On 12/03/2016 03:41 PM, Xyne wrote:
> Hi,
>
> There is a seemingly unending trickle of user comments on the AUR seeking advice about key verification errors when building packages. The error message in question is
>
>     <pkgname> ... FAILED (unknown public key ...)
>     ==> ERROR: One or more PGP signatures could not be verified!
>
> Would you consider changing this message to make it clear to the user that the key is not in the *user's* keyring? Maybe something like (key ... not found in user's keyring: you may need to import it).
>
> The current message seems to leave a lot of users thinking that the key and signature are shady and untrusted.

Doesn't "unknown public key" already imply that? makepkg already provides information on the *reason* it failed. "Unknown" is very different from "we have the key you need, and this signature doesn't match"... we provide that warning later on, as "bad signature". Are there a lot of people who think that PGP/gpg just magically knows every key that "people" trust, or something? What do they think "trust" means, anyway?

https://git.archlinux.org/pacman.git/tree/scripts/libmakepkg/integrity/verif...

> p.s. I still hope that you will re-introduce the --pkg option or an alternative to selectively install split packages with "-i". (Building them all makes sense. Giving no option but to install them all, not so much.) I can provide a package for this as I keep a working patched version of makepkg for this purpose (and provide it in a package for others).

I would like this feature. `--pkg` could be a no-op without `-i`. But maybe it deserves its own thread?

--
Eli Schwartz
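The distinction drawn in the reply above (key missing from the user's keyring versus a signature that does not match a key we do have) comes from the status lines gpg emits during verification. The snippet below is an added example, not code from this thread or from makepkg itself: it classifies constructed gpg --status-fd output into the three outcomes a packager will see. NO_PUBKEY, BADSIG, GOODSIG and TRUST_* are real gpg status keywords; the key id, user id and the exact wording of the verdicts are placeholders chosen for this example.

```shell
#!/bin/sh
# Constructed samples of `gpg --status-fd 1 --verify` output (not captured
# from a real run); the key id 0123456789ABCDEF and the user id are made up.
STATUS_NO_PUBKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1480000000 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'

STATUS_BADSIG='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Packager <packager@example.invalid>'

STATUS_GOODSIG='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Packager <packager@example.invalid>
[GNUPG:] TRUST_FULLY 0 pgp'

# classify_status STATUS_TEXT
# Prints one verdict line. NO_PUBKEY means the signing key is simply absent
# from the local keyring (the "unknown public key" case): the remedy is to
# import and fingerprint-check the key, not to distrust the package.
# BADSIG means the key is present and the signature does NOT match: that is
# the case that should actually worry the user.
classify_status() {
    printf '%s\n' "$1" | awk '
        $1 != "[GNUPG:]" { next }          # ignore non-status noise
        $2 == "NO_PUBKEY" { print "unknown public key " $3; done = 1; exit }
        $2 == "BADSIG"    { print "bad signature from " $3; done = 1; exit }
        $2 == "GOODSIG"   { good = $3 }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
        END {
            if (done) exit
            if (good == "")   print "no signature status found"
            else if (trusted) print "good signature from trusted key " good
            else              print "good signature from untrusted key " good
        }
    '
}

# Stand-alone demonstration over the three constructed samples.
for s in "$STATUS_NO_PUBKEY" "$STATUS_BADSIG" "$STATUS_GOODSIG"; do
    classify_status "$s"
done
```

A GOODSIG without a TRUST_FULLY/TRUST_ULTIMATE line is the third situation the thread alludes to: the key is known and the signature is valid, but the user has not yet decided to trust that key.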