Linux
Can't verify linux, even after downloading the key I get "No public key"
Following these instructions, I downloaded and extracted the kernel. https://priyachalakkal.wordpress.com/2013/01/19/verifying-digital-signature-using-gpg/
Then I tried to verify the signature, but got an unexpected error. This isn't one of the success or failure scenarios described by the site documenting the basic method.
Do I need to supply a command line flag to tell it where to look for the public key?
    ~# gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 79BE3E4300411886
    gpg: /root/.gnupg/trustdb.gpg: trustdb created
    gpg: key 79BE3E4300411886: public key "Linus Torvalds <torvalds@kernel.org>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    ~# gpg --verify linux-5.6.9.tar.sign
    gpg: assuming signed data in 'linux-5.6.9.tar'
    gpg: Signature made Fri 01 May 2020 11:51:56 PM PDT
    gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
    gpg: Can't check signature: No public key
Update 1: Following @StephenKitt's answer, I tried fetching the key indicated in the first message (I had to specify the keyserver for it to find the user ID), but the result is not what was expected:
    ~# gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 647F28654894E3BD457199BE38DBBDC86092693E
    gpg: key 38DBBDC86092693E: public key "Greg Kroah-Hartman <gregkh@linuxfoundation.org>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    ~# gpg --verify linux-5.6.9.tar.sign
    gpg: assuming signed data in 'linux-5.6.9.tar'
    gpg: Signature made Fri 01 May 2020 11:51:56 PM PDT
    gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
    gpg: Good signature from "Greg Kroah-Hartman <gregkh@linuxfoundation.org>" [unknown]
    gpg:                 aka "Greg Kroah-Hartman <gregkh@kernel.org>" [unknown]
    gpg:                 aka "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E
Update 2: By searching on Google I was able to figure out how to handle the untrusted signature warning (see the comments/replies to Stephen on the corresponding answer):
    ~# gpg2 --tofu-policy good 647F28654894E3BD457199BE38DBBDC86092693E
    gpg: Setting TOFU trust policy for new binding <key: 647F28654894E3BD457199BE38DBBDC86092693E, user id: Greg Kroah-Hartman <gregkh@linuxfoundation.org>> to good.
    gpg: Setting TOFU trust policy for new binding <key: 647F28654894E3BD457199BE38DBBDC86092693E, user id: Greg Kroah-Hartman <gregkh@kernel.org>> to good.
    gpg: Setting TOFU trust policy for new binding <key: 647F28654894E3BD457199BE38DBBDC86092693E, user id: Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>> to good.
    ~# gpg2 --trust-model tofu --verify linux-5.6.9.tar.sign
    gpg: assuming signed data in 'linux-5.6.9.tar'
    gpg: Signature made Fri 01 May 2020 11:51:56 PM PDT
    gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
    gpg: Good signature from "Greg Kroah-Hartman <gregkh@linuxfoundation.org>" [full]
    gpg:                 aka "Greg Kroah-Hartman <gregkh@kernel.org>" [full]
    gpg:                 aka "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>" [full]
    gpg: gregkh@linuxfoundation.org: Verified 1 signatures in the past 0 seconds.  Encrypted 0 messages.
    gpg: gregkh@kernel.org: Verified 1 signatures in the past 0 seconds.  Encrypted 0 messages.
    gpg: greg@kroah.com: Verified 1 signatures in the past 0 seconds.  Encrypted 0 messages.
You don't have the right key; the 5.6.9 archive is signed by Greg Kroah-Hartman, not Linus. Running
    gpg --recv-keys 647F28654894E3BD457199BE38DBBDC86092693E
will allow you to verify the archive. (That's the fingerprint from your second gpg call.) The messages you get after retrieving the key indicate two things:
- the archive's signature is good ("Good signature from" ...);
- but you have no evidence that the key you downloaded really is Greg's.
Basically, this means you can trust the archive as long as you trust the key. GPG maintains a trust database which tracks links from your key to other people's; most people (including you) don't have one. This is based on the web of trust, which is considered impractical as a general tool; in most cases "trust on first use" (TOFU) is simpler and just as useful. You can change the trust model with the --trust-model option; see the GnuPG manual for details (and discussion).
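An added example, not part of the question or answer above: a POSIX shell script that takes the third option to the trust warning, pinning the signer's fingerprint from the gpg output and checking gpg's machine-readable status (--status-fd) for a VALIDSIG line that names it. The function names and the sample status lines are constructed for this example.

```shell
#!/bin/sh
# Primary-key fingerprint of the key that signed linux-5.6.9.tar, as shown in
# the gpg output above. Confirm it against kernel.org's published key list
# before pinning it in a real script.
EXPECTED_FPR="647F28654894E3BD457199BE38DBBDC86092693E"

# Accept only if a VALIDSIG status line names the pinned fingerprint, either
# as the signing key ($3) or as the primary key (last field). gpg emits
# VALIDSIG only for a cryptographically good signature, and pinning replaces
# the trust-database/TOFU step that produces the "not certified" warning.
check_status() {
    # $1: text from gpg --status-fd, $2: expected fingerprint (40 hex digits)
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Verify a detached signature such as linux-5.6.9.tar.sign; gpg infers the
# data file name. Status lines go to stdout (fd 1), human messages to stderr.
verify_tarball() {
    status=$(gpg --status-fd 1 --verify "$1" 2>/dev/null) || :
    check_status "$status" "$EXPECTED_FPR"
}

# Constructed sample status output (not captured from a real run): a good
# signature by the pinned key, and a good signature by some other key.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 38DBBDC86092693E Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[GNUPG:] VALIDSIG 647F28654894E3BD457199BE38DBBDC86092693E 2020-05-02 1588402316 0 4 0 1 10 00 647F28654894E3BD457199BE38DBBDC86092693E
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Someone Else <nobody@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2020-05-02 1588402316 0 4 0 1 10 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp'

if check_status "$SAMPLE_GOOD" "$EXPECTED_FPR"; then echo "pinned key: accepted"; fi
if ! check_status "$SAMPLE_OTHER" "$EXPECTED_FPR"; then echo "other key: rejected"; fi
```

Because the decision rests on the fingerprint rather than on the trust database, the TRUST_UNDEFINED line that accompanies the "[unknown]" warning is irrelevant here; a BADSIG or a missing key yields no VALIDSIG line and is rejected the same way as a good signature from the wrong key.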