Gpg: Can't check signature: No public key

Hi everyone,

As it’s showing red on TPM, I once tried an OEM factory reset, which I’ve done a few times earlier as well. As I do the factory reset, I get the TOTP/HOTP verification success. But when attempting default boot, I get the issue below.

Attempting default boot...

gpg: Signature made <DATE>
gpg:                          using RSA key <KEY>
gpg: Can't check signature: No public key
Invalid signature on kexec boot params
!!!!! Failed default boot
New value of PCR[4]: ******....
!!!!! Starting recovery shell

As I’m trying various options, I once got the following error also:

Verifying presence of GPG card...

Got error 'Authentication failed (Incorrect Password)' (0x1) from TPM_IncrementCounter.
Counter increment failed
Failed to sign default config; Please Enter to continue

For the last few days I’ve been getting into the computer using Options > Boot options > Ignore tampering and force a boot (Unsafe!).

Could anyone please help? I think @Kyle_Rankin or @joao.azevedo or @nicole.faerber might help on this. Please take a look into this issue. Any help is greatly appreciated.

Thank you,
Priyatham

Email support would be a better support avenue in general than this forum if you want timely answers, but I’ll see if I can help here. If you have performed OEM Factory Resets and they seem to work without error, then I would examine whether there are problems with your /boot partition that might make it read-only. The “no public key” error seems to indicate that the keyring in PureBoot is empty. You can check that by going to the GPG menu under Settings and getting GPG info. If your OEM Factory Reset was successful you should see a single key in there that corresponds to the new private keys that were generated on your Librem Key.

1 Like

I checked that and it’s not empty. There’s an OEM-generated key. Also, I created a custom GPG key using all the instructions mentioned at this link: https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html#generate-gpg-keys-on-your-computer. When I checked the list of keys I had 2 in the pubring. But it still gave the same error that I mentioned above. I even deleted the first key using gpg --delete-key <key-ID>, where I provided the ID of the first OEM-generated key. The next time I listed the keys using the GPG menu I found the key that I generated. But I still got the same error.

I thought I’d ask here in the forum because it might help someone else who faces such an issue… 🙂

Oh sorry, I misread all the errors. It simply looks like for some reason the signatures on the files in /boot are wrong (possibly due to an update, possibly due to something else). An OEM Factory Reset is supposed to replace all of that with new signatures. Could you please try that one last time and make note of any errors or warnings that might be output to the screen during the process? After it completes you should be able to just boot into the OS.

I did the OEM Factory Reset as you instructed again @Kyle_Rankin. These are the images of the outputs:

As I started the OEM Factory Reset:

Then it says it’s all set:

Then as I generate the TOTP/HOTP secret, the same error comes at the end:

As you guessed, in the first image there’s an error regarding files in /boot. It was saying:
"Unable to locate /boot files in any mounted disk"

And finally the same “No public key” and “Invalid signature on kexec boot params” errors. Please point me to what I can do to solve my issue.

Thanks a lot for your responses…

Bingo.

There is some problem with the /boot file system. Possibly a corrupted file, possibly a file system that needs fsck run on it. If you are comfortable with the command line you could investigate the state of that file system and run fsck using the PureBoot recovery console. If you aren’t comfortable with that but can still boot into your OS in warning mode, then I would investigate using the GUI Gnome Disks tool and see what it thinks is going on with /boot.

If it doesn’t make any difference whether we use the GUI GNOME Disks tool or fsck, we might prefer to go that path. Otherwise, I’m comfortable with the command line as well… If I go ahead with the recovery console and the fsck tool, what commands do you suggest? I’m on it…

On the command line then, I’d first use df to see if /boot is even mounted. If it is, then ls /boot to see if you can read it, then touch /boot/test to see if you can write to it.

If it is not mounted, then see if /dev/sda1 exists and if so, fsck /dev/sda1 and see if it returns any errors or complaints. Once it completes, mount /boot and see if that works and whether ls /boot returns any files and touch /boot/test works.

Is this a standard PureOS install? Did you reinstall the OS at any point?

It’s a standard PureOS install. And I hit a roadblock at only the second of the steps you mentioned. When I tried touch /boot/test, I got the error:

touch: /boot/test: Read-only file system

@Kyle_Rankin I don’t even have the /dev/sda1 as you asked.

What do you think is wrong with my /boot? What further steps do you suggest I take?

Thanks…

OK, in your case the boot device is /dev/nvme0n1p1. I would:

umount /boot
fsck /dev/nvme0n1p1
mount /boot
touch /boot/test

If all of that works, and you can touch /boot/test, then rm /boot/test and then perform a new OEM Factory Reset.

1 Like

I would be cautious about posting your secret in an open forum (or indeed posting it anywhere). I recommend always erasing QR codes completely from any image posted unless you know what the QR code is leaking.

To be clear, merely holding my iPhone up to the web browser window caused it to offer to add your secret to my repository of secrets. (For some reason it didn’t work on Linux - didn’t recognise the presence of a QR code - but I’m sure it could be made to work.)

1 Like

Thank you for the helpful commands. When I try fsck /dev/nvme0n1p1, it throws an error:

fsck (busybox 1.32.0)
fsck: fsck.auto: No such file or directory

But we can see nvme0n1p1 present using ls /dev in its list below. @Kyle_Rankin What do you think is wrong here?

Thank you so much @irvinewade for bringing this to my notice. I’ll be very cautious about that from next time. Please look at the recent issue above if you can give any advice.

Or maybe you should go back and remove or edit and replace that image, followed by regenerating the secret key.

Maybe try

fsck -t ext4 /dev/nvme0n1p1

(assuming that the /boot file system is indeed of type ext4)

1 Like

Okay, sure. That’ll be good. I did so… Thanks!

This also throws a similar error:

fsck: fsck.ext4: No such file or directory

Maybe /boot is not of type ext4. Can we find out its type using some command?

Try
fsck -t ext2 /dev/nvme0n1p1
instead.

blkid /dev/nvme0n1p?

if the blkid command exists in that shell.

Similar error with this also…
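Pulling together the procedure from Kyle's posts (check whether /boot is mounted and writable, then umount / fsck / mount / touch) and the fsck.auto and fsck.ext4 "No such file or directory" errors later in the thread, here is an added example in POSIX shell. It is not code from the thread, from PureBoot or from Heads; the function names boot_state, fsck_command and repair_steps are mine, and the mount table it inspects is a constructed sample in the shape of /proc/mounts that mirrors the read-only /boot seen above (on a live system you would feed it the real /proc/mounts). The point it shows: the third field of /proc/mounts gives the filesystem type even when blkid is unavailable, and busybox fsck is only a dispatcher that execs fsck.<type> (fsck.auto when no type is known), so the helper must exist in PATH before `fsck -t ext4` can do anything.

```shell
#!/bin/sh
# Added example (not from the thread, PureBoot or Heads): work out the state
# of /boot from a /proc/mounts-style table before running fsck, and pick an
# fsck invocation that the busybox wrapper can actually execute.

# Constructed sample mirroring the situation in the thread: /boot is mounted
# read-only from the first NVMe partition. On a live system use the contents
# of /proc/mounts instead (e.g. boot_state /boot "$(cat /proc/mounts)").
SAMPLE_MOUNTS='/dev/nvme0n1p2 / ext4 rw,relatime 0 0
/dev/nvme0n1p1 /boot ext4 ro,relatime 0 0
proc /proc proc rw,nosuid 0 0'

# boot_state <mountpoint> <mounts-table-text>
# Prints "<device> <fstype> <ro|rw>" for the mountpoint, or "unmounted".
# The fstype is the third field, so a mounted /boot reveals its type even
# when the recovery shell has no blkid.
boot_state() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        $2 == mp {
            n = split($4, opts, ",")
            mode = "rw"
            for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
            print $1, $3, mode
            found = 1
        }
        END { if (!found) print "unmounted" }'
}

# fsck_command <device> <fstype>
# busybox fsck is only a dispatcher: "fsck -t ext4 DEV" execs fsck.ext4, and
# with no type it tries fsck.auto, which is exactly the pair of "No such file
# or directory" errors in the thread. Check that a helper exists in PATH
# before suggesting a command; for ext2/3/4 e2fsck is the usual helper.
fsck_command() {
    dev=$1
    type=$2
    case "$type" in
        ext2|ext3|ext4)
            if command -v e2fsck >/dev/null 2>&1; then
                echo "e2fsck -f $dev"
                return 0
            fi ;;
    esac
    if command -v "fsck.$type" >/dev/null 2>&1; then
        echo "fsck -t $type $dev"
        return 0
    fi
    echo "no fsck helper for $type in PATH; fsck -t $type $dev would fail" >&2
    return 1
}

# repair_steps <mountpoint> <mounts-table-text>
# Echoes the sequence from the thread tailored to the observed state. The
# fsck step is left symbolic (FSCK) because which helper is available
# depends on the shell you are in; resolve it with fsck_command.
repair_steps() {
    mp=$1
    state=$(boot_state "$mp" "$2")
    case "$state" in
        unmounted)
            echo "FSCK <boot-partition>; mount $mp; touch $mp/test" ;;
        *" ro")
            dev=${state%% *}
            echo "umount $mp; FSCK $dev; mount $mp; touch $mp/test" ;;
        *)
            echo "touch $mp/test; rm $mp/test" ;;
    esac
}

# Stand-alone demonstration on the constructed sample.
echo "state: $(boot_state /boot "$SAMPLE_MOUNTS")"
echo "steps: $(repair_steps /boot "$SAMPLE_MOUNTS")"
```

In a Heads recovery shell, run the checks against the real table (`boot_state /boot "$(cat /proc/mounts)"`), then ask `fsck_command` for the device and type it reports; if it says no helper is in PATH, no amount of `-t ext2`/`-t ext4` will help from that shell, and the filesystem check has to be done from a booted OS or a live image that ships e2fsck.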