Keywords: GPG | Digital Signature | Public Key Management | Encryption Verification | Key Servers
Abstract: This article provides an in-depth analysis of the "Can't check signature: public key not found" error during GPG decryption processes. It explains the root cause stemming from missing signer's public key and presents systematic solutions including obtaining keys from senders, importing from key servers, and direct key reception using key IDs. Through practical case studies and step-by-step implementation guides, readers will master the core mechanisms of GPG signature verification and troubleshooting methodologies.
Error Phenomenon and Root Cause
When using GPG for file decryption, users frequently encounter a typical error message: gpg: Can't check signature: public key not found. This error occurs after the decryption command executes, where the file decrypts successfully but signature verification fails.
From a technical perspective, the fundamental cause of this error is the absence of the signer's public key in the local keyring. GPG verifies digital signatures during decryption to ensure file integrity and source authenticity. When the system cannot locate the corresponding public key in the local keyring, it throws this error.
Detailed GPG Signature Verification Mechanism
GPG employs an asymmetric encryption system where signature verification involves several critical steps: first, the sender generates a digital signature for the file using their private key; then, the recipient must use the sender's public key to verify this signature. If the public key is not present in the recipient's keyring, the verification process cannot complete.
In practical operations, GPG typically outputs the key ID used for signing, for example: using RSA key A9C5DF4D22E99998D9875A5110C01C5A2F6059E7. This key ID serves as crucial information for obtaining the correct public key.
Solutions and Implementation Steps
Obtaining Public Key Directly from Sender
The most straightforward solution is to obtain the public key directly from the file sender. The sender should provide the public key file (typically in .asc or .gpg format), which the recipient can import using:
gpg --import key.ascOr using GPG2 version:
gpg2 --import key.ascAfter successful import, re-executing the decryption command will complete signature verification.
Search and Import from Key Servers
If the sender has uploaded their public key to a public key server, it can be directly obtained through search functionality. Commonly used key servers include MIT key server:
gpg2 --keyserver https://pgp.mit.edu/ --search-keys <sender_name_or_address>This command searches the key server for public keys matching the sender's name or address and automatically imports them to the local keyring upon finding.
Direct Key Reception Using Key ID
When the GPG error message explicitly provides the key ID, the public key can be directly received from key servers using:
gpg --receive-keys A9C5DF4D22E99998D9875A5110C01C5A2F6059E7This method is particularly useful for scenarios like software package verification, as demonstrated in the Apache Tomcat release verification case.
Practical Case Analysis and Verification
Consider a specific application scenario: verifying Apache Tomcat release packages. A user encounters public key not found error when executing verification command:
gpg --verify apache-tomcat-9.0.16-windows-x64.zip.asc apache-tomcat-9.0.16-windows-x64.zipThe error message provides key ID A9C5DF4D22E99998D9875A5110C01C5A2F6059E7. Using the receive keys command:
gpg --receive-keys A9C5DF4D22E99998D9875A5110C01C5A2F6059E7After successfully importing the public key, re-verification yields successful results:
gpg: Good signature from "Mark E D Thomas <markt@apache.org>"Extended Applications in System Integration Scenarios
Similar issues arise in system integration scenarios like automated updates. For example, during Fedora CoreOS system upgrades, rpm-ostree might report: Can't check signature: public key not found. This indicates the system lacks necessary GPG keys to verify update package signatures.
The solution is similar, requiring assurance that the system contains all necessary public keys. For system-level applications, this typically involves maintaining required GPG keys through system package managers or dedicated key management tools.
Best Practices and Important Considerations
When managing GPG keys, follow these best practices: regularly update keyrings to include latest public keys from frequent contacts; pre-import public keys of project maintainers for important projects; pay attention to key trust levels—while signature verification works after importing public keys, establishing trust relationships is necessary for full signature trust.
When seeing WARNING: This key is not certified with a trusted signature!提示, it indicates that although signature verification passed, the key hasn't been marked as fully trusted. This requires users to manually establish trust networks.