
Problem installing rubies with rvm because of missing public key


Yesterday I tried to install a ruby or update rvm on Ubuntu, today on macOS, and I failed in the same place on both:

$ rvm get head
Downloading https://get.rvm.io
Downloading https://raw.githubusercontent.com/rvm/rvm/master/binscripts/rvm-installer.asc
Verifying /Users/bjelline/.rvm/archives/rvm-installer.asc
gpg: Signature made Sun Dec 30 11:44:46 2018 CET using RSA key ID 39499BDB
gpg: Can't check signature: No public key
Warning, RVM 1.26.0 introduces signed releases and automated check of signatures when GPG software found. Assuming you trust Michal Papis import the mpapis public key (downloading the signatures).

GPG signature verification failed for '/Users/bjelline/.rvm/archives/rvm-installer' - 'https://raw.githubusercontent.com/rvm/rvm/master/binscripts/rvm-installer.asc'! Try to install GPG v2 and then fetch the public key:

    gpg2 --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3

or if it fails:

    command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -

the key can be compared with:

    https://rvm.io/mpapis.asc
    https://keybase.io/mpapis

NOTE: GPG version 2.1.17 have a bug which cause failures during fetching keys from remote server. Please downgrade or upgrade to newer version (if available) or use the second method described above.

-bash: return: _ret: numeric argument required

I've tried both versions of getting the public key mentioned: using curl:

$ command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -
gpg: key D39DC0E3: "Michal Papis (RVM signing) <mpapis@gmail.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

And also using gpg2 --recv-keys:

$ gpg2 --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
gpg: requesting key D39DC0E3 from hkp server keys.gnupg.net
gpg: key D39DC0E3: "Michal Papis (RVM signing) <mpapis@gmail.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Notice how both mention key D39DC0E3 ... not changed.

So, is there something wrong with D39DC0E3? How would I find out?

Or is it simply the wrong key? In the output of rvm get head I find the lines

gpg: Signature made Sun Dec 30 11:44:46 2018 CET using RSA key ID 39499BDB
gpg: Can't check signature: No public key

Is the RSA key ID 39499BDB the same as key D39DC0E3? How would I find out?


Solution

  • There is an issue on GitHub that explains this:

    https://github.com/rvm/rvm/issues/4520

    It seems that the error is alerting me to the fact that the maintainer of rvm has changed: the new maintainer, github.com/pkuczynski, uses another key to sign.

    Do I want to trust this new maintainer? Then I can add his key:

    gpg --keyserver hkp://keys.gnupg.net --recv-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
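
The question asks how to tell whether RSA key ID 39499BDB is the same key as D39DC0E3. For an OpenPGP v4 key, the key ID gpg prints is the trailing hex digits of the 40-digit fingerprint (8 for the short form, 16 for the long form), so the check is a suffix comparison. The script below is an added example, not part of the original question or answer; its function names are hypothetical, and the gpg output and both fingerprints are copied from this page.

```shell
#!/bin/sh
# Added example: map the key ID in gpg's "Can't check signature" output
# to a full fingerprint. All function names here are hypothetical.

# gpg output as quoted in the question above.
GPG_OUTPUT='gpg: Signature made Sun Dec 30 11:44:46 2018 CET using RSA key ID 39499BDB
gpg: Can'\''t check signature: No public key'

# The two fingerprints that appear on this page.
FPR_IMPORTED=409B6B1796C275462A1703113804BB82D39DC0E3   # key already in the keyring
FPR_ANSWER=7D2BAF1CF37B13E2069D6956105BD0E739499BDB     # key named in the answer

# Print the key ID from a "using <algo> key ID <hex>" line (empty if absent).
signing_key_id() {
    printf '%s\n' "$1" |
        sed -n 's/.*using [A-Za-z0-9]* key ID \([0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# Strip spaces and a leading 0x, then uppercase, so formats compare equal.
normalise_hex() {
    printf '%s' "$1" | tr -d ' \n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Return 0 if key ID $1 is the tail of fingerprint $2, 1 if not,
# 2 if either argument is not a plausible v4 key ID / fingerprint.
key_id_matches_fingerprint() {
    _id=$(normalise_hex "$1")
    _fpr=$(normalise_hex "$2")
    case "$_id$_fpr" in *[!0-9A-F]*) return 2 ;; esac
    [ "${#_fpr}" -eq 40 ] || return 2
    case "${#_id}" in 8|16|40) ;; *) return 2 ;; esac
    case "$_fpr" in *"$_id") return 0 ;; *) return 1 ;; esac
}

# Print the first candidate fingerprint whose tail is the signing key ID.
which_key() {
    _want=$(signing_key_id "$1"); shift
    for _cand in "$@"; do
        if key_id_matches_fingerprint "$_want" "$_cand"; then
            printf '%s\n' "$_cand"; return 0
        fi
    done
    return 1
}

which_key "$GPG_OUTPUT" "$FPR_IMPORTED" "$FPR_ANSWER" || echo "no candidate matches"
```

A 32-bit short key ID is easy to collide, so a suffix match only tells you which key to look at. Before trusting a key, compare its full fingerprint (`gpg --fingerprint`) with one published through a channel you trust.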