X signatures not checked due to missing keys

To check the authenticity of a downloaded program I imported the public key of the supplier via command prompt on Windows 11.
The message printed starts with
gpg: key KEYALPHAANDNUMMERIC: 56 signatures not checked due to missing keys

The public key of gpgwin4 (signature_key.asc) shows multiple signatures not checked due to missing keys after import too.

Have these signatures just expired, are they not relevant for checking the authenticity, is another action from my side necessary or is something else going on?

Thanking you a lot for your kind reply,

ring

Hi @ring and welcome to this community!

It’s strange that the file has so many signatures. Usually developers renew their key and add only a signature with their updated key. And as many as 56 signatures also seems like a lot, since you usually update your key every few years (I don’t know of a case where you would do that more than once a year).

Would you mind telling me which program you downloaded and where you got it (a PM would also be fine)?

Hello @cklassen,

Pleased to meet you.

I did not check the file itself, I had just imported the public key (.asc) of the developer.
My question is not a question about the supplier of this program.
The message:
gpg: key KEYALPHAANDNUMMERIC: x signatures not checked due to missing keys
is also shown when importing the public key of gpgwin4 itself.

This is the entire message:

gpg: key KEYALPHAANDNUMMERIC: 56 signatures not checked due to missing keys
gpg: key KEYALPHAANDNUMMERIC: "NameOfProgram <email@domain.tld>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

(In this example I had already imported the key.)

Does this make my question more clear?

Kind regards, and thank you if you are willing to reply,

ring

Hi,
gpg is informing you that the public key you have imported has been signed by 56 others. To verify those signatures, you’d need to import 56 more public keys, belonging to each of those individuals. Some may be expired and some may not be. Unless you already trust any of those other 56 individuals it is quite irrelevant to you.

You can strip out those signatures, leaving only the self-signature of the public key you imported by:

gpg --edit-key <key-ID>
minimize
save

now if you do

gpg --check-sigs <key-ID>

you will see only the self-signatures.

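The situation described in the answer above, reproduced end to end in throwaway keyrings: a "supplier" key gets certified by two other keys, only the supplier's key is imported into a fresh keyring (so the certifiers' keys are missing there), and the `minimize` step is then applied. This is an added example, not code from the thread or from the GnuPG project. It assumes GnuPG 2.1 or later on PATH (for `--quick-generate-key`, `--quick-sign-key` and `--with-colons` status fields) and a POSIX shell; every key and user ID in it is constructed for the demo.

```shell
#!/bin/sh
# Show why gpg reports "N signatures not checked due to missing keys" on import,
# and that `gpg --edit-key <key> minimize save` removes those foreign certifications
# while keeping the key's own self-signatures.
# Assumption: GnuPG >= 2.1 on PATH. All identities below are made up for the demo.
set -eu

WORK=$(mktemp -d)
SUPPLIER_HOME="$WORK/supplier"   # keyring holding the supplier's key and its certifiers
MY_HOME="$WORK/me"               # a fresh keyring, like the one on the Windows box
mkdir -m 700 "$SUPPLIER_HOME" "$MY_HOME"

# gpg bound to one GNUPGHOME, batch mode, keys without passphrases
g() { home=$1; shift; GNUPGHOME="$home" gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Full fingerprint of the first key matching a user-ID pattern
fpr_of() { g "$1" --list-keys --with-colons "$2" | awk -F: '/^fpr/ {print $10; exit}'; }

# Number of `sig` records from --check-sigs whose validity field is $3:
# '!' = verified, '?' = no public key available to verify it with
count_sigs() {
    g "$1" --check-sigs --with-colons "$2" 2>/dev/null \
        | awk -F: -v st="$3" '$1 == "sig" && $2 == st' | wc -l | tr -d ' '
}

run_demo() {
    # 1. Supplier generates a key; two other people certify it (the "56 others" of the thread).
    for who in supplier certifier1 certifier2; do
        g "$SUPPLIER_HOME" --quick-generate-key "$who <$who@example.test>" ed25519 sign never
    done
    SUPPLIER_FPR=$(fpr_of "$SUPPLIER_HOME" supplier@example.test)
    for who in certifier1 certifier2; do
        g "$SUPPLIER_HOME" -u "$(fpr_of "$SUPPLIER_HOME" "$who@example.test")" \
            --quick-sign-key "$SUPPLIER_FPR"
    done
    g "$SUPPLIER_HOME" --armor --export "$SUPPLIER_FPR" > "$WORK/signature_key.asc"

    # 2. Import only the supplier's key: the certifiers' public keys are missing here,
    #    so their certifications cannot be checked.
    IMPORT_MSG=$(g "$MY_HOME" --import "$WORK/signature_key.asc" 2>&1 || true)
    BEFORE_UNKNOWN=$(count_sigs "$MY_HOME" "$SUPPLIER_FPR" '?')
    BEFORE_GOOD=$(count_sigs "$MY_HOME" "$SUPPLIER_FPR" '!')

    # 3. The answer's fix: strip all foreign certifications, keep self-signatures.
    g "$MY_HOME" --edit-key "$SUPPLIER_FPR" minimize save
    AFTER_UNKNOWN=$(count_sigs "$MY_HOME" "$SUPPLIER_FPR" '?')
    AFTER_GOOD=$(count_sigs "$MY_HOME" "$SUPPLIER_FPR" '!')

    # Stop the agents gpg spawned for the temporary homes
    for h in "$SUPPLIER_HOME" "$MY_HOME"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent || true
    done
}

run_demo
printf 'import said: %s\n' "$(printf '%s\n' "$IMPORT_MSG" | grep 'not checked' || echo '(no such line)')"
printf 'unverifiable sigs before minimize: %s, after: %s\n' "$BEFORE_UNKNOWN" "$AFTER_UNKNOWN"
printf 'verified self-sigs before: %s, after: %s\n' "$BEFORE_GOOD" "$AFTER_GOOD"
rm -rf "$WORK"
```

Run it as a plain script. Before `minimize`, `--check-sigs` lists two `sig?` records (the certifications gpg cannot verify without certifier1's and certifier2's keys); after it, only the verified `sig!` self-signature remains. Importing the certifiers' keys into `MY_HOME` instead of minimizing would turn those `?` entries into `!`, which is the other way to resolve the message when you actually care about who vouched for the key.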