[arch-general] Unable to upgrade community/rekonq (PGP signature issue)
Hi all,

I am unable to upgrade community/rekonq from 0.8.0-1 to 0.8.1-1 due to

error: rekonq: key "22AD5874F39D989F" is unknown
error: key "22AD5874F39D989F" could not be looked up remotely
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

/etc/pacman.d/gnupg/gpg.conf has

no-greeting
no-permission-warning
lock-never
# keyserver hkp://keys.gnupg.net
keyserver hkp://pgp.mit.edu

/etc/pacman.conf has

GPGDir = /etc/pacman.d/gnupg/
SigLevel = Optional TrustAll

I see that many other users have successfully upgraded this package. Any idea what's wrong? Thanks in advance.

Regards.

Keshav
[2011-12-20 19:38:19 +0530] Keshav P R:
> error: rekonq: key "22AD5874F39D989F" is unknown
> error: key "22AD5874F39D989F" could not be looked up remotely

This seems to be Peter Lewis signing with (one of his many) subkeys... (Not sure why he does that.)

Do `gpg --recv-key E19DAA50` (primary ID) to get his key.

--
Gaetan
On Tue, Dec 20, 2011 at 20:06, Gaetan Bisson <bisson@archlinux.org> wrote:
> [2011-12-20 19:38:19 +0530] Keshav P R:
> > error: rekonq: key "22AD5874F39D989F" is unknown
> > error: key "22AD5874F39D989F" could not be looked up remotely
>
> This seems to be Peter Lewis signing with (one of his many) subkeys... (Not sure why he does that.)
>
> Do `gpg --recv-key E19DAA50` (primary ID) to get his key.
>
> --
> Gaetan

Thanks. I did

# pacman-key --recv-keys E19DAA50
# pacman-key --refresh-keys

There seem to be many new User IDs and Signatures. Should I do "pacman-key --refresh-keys" periodically?

Regards.

Keshav
[2011-12-20 20:19:13 +0530] Keshav P R:
> There seem to be many new User IDs and Signatures. Should I do "pacman-key --refresh-keys" periodically?

Actually, `--refresh-keys` will only update signatures; to get the new keys you must either import them from pacman as you install packages signed by previously unseen keys, or use an ugly script like that to get all new keys at once:

curl https://www.archlinux.org/{developers,trustedusers}/ | awk -F\" '(/pgp.mit.edu/) {sub(/.*search=0x/,"");print $1}' | xargs sudo pacman-key --recv-keys

--
Gaetan
On Tue, Dec 20, 2011 at 20:25, Gaetan Bisson <bisson@archlinux.org> wrote:
> [2011-12-20 20:19:13 +0530] Keshav P R:
> > There seem to be many new User IDs and Signatures. Should I do "pacman-key --refresh-keys" periodically?
>
> Actually, `--refresh-keys` will only update signatures; to get the new keys you must either import them from pacman as you install packages signed by previously unseen keys, or use an ugly script like that to get all new keys at once:
>
> curl https://www.archlinux.org/{developers,trustedusers}/ | awk -F\" '(/pgp.mit.edu/) {sub(/.*search=0x/,"");print $1}' | xargs sudo pacman-key --recv-keys
>
> --
> Gaetan

Now that I have refreshed the list of keys. How should I import them all? Should I do

# pacman-key --updatedb

or whenever I install a package which is signed with one of the new keys, will pacman import the key automatically? Sorry I am not used to this package signing of PGP thingy? Anyway thanks for your help (and for the "ugly" script). I have updated rekonq and now downloading Qt 4.8 and all other packages.

Regards.

Keshav
[2011-12-20 20:36:02 +0530] Keshav P R:
> Now that I have refreshed the list of keys. How should I import them all?

You are confusing a bit of everything. There are two ways to get the new keys into your pacman keyring:
- let pacman download them when you install packages signed by them;
- run my ugly script.

> Should I do
> # pacman-key --updatedb

No. The `--updatedb` option updates the trustdb, which GPG does automatically anyhow. It's always safer to read the manual to know what options do rather than trying out random combinations.

--
Gaetan
On Wednesday 21 Dec 2011 01:36:35 Gaetan Bisson wrote:
> [2011-12-20 19:38:19 +0530] Keshav P R:
> > error: rekonq: key "22AD5874F39D989F" is unknown
> > error: key "22AD5874F39D989F" could not be looked up remotely

I opened a bug about this a couple of days ago: FS#27612.

> This seems to be Peter Lewis signing with (one of his many) subkeys...

You're right, it seems to be to do with the use of a subkey.

> (Not sure why he does that.)

Heh heh. This basically explains the reason quite well:

http://wiki.debian.org/subkeys

I have my master key stored offline, and I hope it will last forever without being compromised and I won't have to go around getting my key signed again. Also, the subkeys are only stored on a smart-card and, so I'm told, can't be taken off it. (I know, call me paranoid...)

> Do `gpg --recv-key E19DAA50` (primary ID) to get his key.

Did this:

% pacman-key -r 22AD5874F39D989F

not work for you? I was discussing this problem with Seblu earlier and we could both just do this, only it wouldn't be imported automatically by pacman.

Pete.
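Added example, not part of any message in this thread: a shell sketch of the subkey diagnosis discussed above, which pulls the unknown key ID out of pacman's error text and maps it to its primary key in a `gpg --list-keys --with-colons` listing. The listing is constructed sample data, the function names are hypothetical, and only the subkey ID and the short primary ID E19DAA50 come from the thread.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-keys --with-colons` output (field 1 is the
# record type, field 5 the 64-bit key ID). The subkey ID is the one from
# pacman's error; the upper half of the primary ID is filler, since the thread
# only gives the short ID E19DAA50. All other values are made up.
SAMPLE_LISTING='pub:-:1024:17:AAAAAAAAE19DAA50:1262304000:::-:::scESC:
uid:-::::1262304000::::Constructed User <user@example.invalid>:
sub:-:2048:1:22AD5874F39D989F:1262304000::::::s:
sub:-:2048:1:BBBBBBBB00000001:1262304000::::::e:
pub:-:2048:1:CCCCCCCC00000002:1262304000:::-:::scESC:'

# Read pacman error output on stdin and print each key ID reported as unknown.
# Only hex strings of plausible key-ID length are accepted.
unknown_key_ids() {
    sed -n 's/.*key "\([0-9A-Fa-f]\{8,40\}\)" is unknown.*/\1/p' | sort -u
}

# Map a key ID ($1) to the primary key it belongs to, using listing text ($2).
# Prints "<primary-id> primary" or "<primary-id> subkey"; returns 1 when the
# ID does not appear in the listing at all.
primary_for_key() {
    printf '%s\n' "$2" | awk -F: -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 == "pub" { primary = $5 }          # remember the current primary
        ($1 == "pub" || $1 == "sub") && toupper($5) == want {
            print primary, ($1 == "pub" ? "primary" : "subkey")
            found = 1
            exit
        }
        END { exit !found }'
}
```

To check pacman's own keyring instead of the sample, pass the output of `gpg --homedir /etc/pacman.d/gnupg --list-keys --with-colons` as the second argument.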
[2011-12-20 15:57:02 +0000] Peter Lewis:
> I have my master key stored offline, and I hope it will last forever

I see. It's just too bad that it is only 1024-bit long... RSA and DSA keys of this length will probably be crackable in ten/fifteen years. (And I'm sure the NSA can already do it.)

--
Gaetan
On Wednesday 21 Dec 2011 03:15:58 Gaetan Bisson wrote:
> [2011-12-20 15:57:02 +0000] Peter Lewis:
> > I have my master key stored offline, and I hope it will last forever
>
> I see. It's just too bad that it is only 1024-bit long... RSA and DSA keys of this length will probably be crackable in ten/fifteen years. (And I'm sure the NSA can already do it.)

s/forever/longer than it's likely to otherwise with me at the helm/ ;-)

To be honest, I'm no expert in this, but when I first set all this gnupg stuff up, I read that it was a good idea. Seems to be better than not doing it this way, at least.

Pete.
[2011-12-20 15:57:02 +0000] Peter Lewis:
> Did this:
> % pacman-key -r 22AD5874F39D989F
> not work for you?

It seems like it does, but my ugly script had already imported your key.

--
Gaetan
On Tue, Dec 20, 2011 at 21:27, Peter Lewis <plewis@aur.archlinux.org> wrote:
> On Wednesday 21 Dec 2011 01:36:35 Gaetan Bisson wrote:
> > [2011-12-20 19:38:19 +0530] Keshav P R:
> > > error: rekonq: key "22AD5874F39D989F" is unknown
> > > error: key "22AD5874F39D989F" could not be looked up remotely
>
> I opened a bug about this a couple of days ago: FS#27612.
>
> > This seems to be Peter Lewis signing with (one of his many) subkeys...
>
> You're right, it seems to be to do with the use of a subkey.
>
> > (Not sure why he does that.)
>
> Heh heh. This basically explains the reason quite well:
>
> http://wiki.debian.org/subkeys
>
> I have my master key stored offline, and I hope it will last forever without being compromised and I won't have to go around getting my key signed again. Also, the subkeys are only stored on a smart-card and, so I'm told, can't be taken off it. (I know, call me paranoid...)
>
> > Do `gpg --recv-key E19DAA50` (primary ID) to get his key.
>
> Did this:
>
> % pacman-key -r 22AD5874F39D989F
>
> not work for you? I was discussing this problem with Seblu earlier and we could both just do this, only it wouldn't be imported automatically by pacman.
>
> Pete.

I guess this has something to do with using keys.gnupg.net instead of pgp.mit.edu. I had issues with keys.gnupg.net (very slow during initial keyring creation) and came across pgp.mit.edu as an alternative and faster keyserver. I changed the keyserver and tried "pacman -S rekonq" again thinking that would solve the problem but it didn't. I didn't know about subkeys etc. and that's why I started this thread. But manually importing the key using pacman-key after changing the keyserver didn't cross my mind since I thought pacman should obviously do that by itself. Anyway all's well now. Thanks for your help.

Regards.

Keshav
On Tue, Dec 20, 2011 at 12:08 PM, Keshav P R <the.ridikulus.rat@gmail.com> wrote:
> Hi all, I am unable to upgrade community/rekonq from 0.8.0-1 to 0.8.1-1 due to
>
> error: rekonq: key "22AD5874F39D989F" is unknown
> error: key "22AD5874F39D989F" could not be looked up remotely
> error: failed to commit transaction (invalid or corrupted package (PGP signature))
> Errors occurred, no packages were upgraded.

I've had some issues like that, but retrying the update somehow makes it download the key. Have you retried the update?

--
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

For more information, please read: http://idallen.com/topposting.html

-------------------------------------------
Denis A. Altoe Falqueto
Linux user #524555
-------------------------------------------
On Tue, Dec 20, 2011 at 20:20, Denis A. Altoé Falqueto <denisfalqueto@gmail.com> wrote:
> On Tue, Dec 20, 2011 at 12:08 PM, Keshav P R <the.ridikulus.rat@gmail.com> wrote:
> > Hi all, I am unable to upgrade community/rekonq from 0.8.0-1 to 0.8.1-1 due to
> >
> > error: rekonq: key "22AD5874F39D989F" is unknown
> > error: key "22AD5874F39D989F" could not be looked up remotely
> > error: failed to commit transaction (invalid or corrupted package (PGP signature))
> > Errors occurred, no packages were upgraded.
>
> I've had some issues like that, but retrying the update somehow makes it download the key. Have you retried the update?

I retried the update many times and also tried "--recv-keys 22AD5874F39D989F" but both didn't work.

- Keshav
participants (4): Denis A. Altoé Falqueto, Gaetan Bisson, Keshav P R, Peter Lewis