Signature verification issues in Trezor Suite

Hi,
I am using Ubuntu (Pop!_OS), and when I run "gpg --import satoshilabs-2021-signing-key.asc", I get the following message.

$ gpg --import /home/desktop-root/DOKU/satoshilabs-2021-signing-key.asc
gpg: key E21B6950A2ECB65C: 1 signature not checked due to a missing key
gpg: key E21B6950A2ECB65C: “SatoshiLabs 2021 Signing Key” not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
$ gpg --import /home/desktop-root/DOKU/Trezor-Suite-21.5.1-linux-x86_64.AppImage.asc
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

I think I’m having problems with this operation. What action can I take to improve this problem?


$ gpg --import /home/desktop-root/DOKU/Trezor-Suite-21.5.1-linux-x86_64.AppImage.asc

You’re trying to import the app instead of verifying it. Use gpg --verify.


Thanks for the advice. The messages “[unknown]” and “WARNING” are displayed. What can I do to fix this?

$ gpg --verify /home/desktop-root/DOKU/Trezor-Suite-21.5.1-linux-x86_64.AppImage.asc
gpg: assuming signed data in ‘/home/desktop-root/DOKU/Trezor-Suite-21.5.1-linux-x86_64.AppImage’
gpg: Signature made 2021-05-07 22:39:07 JST
gpg:                using RSA key EB483B26B078A4AA1B6F425EE21B6950A2ECB65C
gpg: Good signature from “SatoshiLabs 2021 Signing Key” [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EB48 3B26 B078 A4AA 1B6F 425E E21B 6950 A2EC B65C


A better option is to ignore the warning.

What the warning is saying is that the signature is OK, but we have no way of knowing where this key came from.

If you are sure that you have the right key, you can silence the warning by signing the key yourself (basically saying “yes, I know this is the right key”):
gpg --sign-key EB483B26B078A4AA1B6F425EE21B6950A2ECB65C


Thank you for clarifying @matejcik!

Where may the signing key be downloaded from aside from https://suite.trezor.io?

Because both the Trezor Suite application Trezor-Suite-21.6.2-mac.dmg and the signing key, satoshilabs-2021-signing-key.asc, are downloaded from the same source, https://suite.trezor.io, it seems like best practice to download the signing key from a separate official Trezor site/source.

Theoretically, if the site the app download is from is not legitimate, the signing key could also be illegitimate as it comes from the same site.

The signing key can be cross-referenced from the Trezor Suite GitHub releases page.

Is there a reason the SatoshiLabs 2021 Signing Key is only provided for some releases and not others?

After running the sign-key command and then the verify command, the warning message persists: “This key is not certified with a trusted signature!”

Sign Command

gpg --sign-key EB483B26B078A4AA1B6F425EE21B6950A2ECB65C

Sign Output

pub  rsa4096/E21B6950A2ECB65C
     created: 2021-01-04  expires: never       usage: SC
     trust: unknown       validity: unknown
[ unknown] (1). SatoshiLabs 2021 Signing Key

gpg: no default secret key: No secret key

Key not changed so no update needed.

This indicates that gpg is not seeing your own secret key, so it can’t sign the SatoshiLabs key.

There are several options to proceed:

  • you can create the secret key and sign again
  • you can google this error message, as apparently it can sometimes happen even if you do have a secret key
  • you can instead set full trust to the key manually, or to one of the keys with which it is signed

All of these are out of scope for this forum unfortunately, as we’re not really qualified to assist with gpg, which is a pretty complex program…

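The two replies above (ignore the warning or sign the key yourself; and the “No secret key” failure when trying to do so) both come down to the same point: the WARNING is only about GnuPG’s web-of-trust validity, while what actually matters for a download is that the signature is good and was made by the key whose fingerprint you obtained from an independent source. The script below is an added example, not code from Trezor, SatoshiLabs or anyone in this thread. It pins the expected fingerprint, checks it before the key is imported, verifies with the data file named explicitly, and reads gpg’s machine-readable --status-fd lines instead of the human-readable text; no secret key of your own is needed. The function names pinned_verify and demo are this example’s own. Because it must run offline, demo generates a throwaway signing key and signs a constructed file; the SatoshiLabs fingerprint from the thread appears only as a deliberately wrong pin in the second test case.

```shell
#!/bin/sh
# Added example (not Trezor/SatoshiLabs code): verify a detached .asc
# signature against a fingerprint obtained out of band, using gpg's
# --status-fd lines rather than the "[unknown]" / "WARNING" text.
# Keys, data and signatures are generated locally so this runs offline.
set -u

# pinned_verify KEY_ASC EXPECTED_FPR SIG_ASC DATA_FILE
# Exit status 0 only if the key file carries exactly EXPECTED_FPR and the
# signature over DATA_FILE is good and was made under that primary key.
pinned_verify() {
    key="$1"; expected="$2"; sig="$3"; data="$4"
    home=$(mktemp -d) || return 2
    chmod 700 "$home"
    rc=1
    # Fingerprint of the key file itself, before anything is imported.
    actual=$(gpg --homedir "$home" --batch --with-colons --show-keys "$key" 2>/dev/null |
             awk -F: '$1=="fpr"{print $10; exit}')
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got '$actual', pinned '$expected'" >&2
    else
        gpg --homedir "$home" --batch --quiet --import "$key" 2>/dev/null
        # Name the data file explicitly instead of letting gpg guess it
        # from the .asc name, which is what confused the original poster.
        status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null)
        # VALIDSIG line: [GNUPG:] VALIDSIG <sig-fpr> <date> <ts> <exp> <ver> <res>
        #   <pk-algo> <hash> <class> <primary-key-fpr>; field 12 is the primary
        # key, so a signature made by a subkey of the pinned key also matches.
        # TRUST_UNDEFINED will also be present for an unsigned key; that is
        # the web-of-trust warning and is deliberately not part of this check.
        primary=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $12; exit}')
        if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' &&
           [ "$primary" = "$expected" ]; then
            rc=0
        else
            echo "bad or foreign signature" >&2
            printf '%s\n' "$status" | grep -E 'BADSIG|NO_PUBKEY|ERRSIG|VALIDSIG' >&2
        fi
    fi
    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null
    rm -rf "$home"
    return $rc
}

# demo: build a constructed signer key, sign a constructed file, then exercise
# the three outcomes that matter. Exit status 0 when all three behave as expected.
demo() {
    work=$(mktemp -d) || return 2
    signer="$work/signer"; mkdir -m 700 "$signer"
    cat > "$work/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Demo Signing Key (constructed)
Expire-Date: 0
%commit
EOF
    gpg --homedir "$signer" --batch --quiet --gen-key "$work/params" 2>/dev/null || return 2
    fpr=$(gpg --homedir "$signer" --batch --with-colons --list-keys |
          awk -F: '$1=="fpr"{print $10; exit}')
    gpg --homedir "$signer" --batch --armor --export > "$work/demo-signing-key.asc"
    printf 'pretend this is an AppImage\n' > "$work/app.AppImage"
    gpg --homedir "$signer" --batch --quiet --armor --detach-sign \
        --output "$work/app.AppImage.asc" "$work/app.AppImage" 2>/dev/null
    gpgconf --homedir "$signer" --kill gpg-agent 2>/dev/null

    ok=0
    # 1. genuine key, untouched file: must pass
    pinned_verify "$work/demo-signing-key.asc" "$fpr" \
        "$work/app.AppImage.asc" "$work/app.AppImage" || ok=1
    # 2. same key file, pinned against a different fingerprint (the SatoshiLabs
    #    one from the thread): must be rejected before import
    pinned_verify "$work/demo-signing-key.asc" EB483B26B078A4AA1B6F425EE21B6950A2ECB65C \
        "$work/app.AppImage.asc" "$work/app.AppImage" 2>/dev/null && ok=1
    # 3. tampered download: must fail with BADSIG
    printf 'x' >> "$work/app.AppImage"
    pinned_verify "$work/demo-signing-key.asc" "$fpr" \
        "$work/app.AppImage.asc" "$work/app.AppImage" 2>/dev/null && ok=1
    rm -rf "$work"
    return $ok
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
    demo && echo "all three cases behaved as expected"
fi
```

Run with RUN_DEMO=1 sh pinned_verify.sh, or source the file and call pinned_verify with the real key file, the fingerprint copied from a second source, the .asc and the AppImage. If you still want the WARNING gone for interactive use, gpg --quick-lsign-key FINGERPRINT is the non-exportable form of the --sign-key step above and, like it, needs a secret key of your own in the keyring; the fingerprint check here does not.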

Unfortunately the only signing key I can see on the GitHub release page is a link to the key hosted on trezor.io.

@SatoshiLabs, why not put the signing key or at least its fingerprint somewhere on GitHub or another externally hosted website?

Why would that help?

You have two independent sources:

  • the signature on GitHub
  • the key on trezor.io

An attacker would need to subvert both places to get you to download a bad package. If the key were on GitHub also, they would just need to subvert GitHub.

Thanks @matejcik. I was going at it the wrong way, trying to find the key on GitHub because I had started by downloading the app and signature on trezor.io. But as you say, it is indeed possible to get the files from independent sources if you do it the other way around, taking the signature from GitHub.

Why not directly provide the signature as a link to GitHub on the trezor.io download page? It would make it easier for newcomers to do the verification right.