
No Key for org.reflection

Open cmrockwell opened this issue 4 years ago • 2 comments

Hi

My project uses pgpverify-maven-plugin to verify the signatures of dependencies such as org.reflections:reflections:jar:0.9.12.

Recently the CI started to fail because the plugin cannot locate the key used to sign org.reflections:reflections:jar:0.9.12 on the servers mentioned in the logs below.

[WARNING] {https://keyserver.ubuntu.com} throw exception: PGP server returned an error: HTTP/1.1 404 Not Found for: https://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&search=0x8E1AD594207B7FB2 - fallback try next client
[WARNING] {https://keys.openpgp.org} throw exception: PGP server returned an error: HTTP/1.1 404 Not Found for: https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0x8E1AD594207B7FB2 - fallback try next client
[WARNING] [Retry #1 waiting: PT0.5S] Last address pgp.mit.edu/18.9.60.141 with problem: [java.net.SocketTimeoutException] Read timed out
[WARNING] [Retry #2 waiting: PT0.75S] Last address pgp.mit.edu/18.9.60.141 with problem: [java.net.SocketTimeoutException] Read timed out
[WARNING] [Retry #3 waiting: PT1.125S] Last address pgp.mit.edu/18.9.60.141 with problem: [java.net.SocketTimeoutException] Read timed out
[WARNING] [Retry #4 waiting: PT1.687S] Last address pgp.mit.edu/18.9.60.141 with problem: [java.net.SocketTimeoutException] Read timed out
[WARNING] [Retry #5 waiting: PT0S] Last address pgp.mit.edu/18.9.60.141 with problem: [java.net.SocketTimeoutException] Read timed out
[WARNING] {https://pgp.mit.edu} throw exception: Read timed out for: https://pgp.mit.edu/pks/lookup?op=get&options=mr&search=0x8E1AD594207B7FB2 - fallback try next client
[ERROR] All servers from list was failed
[ERROR] PGP key https://keyserver.ubuntu.com/pks/lookup?op=vindex&fingerprint=on&search=0x8E1AD594207B7FB2 not found on keyserver for artifact org.reflections:reflections:jar:0.9.12

It seems your public key has not been uploaded or propagated to the key servers.

You may want to consider uploading the key used to sign the artifacts using this command (for example):

gpg --keyserver pgp.mit.edu --send-key B94797AF54AE59B1E3C154DA8E1AD594207B7FB2

or reviewing the article https://help.ubuntu.com/community/GnuPrivacyGuardHowto

Thanks!

cmrockwell avatar Aug 25 '21 17:08 cmrockwell

This might be resolved now, can you please recheck Cris? @cmrockwell

ronmamo avatar Sep 22 '21 01:09 ronmamo

Hey, this is actually still a problem:

gpg --keyserver keyserver.ubuntu.com --recv-keys 0x3F2A008A91D11A7FAC4A0786F13D3E721D56BD54

gpg: key F13D3E721D56BD54: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

It seems, under no circumstances, will gpg allow me to import your key. I can download it and have it sit in a file on my computer, but I cannot import it into my keyring. Would you mind checking if the keypair on your computer correctly contains the "user ID" and see if you can re-send it?

I would expect it to report on extra information being uploaded, given that the user ID is currently missing.

gpg -Kv 0x3F2A008A91D11A7FAC4A0786F13D3E721D56BD54 should give you a complete overview of information surrounding your key that's present on your computer, i.e. v indicating verbose information which includes possibly outdated/expired parts, etc.

cobratbq avatar Jun 29 '24 00:06 cobratbq
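The last comment describes a key that downloads from the keyserver but that gpg skips with "contains no user ID". The following is an added example, not part of the original thread or of either project: it walks the OpenPGP packet headers of a downloaded key file (binary or ASCII-armored) and reports whether a User ID packet is present. The function names are hypothetical and the sample packets are constructed dummy data, not real keys.

```python
import base64

USER_ID = 13  # OpenPGP packet tag for a User ID packet (RFC 4880, section 4.3)

def dearmor(data: bytes) -> bytes:
    """Return binary packet data; decode ASCII armor if present (CRC line ignored)."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [l.strip() for l in data.strip().splitlines()]
    start = lines.index(b"") + 1  # armor headers end at the first blank line
    body = [l for l in lines[start:] if not l.startswith((b"=", b"-----"))]
    return base64.b64decode(b"".join(body))

def packet_tags(data: bytes) -> list:
    """Walk the packet headers (RFC 4880, section 4.2) and return each tag."""
    tags, i = [], 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header: tag in the low 6 bits
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            n = 1 << ltype  # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        tags.append(tag)
        i += length  # skip the body; only the headers matter for this check
    return tags

def has_user_id(key: bytes) -> bool:
    return USER_ID in packet_tags(dearmor(key))

def pkt(tag: int, body: bytes) -> bytes:  # constructed new-format packet, dummy body
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed samples, not real keys: public key (6), user ID (13), signature (2)
STRIPPED = pkt(6, b"\x00" * 12) + pkt(2, b"\x00" * 10)
COMPLETE = pkt(6, b"\x00" * 12) + pkt(13, b"Test <t@example.org>") + pkt(2, b"\x00" * 10)
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `has_user_id`; `gpg --list-packets` on the same file lists the packets in more detail.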