[arch-general] Problem automatically importing key for signed package.
Hi,

I've been trying to get to grips with the package signing stuff, and have just added my first signed package (choqok) to [community], but am having a problem installing it from the repo, when pacman doesn't already know about my key. I'm probably missing a step somewhere, or maybe I've found a bug, not sure.

I followed the instructions on the wiki, with the slight difference that I already had a key, so just used that one.

Here's the problem. After successfully building in a chroot and submitting and signing the package, all using devtools, I get this:

% sudo pacman -S choqok
...
error: choqok: key "22AD5874F39D989F" is unknown
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

I tried the obvious cache clearing and -Syy'ing, just to be sure, but that didn't fix it.

For other people's packages, after the "key XXX unknown" message, I get the option to get it from the keyserver and add it to pacman's keyring. But I don't get that option for my own key.

But:

% gpg --homedir gpg-temp --keyserver pgp.mit.edu --recv-keys 22AD5874F39D989F
gpg: requesting key F39D989F from hkp server pgp.mit.edu
gpg: key E19DAA50: public key "Peter Richard Lewis <pete@muddygoat.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

And just to be sure, in my build directory:

% gpg --verify choqok-1.2-2-x86_64.pkg.tar.xz.sig
gpg: Signature made Sat 05 Nov 2011 05:27:56 PM GMT using RSA key ID F39D989F
gpg: Good signature from "Peter Richard Lewis <pete@muddygoat.org>"
gpg:                 aka "Peter Richard Lewis <prlewis@letterboxes.org>"
gpg:                 aka "Peter Richard Lewis <p.r.lewis@cs.bham.ac.uk>"
gpg:                 aka "Peter Richard Lewis <plewis@aur.archlinux.org>"

At first I thought that maybe pacman wouldn't support multiple UIDs, but then pacman-key -l shows that several devs and TUs have this.

Did I miss something that I should have done?

Thanks,

Pete.
On Sat, Nov 5, 2011 at 18:40, Peter Lewis <plewis@aur.archlinux.org> wrote:
Hi,
I've been trying to get to grips with the package signing stuff, and have just added my first signed package (choqok) to [community], but am having a problem installing it from the repo, when pacman doesn't already know about my key. I'm probably missing a step somewhere, or maybe I've found a bug, not sure.
I followed the instructions on the wiki, with the slight difference that I already had a key, so just used that one.
Here's the problem. After successfully building in a chroot and submitting and signing the package, all using devtools, I get this:
% sudo pacman -S choqok
...
error: choqok: key "22AD5874F39D989F" is unknown
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.
I tried the obvious cache clearing and -Syy'ing, just to be sure, but that didn't fix it.
For other people's packages, after the "key XXX unknown" message, I get the option to get it from the keyserver and add it to pacman's keyring. But I don't get that option for my own key.
But:
% gpg --homedir gpg-temp --keyserver pgp.mit.edu --recv-keys 22AD5874F39D989F
gpg: requesting key F39D989F from hkp server pgp.mit.edu
gpg: key E19DAA50: public key "Peter Richard Lewis <pete@muddygoat.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
And just to be sure, in my build directory:
% gpg --verify choqok-1.2-2-x86_64.pkg.tar.xz.sig
gpg: Signature made Sat 05 Nov 2011 05:27:56 PM GMT using RSA key ID F39D989F
gpg: Good signature from "Peter Richard Lewis <pete@muddygoat.org>"
gpg:                 aka "Peter Richard Lewis <prlewis@letterboxes.org>"
gpg:                 aka "Peter Richard Lewis <p.r.lewis@cs.bham.ac.uk>"
gpg:                 aka "Peter Richard Lewis <plewis@aur.archlinux.org>"
At first I thought that maybe pacman wouldn't support multiple UIDs, but then pacman-key -l shows that several devs and TUs have this.
Did I miss something that I should have done?
Thanks,
Pete.
Pete:

You need to import your key into the pacman-key database with

sudo pacman-key --keyserver pgp.mit.edu -r 22AD5874F39D989F

then everything should work fine. You can also put

keyserver hkp://pgp.mit.edu

in /etc/pacman.d/gnupg/gnupg.conf and pacman-key will use pgp.mit.edu automatically.

Myra

--
Life's fun when you're sick and psychotic!
Am 06.11.2011 00:40, schrieb Peter Lewis:
error: choqok: key "22AD5874F39D989F" is unknown
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.
I don't know, maybe it uses a broken keyserver. Note that this is not the final solution. In the near future, Arch users will automatically have all the keys of developers and TUs set up with trust levels configured, without having to import them from keyservers. I hope this is done soon.
Ah, thanks guys.

On Sat, 05 Nov 2011, Myra Nelson wrote:
You need to import your key into the pacman-key database with sudo pacman-key --keyserver pgp.mit.edu -r 22AD5874F39D989F, then everything should work fine.
I knew that this was an option, but wasn't sure why everyone else's key seemed to be automatically pulled in by pacman during installs.
You can also put keyserver hkp://pgp.mit.edu in /etc/pacman.d/gnupg/gnupg.conf and pacman-key will use pgp.mit.edu automatically.
But yes, this led me to it. I had previously thought that all the keyservers synced with each other at some point, but apparently this isn't the case with keys.gnupg.net (at least). Sticking my key on that keyserver means that it behaves as expected. Thanks.

On Sun, 06 Nov 2011, Thomas Bächler wrote:
I don't know, maybe it uses a broken keyserver.
Yeah, I wonder what the expected behaviour is regarding syncing of keyservers. I'm sure I read somewhere that uploading to one was supposed to be sufficient.
Note that this is not the final solution. In the near future, Arch users will automatically have all the keys of developers and TUs set up with trust levels configured, without having to import them from keyservers. I hope this is done soon.
Yeah, I'm looking forward to this too. It's been good watching this get implemented.

Cheers,

Pete.
On Sun, Nov 06, 2011 at 10:36:17AM +0000, Peter Lewis wrote:
But yes, this led me to it. I had previously thought that all the keyservers synced with each other at some point, but apparently this isn't the case with keys.gnupg.net (at least). Sticking my key on that keyserver means that it behaves as expected.
[...]
Yeah, I wonder what the expected behaviour is regarding syncing of keyservers. I'm sure I read somewhere that uploading to one was supposed to be sufficient.
It should be sufficient in theory - once a key is uploaded to one server, it would propagate to others in several minutes. Unless some servers are broken. For example: [1]
Also, there is a bug in older versions of the SKS key server code that impairs synchronization from other, non-SKS servers but not synchronization to others. Among the servers affected are cryptonomicon.mit.edu (pgp.mit.edu, pgpkeys.mit.edu, www.us.pgp.net), pks.gpg.cz (sks.ms.mff.cuni.cz), and the.earth.li (wwwkeys.uk.pgp.net), all of which have been removed from the above list of servers. It has not yet been determined if the problem relates to which version of the SKS server software is used or is a result of whether the server is or is not a member of the SKS pool.
(One of the keyservers pointed to by 'keys.gnupg.net' happens to be 'pks.gpg.cz'.)

Even with the latest software, the SKS pool status page [2] shows some keyservers missing 10, 30, even ~200 keys.

There are at least two standard ways of publishing PGP keys as DNS records [3], but I'm not sure if any software besides GnuPG supports them.

[1]: http://www.rossde.com/PGP/pgp_keyserv.html
[2]: http://sks-keyservers.net/status/
[3]: http://www.gushi.org/make-dns-cert/HOWTO.html

--
Mantas M.
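The thread's conclusion is that a maintainer cannot assume one upload reaches every keyserver, and Myra's fix depends on the key being fetchable from the server pacman-key is pointed at. The script below is an added example, not from any of the posters: it fetches a key ID from each keyserver named in the thread into a throwaway GnuPG homedir, reports which servers return it, and optionally checks that what came back carries the expected primary-key fingerprint (the key ID gpg names on import, E19DAA50 in Pete's output, is the primary key, which is why it differs from the signing subkey ID he requested). The script name and the fingerprint argument are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: check that a package-signing key can be
# fetched from each keyserver a pacman user may consult, and that it is the expected key.
# Usage: ./check_key.sh 22AD5874F39D989F [PRIMARY_KEY_FINGERPRINT]
set -u

# Keyservers named in the thread; pacman was consulting keys.gnupg.net.
KEYSERVERS=(hkp://pgp.mit.edu hkp://keys.gnupg.net)

# Number of keys gpg processed, from "gpg: Total number processed: N"; 0 if absent.
recv_processed() {
    sed -n 's/^gpg: Total number processed: \([0-9]*\).*$/\1/p' | head -n1 | grep . || echo 0
}

# Primary key ID gpg names on import ("gpg: key E19DAA50: public key ... imported");
# when a signing subkey ID was requested, this is the primary it belongs to.
imported_primary_id() {
    sed -n 's/^gpg: key \([0-9A-Fa-f]*\): public key .* imported$/\1/p' | head -n1
}

# Fetch KEYID from one keyserver into a throwaway homedir and report
# "present ...", "missing" or "mismatch ..."; exit status 0 only for present.
fetch_from() {
    local ks="$1" keyid="$2" expected="${3:-}" tmp out fpr status
    tmp=$(mktemp -d) || return 2
    out=$(gpg --homedir "$tmp" --batch --keyserver "$ks" --recv-keys "$keyid" 2>&1)
    if [ "$(printf '%s\n' "$out" | recv_processed)" -eq 0 ]; then
        status=missing
    else
        status="present primary=$(printf '%s\n' "$out" | imported_primary_id)"
        if [ -n "$expected" ]; then   # compare the primary key's fingerprint
            fpr=$(gpg --homedir "$tmp" --batch --with-colons --fingerprint "$keyid" 2>/dev/null \
                  | awk -F: '$1 == "fpr" { print $10; exit }')
            [ "$fpr" = "$expected" ] || status="mismatch fpr=$fpr"
        fi
    fi
    rm -rf "$tmp"
    echo "$status"
    [ "${status%% *}" = present ]
}
# Run the check against every keyserver; non-zero if any is missing or wrong.
check_all() {
    local keyid="$1" expected="${2:-}" ks rc=0 result
    for ks in "${KEYSERVERS[@]}"; do
        result=$(fetch_from "$ks" "$keyid" "$expected") || rc=1
        printf '%-24s %s\n' "$ks" "$result"
    done
    return "$rc"
}
if [ $# -gt 0 ]; then check_all "$@"; fi
```

A "missing" result on a server is exactly the situation Pete hit: pacman's keyserver had never received the key, so the interactive import offer could not be made.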