 23:54
  • larsks, this may help you help me: https://cloudsmith.io/~ultimaker/repos/cura-public/signing/ (I'm not sure what to do with this though, yet) – Gabriel Staples Jul 31 '22 at 23:56
  • Manually going to this page (https://pgp.mit.edu/) and copy-pasting the key as a search string returns no results too. `No results found No results found: No keys found` – Gabriel Staples Jul 31 '22 at 23:59
  • I've updated the answer to address your question. – larsks Aug 01 '22 at 00:04
  • I found the key manually in the browser, here: https://pgp.mit.edu/pks/lookup?op=get&search=0xC1A1B91069C4AF59. The instructions (https://pgp.mit.edu/extracthelp.html) say: "If you want to look up a key by its hexadecimal KeyID, you have to prefix the ID with `0x`". So, searching for "Search String" `0x1889EAED2DB93BF7DFFB3CA6C1A1B91069C4AF59` instead of `1889EAED2DB93BF7DFFB3CA6C1A1B91069C4AF59` _does_ work in the browser. I'm still not sure why my command isn't working at the command-line, however. – Gabriel Staples Aug 01 '22 at 00:11
  • What OS are you on? And what version of `gpg` do you have? My `gpg --version` shows: `gpg (GnuPG) 2.2.19` – Gabriel Staples Aug 01 '22 at 00:17
  • 1
    I'm on Linux (fedora 35) with `gpg` version `2.3.4`. It looks like 2.2.19 is a few years old. – larsks Aug 01 '22 at 00:27
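
Added example (not part of the original question or answer, and not Ultimaker's code): the answer's point is that a key pulled from a keyserver only means something once its fingerprint is confirmed through a channel you trust, so this shell check accepts a detached signature only when gpg's machine-readable status reports a good signature from a pinned full fingerprint. The function names and the sample status lines are constructed for illustration; the fingerprint and key ID are the ones shown in the question.

```shell
#!/bin/sh
# Added example. Accept a detached signature only if gpg reports it as good
# AND made by a pinned full fingerprint obtained from a source you trust.

# check_status PIN: read `gpg --status-fd` lines on stdin; return 0 only for
# a good signature whose signing or primary key fingerprint equals PIN.
check_status() {
    pin=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v pin="$pin" '
        $1 != "[GNUPG:]" { next }
        # Bad, unverifiable, expired or revoked results are failures here.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint; the last field
        # is the primary key fingerprint. Appending "" forces string compare.
        $2 == "VALIDSIG" && (($3 "") == (pin "") || ($NF "") == (pin "")) {
            pinned = 1
        }
        END { exit (good && pinned && !bad) ? 0 : 1 }
    '
}

# verify_pinned SIG FILE PIN: run gpg on a detached signature and apply the
# check. Human-readable messages on stderr are discarded.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$3"
}

# Constructed status lines (not captured from a real run); the fingerprint
# and key ID are the ones shown in the question.
FPR=1889EAED2DB93BF7DFFB3CA6C1A1B91069C4AF59
GOOD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG C1A1B91069C4AF59 Ultimaker Build Server
[GNUPG:] VALIDSIG $FPR 2022-07-19 1658234433 0 4 0 1 10 00 $FPR"
NOKEY_STATUS="[GNUPG:] ERRSIG C1A1B91069C4AF59 1 10 00 1658234433 9 $FPR
[GNUPG:] NO_PUBKEY C1A1B91069C4AF59"

# Usage: sh verify_pinned.sh FILE.asc FILE FINGERPRINT
if [ "$#" -eq 3 ]; then
    verify_pinned "$1" "$2" "$3" && echo "good signature from pinned key"
fi
```

With the key missing from the keyring, as in the question's first attempt, gpg emits `ERRSIG` and `NO_PUBKEY` rather than `GOODSIG`, so the check fails.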