I am attempting to build my own kernel using an automated process, and I'd like to make sure that my source packages are verified. When I go to install a source package, I have seen errors similar to this:

gpgv: Signature made Fri Jan  6 17:10:11 2017 UTC using RSA key ID FDCE24FC
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./linux-meta_4.4.0.59.62.dsc
dpkg-source: info: extracting linux-meta in linux-meta-4.4.0.59.62
dpkg-source: info: unpacking linux-meta_4.4.0.59.62.tar.gz

I have seen this error before, but have not found an ideal workaround for it. When I search for this key on the keyservers, I see the following:

$ gpg --keyserver keyserver.ubuntu.com --search FDCE24FC
gpg: searching for "FDCE24FC" from hkp server keyserver.ubuntu.com
(1)     Luis Henriques <lhenriques@suse.de>
        Luis Henriques <henrix@camandro.org>
        Luis Henriques <lhenriques@suse.com>
        Luis Henriques <luis.henriques@canonical.com>
          4096 bit RSA key FDCE24FC, created: 2011-12-10
(2)     Luis Henriques <luis.henriques@canonical.com>
          4096 bit RSA key FDCE24FC, created: 2014-06-16 (revoked)

This is someone's personal key, rather than an expected upstream shared release signing key.

Is there a way to fetch all source package maintainers' keys into the apt keyring? I'd like to have some kind of verification on whether my source package is a valid untampered-with source package.

Does Canonical maintain a package which contains all upstream users' PGP keys? Is there an automatable solution to this? Since these files are probably being delivered over HTTP, I have no guarantees as to the true origin of them, and this is kind of important when dealing with kernel packages.

Naftuli Kay
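The output in the question shows the core problem: gpgv reports that the public key is missing, and dpkg-source only warns before unpacking anyway. As an added example (not code from the question, nor from Ubuntu or Debian tooling), the Python below runs gpgv against an explicitly chosen keyring and interprets its machine-readable --status-fd lines, failing closed when the key is missing, revoked or expired rather than merely warning. The keyring path, the .dsc path and the sample status lines are constructed assumptions.

```python
"""Fail-closed .dsc signature check built on gpgv's --status-fd output."""
import re
import subprocess
from typing import List, NamedTuple, Optional

# gpgv status lines look like "[GNUPG:] TAG arg1 arg2 ..."
STATUS_RE = re.compile(r"^\[GNUPG:\] (\w+)(?: (.*))?$")


class SigResult(NamedTuple):
    ok: bool
    reason: str
    keyid: Optional[str]


def classify_status(status_lines: List[str]) -> SigResult:
    """Accept only a signature that is both GOODSIG and VALIDSIG.
    NO_PUBKEY is the 'public key not found' case from the question; it is a
    hard failure here, not a warning. Revoked/expired keys are also refused."""
    keyid, good, valid = None, False, False
    for line in status_lines:
        m = STATUS_RE.match(line.strip())
        if not m:
            continue  # gpgv's human-readable chatter goes to stderr; ignore stragglers
        tag, args = m.group(1), (m.group(2) or "").split()
        if tag == "NO_PUBKEY":
            return SigResult(False, "signer key not in trusted keyring", args[0])
        if tag in ("BADSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
            return SigResult(False, tag.lower(), args[0] if args else None)
        if tag == "GOODSIG":
            good, keyid = True, args[0]
        elif tag == "VALIDSIG":
            valid = True
    if good and valid:
        return SigResult(True, "good signature", keyid)
    return SigResult(False, "no usable signature", keyid)


def verify_dsc(dsc_path: str, keyring_path: str) -> SigResult:
    """Verify a clearsigned .dsc with gpgv, trusting only keyring_path
    (never the user's default keyring). Paths are caller-supplied assumptions."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring_path, dsc_path],
        capture_output=True, text=True, check=False)
    return classify_status(proc.stdout.splitlines())


# Constructed sample status output (key IDs and fingerprint are placeholders).
SAMPLE_NO_KEY = ["[GNUPG:] NEWSIG", "[GNUPG:] NO_PUBKEY 0123456789ABCDEF"]
SAMPLE_GOOD = ["[GNUPG:] NEWSIG", "[GNUPG:] GOODSIG 0123456789ABCDEF Example Dev",
               "[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF00112233 2017-01-06 1483722611"]
SAMPLE_REVOKED = ["[GNUPG:] NEWSIG", "[GNUPG:] REVKEYSIG 0123456789ABCDEF Example Dev"]
```

A build script can call verify_dsc() before dpkg-source and abort when ok is False, which turns the warning in the question into a hard stop.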