
Google Earth .deb installer PGP keys needing updating

Created by Steven Baltakatei Sandoval on 2020-01-30T17:17Z under a CC BY-SA 4.0 license and last updated on 2020-01-30T18:21Z.

Summary

As of 2020-01-30, I think the PGP keys within the Google Earth .deb installer for GNU/Linux need updating. Updating the keys via the wget / apt-key add command at https://www.google.com/linuxrepositories/ fixes the problem.

The Problem

Today (2020-01-30), I noticed that Google Earth is unable to update on my Debian 10 machine even after running the latest installer from https://www.google.com/earth/versions/#download-pro .

$ sudo apt-get update
Ign:1 http://dl.google.com/linux/earth/deb stable InRelease
Hit:2 http://deb.debian.org/debian buster InRelease
Hit:3 http://deb.debian.org/debian buster-updates InRelease
Get:4 http://dl.google.com/linux/earth/deb stable Release [933 B]
Get:5 http://dl.google.com/linux/earth/deb stable Release.gpg [819 B]
Hit:7 http://deb.debian.org/debian-security buster/updates InRelease
Err:5 http://dl.google.com/linux/earth/deb stable Release.gpg
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 78BD65473CB3BD13
Fetched 819 B in 1s (1,123 B/s)
Reading package lists...

Troubleshooting

I see that rsa4096/0x78BD65473CB3BD13 is a signing subkey of primary key rsa4096/0x7721F63BD38B4796 which can be obtained by following instructions at the Google Linux Package Signing Keys page. However, I cannot find this signing subkey within the Google Earth .deb installer (SHA256 hash: 57b6c970609dc2960e9255b08a7ddf3af2581cb7c06ff92d16820269d0b2530d ).

  • In the installer I see the primary key rsa4096/0x7721F63BD38B4796 is present within these three files but all lack the signing subkey rsa4096/0x78BD65473CB3BD13:

      google-earth-pro-stable_current_amd64/control/postinst
      google-earth-pro-stable_current_amd64/control/postrm
      google-earth-pro-stable_current_amd64/data/etc/cron.daily/google-earth-pro
    
  • PGP keys I found in the .deb installer:

      pub   dsa1024/0xA040830F7FAC5991 2007-03-08 [SC]
            Key fingerprint = 4CCA 1EAF 950C EE4A B839  76DC A040 830F 7FAC 5991
      uid                   [ unknown] Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
      sub   elg2048/0x4F30B6B4C07CB649 2007-03-08 [E]
    
      pub   rsa4096/0x7721F63BD38B4796 2016-04-12 [SC]
            Key fingerprint = EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796
      uid                   [ unknown] Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
    
  • PGP keys from Google (specifically from here):

      pub   dsa1024/0xA040830F7FAC5991 2007-03-08 [SC]
            Key fingerprint = 4CCA 1EAF 950C EE4A B839  76DC A040 830F 7FAC 5991
      uid                   [ unknown] Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
      sub   elg2048/0x4F30B6B4C07CB649 2007-03-08 [E]
    
      pub   rsa4096/0x7721F63BD38B4796 2016-04-12 [SC]
            Key fingerprint = EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796
      uid                   [ unknown] Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
      sub   rsa4096/0x78BD65473CB3BD13 2019-07-22 [S] [expires: 2022-07-21]
    
    • The important line here is:

        sub   rsa4096/0x78BD65473CB3BD13 2019-07-22 [S] [expires: 2022-07-21]
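
The comparison above can be scripted. This is an added example, not part of the original post: it extracts the key IDs apt reports as NO_PUBKEY and checks each against a keyring listing in gpg's `--with-colons` format. The key IDs and the apt error text are taken from the post; the two colon listings are constructed stand-ins for the installer's keys and Google's published keys, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Key IDs are from the post; the colon-format listings are
# constructed (timestamps illustrative, uid/fpr records omitted).

# Print each distinct key ID that apt reported as NO_PUBKEY (apt output on stdin).
missing_keyids() {
    grep -o 'NO_PUBKEY [0-9A-Fa-f]\{16\}' | awk '{ print toupper($2) }' | sort -u
}

# has_signing_key KEYID: read `gpg --with-colons -k` output on stdin; succeed
# only if KEYID is a pub/sub record with the sign capability (field 12) whose
# validity (field 2) is not revoked, expired or invalid.
has_signing_key() {
    awk -F: -v id="$1" '
        ($1 == "pub" || $1 == "sub") && toupper($5) == toupper(id) &&
        $12 ~ /s/ && $2 !~ /[rei]/ { ok = 1 }
        END { exit !ok }'
}

apt_output() { cat <<'EOF'
Err:5 http://dl.google.com/linux/earth/deb stable Release.gpg
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 78BD65473CB3BD13
EOF
}
installer_keys() { cat <<'EOF'
pub:-:4096:1:7721F63BD38B4796:1460419200:::-:::scESC::::::23::0:
EOF
}
google_keys() { cat <<'EOF'
pub:-:4096:1:7721F63BD38B4796:1460419200:::-:::scESC::::::23::0:
sub:-:4096:1:78BD65473CB3BD13:1563753600:1658361600:::::s::::::23:
EOF
}

# report LISTING_FUNC: for every key apt could not find, say whether the
# keyring listing produced by LISTING_FUNC contains a usable copy.
report() {
    for id in $(apt_output | missing_keyids); do
        if "$1" | has_signing_key "$id"; then
            echo "$id present"
        else
            echo "$id MISSING"
        fi
    done
}

report installer_keys   # keys embedded in the .deb
report google_keys      # keys published by Google
```

To check a real keyring instead of the constructed listings, pipe `gpg --no-default-keyring --keyring /etc/apt/trusted.gpg --with-colons -k` into `has_signing_key` with the key ID from the apt error.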
      

The Fix

  • Running the wget / apt-key add command posted at the Google Linux Package Signing Keys page added the signing subkey rsa4096/0x78BD65473CB3BD13 to the primary key rsa4096/0x7721F63BD38B4796 stored within my /etc/apt/trusted.gpg file, fixing the $ sudo apt-get update error:

      $ sudo apt-get update
      Hit:1 http://deb.debian.org/debian buster InRelease
      Ign:2 http://dl.google.com/linux/earth/deb stable InRelease
      Hit:3 http://deb.debian.org/debian buster-updates InRelease
      Hit:4 http://dl.google.com/linux/earth/deb stable Release
      Hit:6 http://deb.debian.org/debian-security buster/updates InRelease
      Reading package lists... Done
    

Side notes

Feel free to skip this section. These are some bash commands and information that I found useful while troubleshooting but aren't required to understand the problem or solution.

  1. Import PGP keys into gpg from clipboard to a temporary keyring

     $ gpg --no-default-keyring --keyring /tmp/testkeyring.gpg --import
    

    This command, if run in bash, won't finish until you supply a linebreak ("Return") immediately followed by an End-of-Transmission (EOT) character. The EOT character can be entered by pressing the Ctrl and D keys at the same time. Before you enter the EOT character, an ASCII-armored PGP key may be pasted (ex: via xclip or whatever "copy & paste" functionality your windowing system uses). This feeds gpg the PGP key for importing into the temporary keyring located at /tmp/testkeyring.gpg.

  2. Get specific key details within a specified keyring

     $ gpg --no-default-keyring --keyring /tmp/testkeyring.gpg -k Google
    

    The -k option (an abbreviation for --list-public-keys) causes gpg to list all public keys in the specified keyring. The Google string at the end causes gpg to only list public keys that contain "Google" in their UIDs. "Google" could also be replaced by the long or short ID of a key (ex: 0x7721F63BD38B4796).

  3. Search plaintext of all files within a directory (including subdirectories).

     $ grep -ri "PGP PUBLIC KEY BLOCK" ~/Downloads/google-earth-pro-stable_current_amd64
    

    This command uses grep to search for the text string PGP PUBLIC KEY BLOCK within any text file within a directory tree starting at ~/Downloads/google-earth-pro-stable_current_amd64. This was how I found the PGP keys stored within the postinst, postrm, and google-earth-pro files.

  4. See what public keys are present within the /etc/apt/trusted.gpg keyring:

     $ gpg --no-default-keyring --keyring /etc/apt/trusted.gpg -k
    

    This command may be useful for troubleshooting issues that apt may be having if it cannot locate a specific public key for verifying newly downloaded packages. The man page for apt-key indicates that keyrings should be added to individual keyring files located within /etc/apt/trusted.gpg.d, especially since apt-key add is deprecated. Google Earth violates the Debian recommendation to store third-party PGP keys within /usr/share/keyrings.


This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.