[arch-general] Package are signed... but pacman doesn't like them...?

Jelle van der Waa jelle at vdwaa.nl
Sun Jul 3 16:03:31 UTC 2016


On 07/03/16 at 02:45pm, Ilya Boka via arch-general wrote:
> I don't know if it makes sense, but did you create the signature with
> "makepkg --sign"?

Nope,

He is using openSUSE's Build Service, which creates a private key per
repository. This key is used to sign the packages and surprisingly also
the repo database.

I could reproduce the problem but I have no clue why pacman says the
signature is invalid.
> 
> On Sun, Jul 3, 2016 at 10:09 AM, Giovanni 'ItachiSan' Santini via
> arch-general <arch-general at archlinux.org> wrote:
> > Good morning,
> > some days ago I found a nice service called "Open Build Service", which
> > allows all kind of packagers, including also Arch ones, to have
> > different repos of their packages, having them built online.
> > This is awesome for me, as some of them require heavy building time.
> >
> > I fought a bit against the service, in order to make the GPG public key
> > to be uploaded to a key server, in order to allow users to add it
> > properly to pacman-key.
> >
> > Now, I am facing a really strange issue: I've added the key to pacman
> > keyring, using:
> >
> > sudo pacman-key -r 05E0A765C649DE23
> > sudo pacman-key --lsign-key 05E0A765C649DE23
> >
> > Database syncing works properly and the signature is verified...
> > But for packages it is not.
> > Every time it gives an error as this:
> >
> > $pkgname-$pkgver   $pkgsize  $dw_speed 00:00 [--------------------] 100%
> > (1/1) checking keys in keyring               [--------------------] 100%
> > error: $pkgname: unsupported signature format(0/1) checking package
> > integrity
> > (1/1) checking package integrity             [--------------------] 100%
> > error: GPGME error: No data
> >
> > I tried to download the public key and adding to my personal GPG
> > keyring. Verifying the packages signatures works perfectly. To try this,
> > I fetched the .sig file online and used the GPG --verify command.
> > Any hints?
> >
> > Now, the needed data.
> > My personal repo configuration for pacman
> >
> > [home_ItachiSan_archlinux_Arch_Extra]
> > Server = http://download.opensuse.org/repositories/home:/ItachiSan:/archlinux/Arch_Extra/$arch
> >
> > The public key mentioned above:
> > http://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x05E0A765C649DE23
> > or
> > http://keyserver.ubuntu.com/pks/lookup?op=vindex&search=home%3AItachiSan&fingerprint=on
> >
> > Sorry to be so verbose. :<
> > Thanks in advance!
> >
> > --
> > Giovanni Santini
> > My blog: http://giovannisantini.tk
> > My code: https://github.com/ItachiSan
> > My code, again: https://gitlab.com/u/ItachiSan
> > My Twitter: https://twitter.com/santini__gio
> > My Facebook: https://www.facebook.com/giovanni.santini
> > My Google+: https://plus.google.com/+GiovanniSantini/
> > My GPG: 2FADEBF5

-- 
Jelle van der Waa