[arch-general] Package signature error after updated GPG key
Hey guys, i have recently received the attached email from a user. He cannot install a package from me due to a GPG error. I have recently updated my key and it should have been added to the new keyring. I don't know a better solution, who can help us? Cheers, Nico On 7/8/20 12:10 AM, cock.li wrote:
Hi, sorry to bother you, I think that the signature on the snap-pac packet is expired or something similar, I'm getting this pacman error:
error: snap-pac: signature from "NicoHood <pgp@nicohood.de>" is unknown trust :: File /var/cache/pacman/pkg/snap-pac-2.3.1-1-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
since, the keys are updated (I've tried updating them with a healthy "sudo pacman-key --refresh-keys", but nothing) i think that the key with wich the packet was signed expired and was changed in the meantime, especially since it's more than a year that there are no updates on the packet (since there are no commits on the source)
I do need the packet for snap-pac-grub, please let me now as soon as you can
regards
AmanuenseDelDiavolo
On Wed, 2020-07-08 at 21:08 +0200, NicoHood wrote:
Hey guys, i have recently received the attached email from a user. He cannot install a package from me due to a GPG error. I have recently updated my key and it should have been added to the new keyring. I don't know a better solution, who can help us?
Cheers, Nico
IIRC GPG uses the latest subkey by default, if you crated a new one it would be used, I assume this is what happened. If you haven't already revoked the older subkey(s), you should be able set GPGKEY in makepkg.conf and use it instead. Cheers, Filipe Laíns
On 7/8/20 9:14 PM, Filipe Laíns via arch-general wrote:
On Wed, 2020-07-08 at 21:08 +0200, NicoHood wrote:
Hey guys, i have recently received the attached email from a user. He cannot install a package from me due to a GPG error. I have recently updated my key and it should have been added to the new keyring. I don't know a better solution, who can help us?
Cheers, Nico
IIRC GPG uses the latest subkey by default, if you crated a new one it would be used, I assume this is what happened. If you haven't already revoked the older subkey(s), you should be able set GPGKEY in makepkg.conf and use it instead.
Cheers, Filipe Laíns
I am not sure if I understood correct. I've simply refreshed the gpg key (and the subkey) which was included into the new keyring. The package that causes trouble is older than that change. Since makepkg refers to package building, I think this does not help here. I expect that I do not need to rebuild all packages just because the GPG key was renewed. Is it more clear now?
On Wed, 2020-07-08 at 21:21 +0200, NicoHood wrote:
I am not sure if I understood correct. I've simply refreshed the gpg key (and the subkey) which was included into the new keyring. The package that causes trouble is older than that change. Since makepkg refers to package building, I think this does not help here. I expect that I do not need to rebuild all packages just because the GPG key was renewed.
Is it more clear now?
Ah, then the user has an outdated keyring or a corrupted file. Refreshing the keys should have no impact, what would have an impact would be creating a new key, which is what I assumed happened. Filipe Laíns
On Friday, July 10, 2020 7:06 PM, Eli Schwartz via arch-dev-public <arch-dev-public@archlinux.org> wrote:
On 7/10/20 2:38 PM, Jan Alexander Steffens (heftig) via arch-dev-public wrote:
From: "Jan Alexander Steffens (heftig)" heftig@archlinux.org I recently read Fedora's documentation on build flags and I think they have some useful ideas.
1. Move -D_FORTIFY_SOURCE=2 from CPPFLAGS to CFLAGS using -Wp: Unfortunately, there are still build systems (e.g. CMake, homegrown Makefile rules) which use CFLAGS but not CPPFLAGS. Ultimately, we can cover more code with this workaround.
Sounds like a job for
build() { export CFLAGS="$CPPFLAGS $CFLAGS" ... }
(I do not understand how -Wp, helps here, its purpose is only to prevent the compiler driver from reinterpreting it before passing it to the preprocessor, and only if you have special needs and believe it will mangle your flags. -D_FORTIFY_SOURCE sounds sufficiently boring to say it won't be mangled.)
IIRC main concern against -D_FORTIFY_SOURCE in CFLAGS (made by Allan?) was about purity of passing preprocessor flags only to preprocessor. I think using "Wp" prefix for fortify solves purity issue. Side note: can you get rid of "-march=x86-64 -mtune=generic" which are default options for gcc on x86_64? It would be easier to read buildflags without this useless spam especially when they will be extended by other meaningful things. Yours sincerely G. K.
On 7/8/20 3:08 PM, NicoHood wrote:
Hey guys, i have recently received the attached email from a user. He cannot install a package from me due to a GPG error. I have recently updated my key and it should have been added to the new keyring. I don't know a better solution, who can help us?
Cheers, Nico
There is nothing wrong with this key and it successfully verifies using pacman with the current archlinux-keyring package. debug: sig data: iQIzBAABCAAdFiEElzEtXrnXrn0L1DBzUdrpt8GukWEFAlyfmyUACgkQUdrpt8GukWH4EA//SIhP7Cr8pnDxd8e3jPoGmP6zU/YvXcqvRfwPWB+p6zRxq8+GGdrLzDGfRQHu2NWNK9ZTAagmArEWh/vQhxMCE2bfTcmQo5dA25mMqiaZcF1K9e/PKKvKbZ5PaIuxmX65fd3C74CFDHo5OLWOhx8PrXGINYnS6TCD5KxOQ5L10tSQPcRmNjid8KbcuflvrFkcEu/GpNL1HaFdr+VuvGKpmWj36Lbj4Q6uKOisnf9jmMraVD+C67+WStWgxkkPyILb4XvTcEBLctdzKEDY04C/oSafQMrK4CVd+JsVX5udpledIZL03Md+YhcHsW51aDtkry2M9i75WCrE9C7QHnfoxnBCzGi4xnjW/spGZVCQjNZ6M/6OMzlFwCdggi2y9yewrk5apA2o2Fw65UMGgKowIFQEHhoEV/RnumyR5TWi2Oz9ljXCmPRbe6x2SvjneQ4C5jqL2bVzmtLrdLQBrGeUIJLlYVQjLyRZH+WjgWrp3QOe7qX7DwxukRrIoLHt22ucSC9Nvc2QtVvQ7B9gXne87k4b4u4PYc1wQhKm7JwArT4EnVWKm6MdSfbvRuR7Sw6JeVZgRFyVAHihwOEVLPDTOmof9EHZDh4VKF1YTr7P/QS2zSemaQs2vOyjuFRkLVQ8RuyF+SUAk2xx9eIuW4w1+pH/lP38+KBXj7laV+nump0= debug: checking signature for /var/cache/pacman/pkg/snap-pac-2.3.1-1-aany.pkg.tar.xz debug: 1 signatures returned debug: fingerprint: 97312D5EB9D7AE7D0BD4307351DAE9B7C1AE9161 debug: summary: valid debug: summary: green debug: status: Success debug: timestamp: 1553963813 debug: exp_timestamp: 0 debug: validity: full; reason: Success debug: key: 97312D5EB9D7AE7D0BD4307351DAE9B7C1AE9161, NicoHood <pgp@nicohood.de>, owner_trust unknown, disabled 0 debug: signature is valid debug: signature is fully trusted -- Eli Schwartz Bug Wrangler and Trusted User
participants (4)
-
Eli Schwartz
-
Filipe Laíns
-
Geo Kozey
-
NicoHood