Categories
DevOps

How to inspect remote GnuPG signing key

Inspect remote GnuPG signing key.

Inspect GitLab package repository signing key which is published using ASCII-armored format.

$ curl --location --silent https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey | file --brief --mime -
application/pgp-keys; charset=us-ascii
$ curl --location --silent https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey | file --brief -
PGP public key block Public-Key (old)

Signing key details.

$ gpg --import-options show-only --import <(curl --location --silent https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey)
pub   rsa4096 2020-03-02 [SC] [expires: 2022-03-02]
      F6403F6544A38863DAA0B6E03F01618A51312F3F
uid                      GitLab B.V. (package repository signing key) <packages at gitlab.com>
sub   rsa4096 2020-03-02 [E] [expires: 2022-03-02]

Inspect LibeWolf package repository signing key which is published using binary key ring.

$ wget --quiet --output-document - https://deb.librewolf.net/keyring.gpg | file --brief --mime -
application/pgp-keys; charset=binary
$ wget --quiet --output-document - https://deb.librewolf.net/keyring.gpg | file --brief  -
PGP/GPG key public ring (v4) created Tue Oct  5 14:49:11 2021 RSA (Encrypt or Sign) 4096 bits MPI=0xbceecfa2b61720fd...

Signing key details.

$ gpg --import-options show-only --import <(wget --quiet --output-document - https://deb.librewolf.net/keyring.gpg)
pub   rsa4096 2021-10-05 [SC] [expires: 2024-10-04]
      034F7776EF5E0C613D2F7934D29FBD5F93C0CFC3
uid                      Malte J├╝rgens <maltejur at dismail.de>
sub   rsa4096 2021-10-05 [E] [expires: 2024-10-04]

Simple as that.