security - is this my public key? my private key? or the keys of the program I'm using?












5














I asked a recent, separate Ask Ubuntu question with the following in the body:



W: An error occurred during the signature verification. 
The repository is not updated and the previous index files will be used.
GPG error: https://dl.winehq.org/wine-builds/ubuntu bionic InRelease:
The following signatures couldn't be verified
because the public key is not available: NO_PUBKEY 76F1A20FF987672F


As you can see part of my error message exposes PUBKEY 76F1A20FF987672F. Was this the public key of WINE, or is this my own public key?



Most importantly, is this PUBKEY 76F1A20FF987672F information I should NOT be posting on a public forum (this one)?



I assume a private key is the only thing I would never want to divulge. I'm reading Wikipedia's Public-key cryptography page now, but it's a little overwhelming.






























  • 4




    Most apps wouldn't (i.e., shouldn't) show a secret key in this form in a warning or error message, and it would be a mistake to do so. It is safe to divulge this public key.
    – jdv
    Dec 20 at 15:48








  • 1




    @jason-hunter That's Wine's public key, and no one shares their private key; they only share the public key.
    – Pavel Sayekat
    Dec 20 at 15:50








  • 1




    How does asymmetric encryption work?
    – RoVo
    Dec 20 at 15:51






  • 1




    Although it turns out to be safe to post, it is probably worth pointing out that if you had any concerns that it might have been a private key, you probably shouldn't have posted the real value, just in case it was private.
    – TripeHound
    Dec 20 at 21:09










  • Sometimes I play dumb in my questions, as a courtesy to others who may not know such things (likely story, eh) and to obtain a more complete answer. But, yes your sentiment is absolutely correct. I wouldn't do, or advocate, posting publicly what ought not be posted publicly.
    – Jason Hunter
    Dec 20 at 21:48


















security encryption authentication gnupg














edited Dec 20 at 21:53









marcelm











asked Dec 20 at 15:45









Jason Hunter





















2 Answers


















11














76F1A20FF987672F


No! This is the keyID of the key-pair from Winehq.org!!



This is not your public (or private) key. You probably don't have one yet. If you ever need a private-public key pair, you will have to create them.



The keyID is like the number on a physical key. The same number is also on the lock the key belongs to. There is no harm in posting this information in a public forum. The private key of WineHQ is safely with the... (guess who?)



WineHQ



WineHQ changed their private-public key combination. Why? The same reason people change their locks. Physical keys (and digital keys) get lost (or deleted) or stolen.



See "signature verification error for wine - index files failed to download - changing mirror doesn't help" for how to download the new public key from WineHQ. Once you have the new public key, the update will go through. The new public key will verify that the wine update is coming from WineHQ and no one else. That is because only WineHQ has the matching private key.



Hope this helps






edited Dec 20 at 21:10

answered Dec 20 at 15:56

user68186























  • Comment: The downside of regularly changing the keys is that your security level effectively goes down to the protection level for the communications channel(s) you use to communicate the new public key to your customers (or those channels you don't currently use, but through which customers would believe an imposter executing an attack with social engineering).
    – WBT
    Dec 21 at 17:26





















4














76F1A20FF987672F is an identifying code number for both the public and private key that is associated with the releases stored in this APT repository. It is not a complete key - neither public nor private - and it is useless by itself.



The normal thing to do with one of these code numbers is feed it to gpg --recv-keys to load the complete public key into your local key ring, but this particular public key isn't on the usual "key servers". There are instructions on https://wiki.winehq.org/Ubuntu for how to get it:




wget -nc https://dl.winehq.org/wine-builds/winehq.key
sudo apt-key add winehq.key



Running both of those commands should make apt-get update happy again.



Running just the first command will give you a file containing the complete public key corresponding to the identifying code number. You can learn something about its contents with this command:



$ gpg --list-packets < winehq.key | less


The interesting part of the output is right at the beginning:



# off=0 ctb=99 tag=6 hlen=3 plen=397
:public key packet:
version 4, algo 1, created 1544460984, expires 0
pkey[0]: [3072 bits]
pkey[1]: [17 bits]
keyid: 76F1A20FF987672F
# off=400 ctb=b4 tag=13 hlen=2 plen=39
:user ID packet: "WineHQ packages <wine-devel@winehq.org>"


The "keyid" is the same identifying code number, and the "user ID" is an email address associated with WineHQ. However, don't take that for granted -- whoever generated this key could have set the "user ID" to anything at all. The normal way to determine whether a PGP key belongs to the person or organization you think it does is with the "web of trust", but this key isn't in the web of trust at all, so we have to rely on the fact that we got it from an HTTPS website belonging to the Wine project. This is probably good enough.



"created 1544460984" tells you when the key was created, but in an unhelpful way: that number is a count of seconds since the Unix epoch. You can turn it into something human-readable with the date command:



$ date --date='@1544460984'
Mon Dec 10 11:56:24 EST 2018


It was created just ten days ago (as of when I'm writing this). This is probably why you were getting errors from APT -- they changed their key quite recently. This is a suspicious thing to have happen, but there's a note on https://wiki.winehq.org/Ubuntu saying that they did change their key, so it's probably legit, unless the entire winehq.org site has been compromised.



The raw contents of winehq.key look like this:



-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBFwOmrgBDAC9FZW3dFpew1hwDaqRfdQQ1ABcmOYu1NKZHwYjd+bGvcR2LRGe
R5dfRqG1Uc/5r6CPCMvnWxFprymkqKEADn8eFn+aCnPx03HrhA+lNEbciPfTHylt
[48 more lines of base64]
-----END PGP PUBLIC KEY BLOCK-----


You can see that this is much larger than the code number. For comparison, a PGP secret key looks something like this. It's even bigger.



-----BEGIN PGP PRIVATE KEY BLOCK-----

lQVYBFwb3HkBDACz89KGuIp/A7whjsCVH8qZM/HL5iTesD/4pncO770Z7y15sIJx
gN+JU/SShGUPPF5oWJqJyYIINkrlgBNYtYg1tfGN0hjE+IVefrrOgYGCdyiEJEKc
[76 more lines of base64]
-----END PGP PRIVATE KEY BLOCK-----


(That's a key I created just for the sake of writing this answer, never used to sign or encrypt anything, and immediately destroyed, even though you probably can't do anything interesting if you only have the first 96 bits of a PGP secret key.)
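Added example (not part of either answer, and not WineHQ or GnuPG code): the fields that gpg --list-packets printed above can be read directly from the first base64 characters of each armored block, which is also a quick way to tell a public key block from a secret one before posting it. The function names and the toy key body are assumptions made for this illustration; the key ID rule is the version 4 definition from RFC 4880, which shows why the key ID is only a hash tail of public material.

```python
import base64
import hashlib
import struct
from datetime import datetime, timezone

# First 16 base64 characters of the two armored blocks quoted in the answer
# (12 bytes once decoded). No other key material is needed or included.
PUBLIC_BLOCK_START = "mQGNBFwOmrgBDAC9"
PRIVATE_BLOCK_START = "lQVYBFwb3HkBDACz"

# Packet tags from RFC 4880 section 4.3 that matter for "may I post this?"
TAG_NAMES = {5: "secret key", 6: "public key",
             7: "secret subkey", 14: "public subkey"}
SECRET_TAGS = {5, 7}
LENGTH_OCTETS = {0: 1, 1: 2, 2: 4}  # old-format length types -> length size


def parse_key_header(armor_start: str) -> dict:
    """Read the old-format packet header and the fixed leading fields of a
    version 4 key packet from the start of an armored block."""
    raw = base64.b64decode(armor_start)
    if not raw or not raw[0] & 0x80:
        raise ValueError("not an OpenPGP packet: high bit of first octet is clear")
    ctb = raw[0]
    if ctb & 0x40:
        raise ValueError("new-format header; only the old format is handled here")
    tag = (ctb >> 2) & 0x0F
    length_type = ctb & 0x03
    if length_type not in LENGTH_OCTETS:
        raise ValueError("indeterminate-length packet is not handled here")
    header_len = 1 + LENGTH_OCTETS[length_type]
    body_len = int.from_bytes(raw[1:header_len], "big")
    body = raw[header_len:]
    if len(body) < 8:
        raise ValueError("need at least 8 octets of packet body")
    # version (1), creation time (4), algorithm (1), bit count of first MPI (2)
    version, created, algo, first_mpi_bits = struct.unpack(">BIBH", body[:8])
    if version != 4:
        raise ValueError("only version 4 key packets are handled here")
    return {
        "ctb": ctb,
        "tag": tag,
        "kind": TAG_NAMES.get(tag, "other"),
        "secret": tag in SECRET_TAGS,   # True means: do not post this block
        "header_len": header_len,
        "body_len": body_len,
        "version": version,
        "created": created,
        "created_utc": datetime.fromtimestamp(created, tz=timezone.utc).isoformat(),
        "algo": algo,
        "first_mpi_bits": first_mpi_bits,
    }


def toy_public_key_body(created: int) -> bytes:
    """Constructed, deliberately tiny RSA public key packet body (not a real
    key): version 4, creation time, algo 1, then MPIs n=0xC5F1 and e=65537."""
    n = struct.pack(">H", 16) + bytes.fromhex("c5f1")
    e = struct.pack(">H", 17) + bytes.fromhex("010001")
    return struct.pack(">BIB", 4, created, 1) + n + e


def key_id_v4(public_key_body: bytes) -> str:
    """RFC 4880 section 12.2: the fingerprint is SHA-1 over 0x99, a two-octet
    length and the public key packet body; the key ID is its low 64 bits."""
    prefix = b"\x99" + struct.pack(">H", len(public_key_body))
    return hashlib.sha1(prefix + public_key_body).digest()[-8:].hex().upper()


if __name__ == "__main__":
    for label, start in (("winehq.key", PUBLIC_BLOCK_START),
                         ("throwaway secret key", PRIVATE_BLOCK_START)):
        info = parse_key_header(start)
        print(f"{label}: tag={info['tag']} ({info['kind']}), "
              f"plen={info['body_len']}, created={info['created_utc']}, "
              f"first MPI {info['first_mpi_bits']} bits, secret={info['secret']}")
    print("key ID of the toy key:", key_id_v4(toy_public_key_body(1544460984)))
```

The first block decodes to the same tag, hlen, plen, version, algo, creation time and 3072-bit size that gpg --list-packets reported, and the second block identifies itself as a secret key packet in its very first byte.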









        The raw contents of winehq.key look like this:



        -----BEGIN PGP PUBLIC KEY BLOCK-----

        mQGNBFwOmrgBDAC9FZW3dFpew1hwDaqRfdQQ1ABcmOYu1NKZHwYjd+bGvcR2LRGe
        R5dfRqG1Uc/5r6CPCMvnWxFprymkqKEADn8eFn+aCnPx03HrhA+lNEbciPfTHylt
        [48 more lines of base64]
        -----END PGP PUBLIC KEY BLOCK-----


        You can see that this is much larger than the code number. For comparison, a PGP secret key looks something like this. It's even bigger.



        -----BEGIN PGP PRIVATE KEY BLOCK-----

        lQVYBFwb3HkBDACz89KGuIp/A7whjsCVH8qZM/HL5iTesD/4pncO770Z7y15sIJx
        gN+JU/SShGUPPF5oWJqJyYIINkrlgBNYtYg1tfGN0hjE+IVefrrOgYGCdyiEJEKc
        [76 more lines of base64]
        -----END PGP PRIVATE KEY BLOCK-----


        (That's a key I created just for the sake of writing this answer, never used to sign or encrypt anything, and immediately destroyed, even though you probably can't do anything interesting if you only have the first 96 bits of a PGP secret key.)






        share|improve this answer












        76F1A20FF987672F is an identifying code number for both the public and private key that is associated with the releases stored in this APT repository. It is not a complete key - neither public nor private - and it is useless by itself.



        The normal thing to do with one of these code numbers is feed it to gpg --recv-keys to load the complete public key into your local key ring, but this particular public key isn't on the usual "key servers". There are instructions on https://wiki.winehq.org/Ubuntu for how to get it:




        wget -nc https://dl.winehq.org/wine-builds/winehq.key
        sudo apt-key add winehq.key



        Running both of those commands should make apt-get update happy again.



        Running just the first command will give you a file containing the complete public key corresponding to the identifying code number. You can learn something about its contents with this command:



        $ gpg --list-packets < winehq.key | less


        The interesting part of the output is right at the beginning:



        # off=0 ctb=99 tag=6 hlen=3 plen=397
        :public key packet:
        version 4, algo 1, created 1544460984, expires 0
        pkey[0]: [3072 bits]
        pkey[1]: [17 bits]
        keyid: 76F1A20FF987672F
        # off=400 ctb=b4 tag=13 hlen=2 plen=39
        :user ID packet: "WineHQ packages <wine-devel@winehq.org>"


        The "keyid" is the same identifying code number, and the "user ID" is an email address associated with WineHQ. However, don't take that for granted -- whoever generated this key could have set the "user ID" to anything at all. The normal way to determine whether a PGP key belongs to the person or organization you think it does is with the "web of trust", but this key isn't in the web of trust at all, so we have to rely on the fact that we got it from an HTTPS website belonging to the Wine project. This is probably good enough.



        "created 1544460984" tells you when the key was created, but in an unhelpful way: that number is a count of seconds since the Unix epoch. You can turn it into something human-readable with the date command:



        $ date --date='@1544460984'
        Mon Dec 10 11:56:24 EST 2018


        It was created just ten days ago (as of when I'm writing this). This is probably why you were getting errors from APT -- they changed their key quite recently. This is a suspicious thing to have happen, but there's a note on https://wiki.winehq.org/Ubuntu saying that they did change their key, so it's probably legit, unless the entire winehq.org site has been compromised.



        The raw contents of winehq.key look like this:



        -----BEGIN PGP PUBLIC KEY BLOCK-----

        mQGNBFwOmrgBDAC9FZW3dFpew1hwDaqRfdQQ1ABcmOYu1NKZHwYjd+bGvcR2LRGe
        R5dfRqG1Uc/5r6CPCMvnWxFprymkqKEADn8eFn+aCnPx03HrhA+lNEbciPfTHylt
        [48 more lines of base64]
        -----END PGP PUBLIC KEY BLOCK-----


        You can see that this is much larger than the code number. For comparison, a PGP secret key looks something like this. It's even bigger.



        -----BEGIN PGP PRIVATE KEY BLOCK-----

        lQVYBFwb3HkBDACz89KGuIp/A7whjsCVH8qZM/HL5iTesD/4pncO770Z7y15sIJx
        gN+JU/SShGUPPF5oWJqJyYIINkrlgBNYtYg1tfGN0hjE+IVefrrOgYGCdyiEJEKc
        [76 more lines of base64]
        -----END PGP PRIVATE KEY BLOCK-----


        (That's a key I created just for the sake of writing this answer, never used to sign or encrypt anything, and immediately destroyed, even though you probably can't do anything interesting if you only have the first 96 bits of a PGP secret key.)

















        answered Dec 20 at 18:31









        zwol
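
An added example, not part of zwol's answer: it decodes the first twelve base64 characters of the two armored blocks quoted above to recover the packet type and the fields that `gpg --list-packets` prints, then shows how a version 4 key ID is derived from a public key packet (RFC 4880, section 12.2). The function names are hypothetical, and the modulus in `constructed_body` is a constructed stand-in, not the WineHQ key.

```python
import base64
import hashlib
import struct

# First 12 base64 characters of the two armored blocks quoted in the answer.
PUBLIC_PREFIX = "mQGNBFwOmrgB"
SECRET_PREFIX = "lQVYBFwb3HkB"
TAGS = {5: "secret key", 6: "public key"}

def read_key_header(b64_prefix: str) -> dict:
    """Decode an old-format OpenPGP packet header and the v4 key fields after it."""
    raw = base64.b64decode(b64_prefix)
    ctb = raw[0]
    # Bit 7 set and bit 6 clear means old format; low two bits 01 mean a 2-byte length.
    if ctb & 0xC0 != 0x80 or ctb & 0x03 != 1:
        raise ValueError("expected an old-format packet with a 2-byte length")
    tag = (ctb >> 2) & 0x0F
    plen, version, created, algo = struct.unpack(">HBIB", raw[1:9])
    return {"ctb": ctb, "tag": tag, "kind": TAGS.get(tag, "other"), "plen": plen,
            "version": version, "created": created, "algo": algo}

def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")

def key_id(body: bytes) -> str:
    """v4 key ID: low 64 bits of SHA-1 over 0x99, 2-byte length, packet body."""
    header = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(header + body).hexdigest().upper()[-16:]

def constructed_body(seed: bytes) -> bytes:
    """Constructed v4 RSA public key body (3072-bit n, e = 65537); NOT a real key."""
    n = (1 << 3071) | int.from_bytes(hashlib.sha256(seed).digest(), "big") | 1
    return struct.pack(">BIB", 4, 1544460984, 1) + mpi(n) + mpi(65537)

if __name__ == "__main__":
    for prefix in (PUBLIC_PREFIX, SECRET_PREFIX):
        print(prefix, read_key_header(prefix))
    # A 16-hex-digit identifier derived from the whole public key packet.
    print("key ID of constructed key:", key_id(constructed_body(b"demo")))
```

Both prefixes share the same layout; only the tag in the first byte (6 versus 5) separates a public key block from a secret one, which is the thing to check before pasting an armored block anywhere.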
