[arch-general] Pacman and package signing
I'm going to plead ignorance here and have not been able to find the solution. I've done a google search, read the man pages, read the help documentation for gpg, and I still have a problem.

If I sign the package with makepkg or manually with gpg --detach-sign, it creates a detached signature, .sig file. I have my key using pacman-key. When I attempt to install the package I get an error message "invalid or corrupted package (PGP signature)". If I manually sign the package with gpg --sign, everything is fine.

I'm quite sure this is something I've done wrong but I don't seem to be able (nice way of putting it) to find this solution. WTF am I doing wrong?

Myra
-- Life's fun when you're sick and psychotic!

[2011-08-29 12:13:29 -0500] Myra Nelson:
> If I sign the package with makepkg or manually with gpg --detach-sign, it creates a detached signature, .sig file. I have my key using pacman-key. When I attempt to install the package I get an error message "invalid or corrupted package (PGP signature)".

You also need to `pacman-key --edit-key` your key and put its trust level to ultimate.

> If I manually sign the package with gpg --sign, everything is fine.

Not sure I understand what you mean here...

Cheers.
-- Gaetan

On Mon, Aug 29, 2011 at 12:42, Gaetan Bisson <bisson@archlinux.org> wrote:
> [2011-08-29 12:13:29 -0500] Myra Nelson:
>> If I sign the package with makepkg or manually with gpg --detach-sign, it creates a detached signature, .sig file. I have my key using pacman-key. When I attempt to install the package I get an error message "invalid or corrupted package (PGP signature)".
> You also need to `pacman-key --edit-key` your key and put its trust level to ultimate.
>> If I manually sign the package with gpg --sign, everything is fine.
> Not sure I understand what you mean here...
> Cheers.
> -- Gaetan

If I use gpg --sign instead of gpg --detach-sign the package verifies and installs just fine. That's what stumped me.

Myra
-- Life's fun when you're sick and psychotic!

[2011-08-29 13:51:07 -0500] Myra Nelson:
> If I use gpg --sign instead of gpg --detach-sign the package verifies and installs just fine. That's what stumped me.

That's because, since its suffix is not sig (in that case, a gpg file is created containing both the package and the signature), the signature file is ignored by repo-add and pacman just sees an unsigned package.

-- Gaetan

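The distinction explained in the reply above, as an added example that is not part of the original thread: this Python check reads the first OpenPGP packet header of each `<package>.sig` to tell a detached signature from `gpg --sign` output, and flags packages whose only companion is a `.gpg` file. The file names and header bytes are constructed, and it checks the form of the signature file only, not its validity or the key's trust level.

```python
import tempfile
from pathlib import Path

# OpenPGP packet tags (RFC 4880, section 4.3) that matter for this check.
SIGNATURE, ONE_PASS_SIG, COMPRESSED, LITERAL = 2, 4, 8, 11

def first_packet_tag(data: bytes):
    """Return the tag of the first OpenPGP packet, or None if not binary OpenPGP."""
    if not data or not data[0] & 0x80:   # bit 7 is always set in a packet header
        return None
    if data[0] & 0x40:                   # new-format header: tag in bits 5-0
        return data[0] & 0x3F
    return (data[0] >> 2) & 0x0F         # old-format header: tag in bits 5-2

def classify(data: bytes) -> str:
    tag = first_packet_tag(data)
    if tag == SIGNATURE:
        return "detached-signature"      # what gpg --detach-sign writes
    if tag in (ONE_PASS_SIG, COMPRESSED, LITERAL):
        return "signed-message"          # package and signature in one file
    return "not-openpgp"

def audit_repo(directory) -> dict:
    """Map each package file to the state of its <package>.sig companion."""
    report = {}
    for pkg in sorted(Path(directory).iterdir()):
        if ".pkg.tar" not in pkg.name or pkg.suffix in (".sig", ".gpg"):
            continue
        sig = pkg.with_name(pkg.name + ".sig")
        if sig.exists():
            kind = classify(sig.read_bytes()[:1])
            report[pkg.name] = "ok" if kind == "detached-signature" else f"bad .sig ({kind})"
        elif pkg.with_name(pkg.name + ".gpg").exists():
            report[pkg.name] = "unsigned: .gpg file is not a detached .sig"
        else:
            report[pkg.name] = "unsigned: no .sig"
    return report

def demo() -> dict:
    # Constructed sample repo: typical first header bytes, dummy payloads.
    files = {"a.pkg.tar.xz": b"pkg", "a.pkg.tar.xz.sig": b"\x89\x01",
             "b.pkg.tar.xz": b"pkg", "b.pkg.tar.xz.gpg": b"\xa3\x01",
             "c.pkg.tar.xz": b"pkg", "c.pkg.tar.xz.sig": b"\xa3\x01"}
    with tempfile.TemporaryDirectory() as d:
        for name, content in files.items():
            Path(d, name).write_bytes(content)
        return audit_repo(d)

if __name__ == "__main__":
    print(demo())
```
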
On Mon, Aug 29, 2011 at 13:51, Myra Nelson <myra.nelson@hughes.net> wrote:
> On Mon, Aug 29, 2011 at 12:42, Gaetan Bisson <bisson@archlinux.org> wrote:
>> [2011-08-29 12:13:29 -0500] Myra Nelson:
>>> If I sign the package with makepkg or manually with gpg --detach-sign, it creates a detached signature, .sig file. I have my key using pacman-key. When I attempt to install the package I get an error message "invalid or corrupted package (PGP signature)".
>> You also need to `pacman-key --edit-key` your key and put its trust level to ultimate.
>>> If I manually sign the package with gpg --sign, everything is fine.
>> Not sure I understand what you mean here...
>> Cheers.
>> -- Gaetan
> If I use gpg --sign instead of gpg --detach-sign the package verifies and installs just fine. That's what stumped me.
> Myra
> -- Life's fun when you're sick and psychotic!

As I said, I couldn't see the forest for the trees. Thank you very much.

Myra
-- Life's fun when you're sick and psychotic!