Trouble with keys when updating RVM

I was about to update my pod to version 0.7.13.0 but ran into issues with the signing keys of RVM.
It says there is no public key, but when I import the public keys from mpapis and pkuczynski and relaunch the RVM update command, it still says keys are missing.
My pod is installed on CentOS7 server.
I am running pgp version 2.0.22 (not the version that seems to be bugged)

gpg2 --version
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3
Copyright © 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Full output after rvm get latest when logged in with diaspora install account:

[root@ns7 diaspora]# su diaspora
[diaspora@ns7 ~]$ cd diaspora/
[diaspora@ns7 diaspora]$ rvm get latest
Downloading https://get.rvm.io
Downloading https://raw.githubusercontent.com/rvm/rvm/master/binscripts/rvm-installer.asc
Verifying /home/diaspora/.rvm/archives/rvm-installer.asc
gpg: Signature made Tue 23 Jul 2019 11:59:45 PM CEST using RSA key ID 39499BDB
gpg: Can’t check signature: No public key
Warning, RVM 1.26.0 introduces signed releases and automated check of signatures when GPG software found. Assuming you trust Michal Papis import the mpapis public key (downloading the signatures).
GPG signature verification failed for ‘/home/diaspora/.rvm/archives/rvm-installer’ - ‘https://raw.githubusercontent.com/rvm/rvm/master/binscripts/rvm-installer.asc’! Try to install GPG v2 and then fetch the public key:
gpg2 --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
or if it fails:
command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -
the key can be compared with:
https://rvm.io/mpapis.asc
https://keybase.io/mpapis
NOTE: GPG version 2.1.17 have a bug which cause failures during fetching keys from remote server. Please downgrade or upgrade to newer version (if available) or use the second method described above.
bash: return: _ret: numeric argument required

output after importing public keys:

gpg --keyserver hkp://pgp.mit.edu --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
gpg: requesting key D39DC0E3 from hkp server pgp.mit.edu
gpg: requesting key 39499BDB from hkp server pgp.mit.edu
gpg: key D39DC0E3: “Michal Papis (RVM signing) mpapis@gmail.com” not changed
gpg: key 39499BDB: “Piotr Kuczynski piotr.kuczynski@gmail.com” 2 new signatures
gpg: no ultimately trusted keys found
gpg: Total number processed: 2
gpg: unchanged: 1
gpg: new signatures: 2

Still getting the pgp error about no valid signatures found.
What and how can I / should I change to come over this message so I can update RVM?

In an RVM update not too long ago, they added a second key, which is not yet shown in RVM’s output. However, in your second command, you apparently imported both new keys, including the second one, and it shows that you imported Piotr’s key, so that should be fine.

Mind re-pasting the output of rvm after importing the second key?

Thanks for getting back on this so quickly.
I still get the exact same output as pasted above:

rvm get latest
Downloading https://get.rvm.io
Downloading https://raw.githubusercontent.com/rvm/rvm/master/binscripts/rvm-installer.asc
Verifying /home/diaspora/.rvm/archives/rvm-installer.asc
gpg: Signature made Tue 23 Jul 2019 11:59:45 PM CEST using RSA key ID 39499BDB
gpg: Can’t check signature: No public key
Warning, RVM 1.26.0 introduces signed releases and automated check of signatures when GPG software found. Assuming you trust Michal Papis import the mpapis public key (downloading the signatures).
GPG signature verification failed for ‘/home/diaspora/.rvm/archives/rvm-installer’ - ‘https://raw.githubusercontent.com/rvm/rvm/master/binscripts/rvm-installer.asc’! Try to install GPG v2 and then fetch the public key:
gpg2 --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
or if it fails:
command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -
the key can be compared with:
https://rvm.io/mpapis.asc
https://keybase.io/mpapis
NOTE: GPG version 2.1.17 have a bug which cause failures during fetching keys from remote server. Please downgrade or upgrade to newer version (if available) or use the second method described above.
bash: return: _ret: numeric argument required

Any other ideas?
btw I did update to 0.7.13.0 without the rvm update and the pod is running with latest diaspora update.

That’s super weird. The key it’s complaining about, 39499BDB, is exactly the one you imported earlier, and it shows you imported successfully. :confused: Did you ever manually trust the previous key? Seeing this in the docs makes me wonder if that’s required. However, I’ve never seen that one before.

I’m also noticing that the stable RVM version is relatively old. You could get the current head-version with rvm get head, maybe that works better. Alternatively, running the rvm installer again will also update, \curl -sSL https://get.rvm.io | bash -s stable - maybe there is something wrong with the installer in your case.

When trying your suggestion rvm get head I receive the exact same error message about missing keys…

Did you import the gpg keys as your diaspora user, or as root or with sudo?

I have traced back my terminal commands and it turns out I imported with root.
Should that be done using the diaspora user? And with or without a sudo command?

Ah, yeah, that’s probably it! All commands, including the gpg import, should be run as the diaspora user, not as root and also not in sudo. The reason this might be confusing is because rvm assumes that it’s installed globally as root. However, we recommend not doing that, as it’s easy to create a permission mess that way, or to accidentally run diaspora* as root as well, which isn’t great. RVM shows the import commands with sudo, but that only imports the certificates in root’s keychain, not in the diaspora user’s keychain.

Try running the import (the new one with both keys from the website) again as the diaspora user. Hopefully this helps. :slight_smile:
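
The per-user keyring point above, as an added example that is not part of the original thread: a shell check that reports which of the two RVM signing key fingerprints quoted in this thread are missing from the keyring of the account you are currently logged in as. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Fingerprints are the two quoted in the thread.
REQUIRED_FPRS="409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB"

# Constructed sample of `gpg --with-colons --fingerprint --list-keys` output:
# a keyring holding only the first key (key metadata fields are made up).
SAMPLE_LISTING='pub:-:4096:1:3804BB82D39DC0E3:1413416347:::-:::scESC:
fpr:::::::::409B6B1796C275462A1703113804BB82D39DC0E3:
uid:-::::1413416347::::Michal Papis (RVM signing) <mpapis@gmail.com>:
sub:-:4096:1:0000000000000000:1413416347::::::e:
fpr:::::::::0000000000000000000000000000000000000000:'

# missing_fprs: read a colon-format key listing on stdin and print every
# required fingerprint that is not present as a primary key.
missing_fprs() {
  awk -F: -v required="$REQUIRED_FPRS" '
    BEGIN { n = split(required, want, " ") }
    $1 == "pub" || $1 == "sub" { last = $1 }      # remember record type
    $1 == "fpr" && last == "pub" { have[$10] = 1 } # field 10 = fingerprint
    END { for (i = 1; i <= n; i++) if (!(want[i] in have)) print want[i] }
  '
}

# check_keyring: run the check against the keyring of the *current* user.
# Returns 0 if both keys are present, 1 if any is missing, 2 if gpg is absent.
check_keyring() {
  gpg_bin=$(command -v gpg2 || command -v gpg) || {
    echo "gpg not found" >&2
    return 2
  }
  missing=$("$gpg_bin" --batch --with-colons --fingerprint --list-keys 2>/dev/null | missing_fprs)
  echo "user=$(id -un) keyring=${GNUPGHOME:-$HOME/.gnupg}"
  if [ -n "$missing" ]; then
    echo "missing from this user's keyring:"
    echo "$missing"
    return 1
  fi
  echo "both RVM signing keys are present for this user"
}

# Run as the account that owns ~/.rvm:  sh check_rvm_keys.sh --check
if [ "${1:-}" = "--check" ]; then
  check_keyring
fi
```

Run as root and then as the diaspora user, this prints two different keyring paths, which is why an import done as root leaves `rvm get latest` failing for diaspora.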

I’ll try again with diaspora user…
update: That did the trick. To get both keys I did a:
gpg2 --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
this imported both keys as diaspora user.
After that I could update rvm as diaspora user using rvm get latest

thinking of it, it is like obvious… sometimes people don’t think (in this case: me)

No worries. :slight_smile: Glad it’s working now!