<!DOCTYPE html>
Google Earth .deb installer PGP keys needing updating
Created by Steven Baltakatei Sandoval on 2020-01-30T17:17Z under a CC BY-SA 4.0 license and last updated on 2020-01-30T18:21Z.
Summary
As of 2020-01-30, I think the PGP keys within the Google Earth .deb installer for GNU/Linux need updating. Updating keys via wget / apt-key add command at https://www.google.com/linuxrepositories/ fixes problem.
The Problem
Today (2020-01-30), I noticed that Google Earth is unable to update on my Debian 10 machine even after running the latest installer from https://www.google.com/earth/versions/#download-pro .
$ sudo apt-get update
Ign:1 http://dl.google.com/linux/earth/deb stable InRelease
Hit:2 http://deb.debian.org/debian buster InRelease
Hit:3 http://deb.debian.org/debian buster-updates InRelease
Get:4 http://dl.google.com/linux/earth/deb stable Release [933 B]
Get:5 http://dl.google.com/linux/earth/deb stable Release.gpg [819 B]
Hit:7 http://deb.debian.org/debian-security buster/updates InRelease
Err:5 http://dl.google.com/linux/earth/deb stable Release.gpg
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 78BD65473CB3BD13
Fetched 819 B in 1s (1,123 B/s)
Reading package lists...
Troubleshooting
I see that rsa4096/0x78BD65473CB3BD13 is a signing subkey of primary key rsa4096/0x7721F63BD38B4796 which can be obtained by following instructions at the Google Linux Package Signing Keys page. However, I cannot find this signing subkey within the Google Earth .deb installer (SHA256 hash: 57b6c970609dc2960e9255b08a7ddf3af2581cb7c06ff92d16820269d0b2530d ).
In the installer I see the primary key
rsa4096/0x7721F63BD38B4796is present within these three files but all lack the signing subkeyrsa4096/0x78BD65473CB3BD13:google-earth-pro-stable_current_amd64/control/postinst google-earth-pro-stable_current_amd64/control/postrm google-earth-pro-stable_current_amd64/data/etc/cron.daily/google-earth-proPGP keys I found in the
.debinstaller:pub dsa1024/0xA040830F7FAC5991 2007-03-08 [SC] Key fingerprint = 4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991 uid [ unknown] Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com> sub elg2048/0x4F30B6B4C07CB649 2007-03-08 [E] pub rsa4096/0x7721F63BD38B4796 2016-04-12 [SC] Key fingerprint = EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796 uid [ unknown] Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>PGP keys from Google (specifically from here):
pub dsa1024/0xA040830F7FAC5991 2007-03-08 [SC] Key fingerprint = 4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991 uid [ unknown] Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com> sub elg2048/0x4F30B6B4C07CB649 2007-03-08 [E] pub rsa4096/0x7721F63BD38B4796 2016-04-12 [SC] Key fingerprint = EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796 uid [ unknown] Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com> sub rsa4096/0x78BD65473CB3BD13 2019-07-22 [S] [expires: 2022-07-21]The important line here is:
sub rsa4096/0x78BD65473CB3BD13 2019-07-22 [S] [expires: 2022-07-21]
The Fix
Running the
wget/apt-key addcommand posted at the Google Linux Package Signing Keys page added the signing subkey rsa4096/0x78BD65473CB3BD13 to the primary key rsa4096/0x7721F63BD38B4796 stored within my/etc/apt/trusted.gpgfile, fixing the$ sudo apt-get updateerror:$ sudo apt-get update Hit:1 http://deb.debian.org/debian buster InRelease Ign:2 http://dl.google.com/linux/earth/deb stable InRelease Hit:3 http://deb.debian.org/debian buster-updates InRelease Hit:4 http://dl.google.com/linux/earth/deb stable Release Hit:6 http://deb.debian.org/debian-security buster/updates InRelease Reading package lists... Done
References
Side notes
Feel free to skip this section. These are some bash commands and information that I found useful while troubleshooting but aren't required to understand the problem or solution.
Import PGP keys into
gpgfrom clipboard to a temporary keyring$ gpg --no-default-keyring --keyring /tmp/testkeyring.gpg --importThis command, if run in
bash, won't finish until you supply a linebreak ("Return") immediately followed by an End-of-Transmission (EOT) character. The EOT character can be entered by pressing theCtrlandDcharacters at the same time. Before you enter the EOT character, an ascii-armored PGP key may be pasted (ex: viaxclipor whatever "copy & paste" functionality your windowing system uses). This feedsgpgthe PGP key for importing into the temporary keyring located at/tmp/testkeyring.gpg.Get specific key details within a specified keyring
$ gpg --no-default-keyring --keyring /tmp/testkeyring.gpg -k GoogleThe
-koption (an abbreviation for--list-public-keys) causesgpgto list all public keys in the specified keyring. TheGooglestring at the end causesgpgto only list public keys that contain "Google" in their UIDs. "Google" could also be replaced by the long or short ID of a key (ex:0x7721F63BD38B4796).Search plaintext of all files within a directory (including subdirectories).
$ grep -ri "PGP PUBLIC KEY BLOCK" ~/Downloads/google-earth-pro-stable_current_amd64This command uses
grepto search for the text stringPGP PUBLIC KEY BLOCKwithin any text file within a directory tree starting at~/Downloads/google-earth-pro-stable_current_amd64. This was how I found the PGP keys stored within thepostinst,postrm, andgoogle-earth-profiles.See what public keys are present within the
/etc/apt/trusted.gpgkeyring:$ gpg --no-default-keyring --keyring /etc/apt/trusted.gpg -kThis command may be useful for troubleshooting issues that
aptmay be having if it cannot locate a specific public key for verifying newly downloaded packages. The man page forapt-keyindicates that keyrings should be added to individual keyring files located within/etc/apt/trusted.gpg.d, especially sinceapt-key addis deprecated. Google Earth violates the Debian recommendation to store third-party pgp keys within/usr/share/keyrings.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.