Giovanni 'ItachiSan' Santini via arch-general <arch-general@archlinux.org> on Sun, 2016/07/03 10:09:
Good morning, some days ago I found a nice service called "Open Build Service", which allows all kinds of packagers, including Arch ones, to have different repos of their packages, having them built online. This is awesome for me, as some of them require a lot of build time.
I fought a bit with the service to get the GPG public key uploaded to a key server, so that users can add it properly to pacman-key.
Now I am facing a really strange issue: I've added the key to the pacman keyring, using:
sudo pacman-key -r 05E0A765C649DE23
sudo pacman-key --lsign-key 05E0A765C649DE23
Database syncing works properly and the signature is verified... But for packages it does not. Every time it gives an error like this:
$pkgname-$pkgver  $pkgsize  $dw_speed 00:00 [--------------------] 100%
(1/1) checking keys in keyring             [--------------------] 100%
error: $pkgname: unsupported signature format
(0/1) checking package integrity
(1/1) checking package integrity           [--------------------] 100%
error: GPGME error: No data
I tried downloading the public key and adding it to my personal GPG keyring. Verifying the package signatures works perfectly. To try this, I fetched the .sig file online and used the GPG --verify command. Any hints?
Now, the needed data. My personal repo configuration for pacman:
[home_ItachiSan_archlinux_Arch_Extra]
Server = http://download.opensuse.org/repositories/home:/ItachiSan:/archlinux/Arch_Ex...
The public key mentioned above: http://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x05E0A765C649DE23 or http://keyserver.ubuntu.com/pks/lookup?op=vindex&search=home%3AItachiSan&fingerprint=on
Sorry to be so verbose. :< Thanks in advance!
Looks like the build service produces invalid db files, home_ItachiSan_archlinux_Arch_Extra.db in your case. The db file is just a simple tar archive, compressed with gzip. Unzip it and you will find a directory for every package. Every directory contains the file 'desc' at least. Within the file you should find a line '%PGPSIG%', followed by a single line containing the signature. Looks like the build service breaks this line, which confuses pacman.

To verify, you can extract the db file, make your changes and create a new one. Do not forget to remove the db signature (or re-sign).

BTW, it's pretty simple why the db signature is valid: it is used as-is. The package signatures in your repository are useless, though. The signatures are stored within the db file, as seen above.

-- 
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];) putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
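The check described in the reply above, as an added Python example that is not from the thread, from pacman or from the build service: it opens a .db as a gzipped tar, parses each <pkg>/desc, and reports whether the value under %PGPSIG% is the single line of base64 that pacman (and repo-add) expect, then rewrites the db with a wrapped signature joined back together. The two-package db it operates on is constructed in memory with made-up package names and made-up signature bytes (only the leading OpenPGP packet byte is realistic); to test the real file, read home_ItachiSan_archlinux_Arch_Extra.db into check_db instead of build_sample_db(). After rebuild_db the old .db.sig no longer matches, so it has to be deleted or the new db re-signed, as the reply says.

```python
import base64
import binascii
import io
import tarfile

# An OpenPGP signature packet (tag 2) starts with one of these CTB bytes:
# 0xC2 new format, 0x88..0x8B old format with 1/2/4/indeterminate length.
SIG_PACKET_CTBS = (0xC2, 0x88, 0x89, 0x8A, 0x8B)


def parse_desc(text):
    """Parse a pacman 'desc' file into {'%KEY%': [value lines]}.
    Each entry is a %KEY% line followed by value lines; entries are blank-line separated."""
    entries, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            key = None
        elif key is None and line.startswith('%') and line.endswith('%'):
            key = line
            entries[key] = []
        elif key is not None:
            entries[key].append(line)
    return entries


def check_pgpsig(entries):
    """Return (ok, reason). pacman takes the single line after %PGPSIG% as the whole
    base64-encoded detached signature, so anything else is unusable."""
    lines = entries.get('%PGPSIG%')
    if lines is None:
        return True, 'no %PGPSIG% entry (unsigned package)'
    if len(lines) != 1:
        return False, 'signature split over %d lines' % len(lines)
    try:
        raw = base64.b64decode(lines[0], validate=True)
    except (binascii.Error, ValueError):
        return False, 'value is not valid base64'
    if not raw or raw[0] not in SIG_PACKET_CTBS:
        return False, 'decoded bytes do not start an OpenPGP signature packet'
    return True, 'ok'


def repair_desc(text):
    """Join a %PGPSIG% value that was wrapped over several lines back onto one line."""
    out, in_sig, sig = [], False, []
    for line in text.splitlines():
        if in_sig:
            if line.strip():
                sig.append(line.strip())
                continue
            out.append(''.join(sig))
            in_sig = False
        if line == '%PGPSIG%':
            in_sig, sig = True, []
        out.append(line)
    if in_sig:  # %PGPSIG% was the last entry with no trailing blank line
        out.append(''.join(sig))
    return '\n'.join(out) + '\n'


def check_db(db_bytes):
    """Scan every <pkg>/desc in a .db (gzipped tar) and report the %PGPSIG% state."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(db_bytes), mode='r:gz') as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith('/desc'):
                text = tar.extractfile(member).read().decode()
                results[member.name.rsplit('/', 1)[0]] = check_pgpsig(parse_desc(text))
    return results


def rebuild_db(db_bytes):
    """Write a new .db with each desc passed through repair_desc. The old .db.sig
    does not cover the result: delete it or sign the new file."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(db_bytes), mode='r:gz') as src, \
            tarfile.open(fileobj=out, mode='w:gz') as dst:
        for member in src.getmembers():
            if member.isfile() and member.name.endswith('/desc'):
                data = repair_desc(src.extractfile(member).read().decode()).encode()
                member.size = len(data)
                dst.addfile(member, io.BytesIO(data))
            elif member.isfile():
                dst.addfile(member, src.extractfile(member))
            else:
                dst.addfile(member)
    return out.getvalue()


def _desc(pkgdir, sig_b64):
    return ('%%FILENAME%%\n%s-x86_64.pkg.tar.xz\n\n%%NAME%%\n%s\n\n%%PGPSIG%%\n%s\n\n'
            % (pkgdir, pkgdir.rsplit('-', 2)[0], sig_b64))


def build_sample_db():
    """Constructed test data, not a real repository: one desc with the signature on a
    single line and one with the same base64 wrapped at 76 columns."""
    fake_sig = bytes([0x89, 0x01, 0x1C]) + bytes(range(97))  # not a real signature
    b64 = base64.b64encode(fake_sig).decode()
    wrapped = '\n'.join(b64[i:i + 76] for i in range(0, len(b64), 76))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w:gz') as tar:
        for pkgdir, sig in (('good-1.0-1', b64), ('broken-1.0-1', wrapped)):
            data = _desc(pkgdir, sig).encode()
            info = tarfile.TarInfo(pkgdir + '/desc')
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == '__main__':
    db = build_sample_db()
    for pkg, (ok, why) in sorted(check_db(db).items()):
        print('%-14s %s %s' % (pkg, 'OK ' if ok else 'BAD', why))
    for pkg, (ok, why) in sorted(check_db(rebuild_db(db)).items()):
        print('after repair: %-14s %s' % (pkg, why))
```

The packet-byte check only tells you the value decodes to something shaped like an OpenPGP signature; whether it actually verifies against the package is still a job for gpg --verify on the extracted bytes.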