[arch-general] Packages are signed... but pacman doesn't like them...?
Christian Hesse
list at eworm.de
Sun Jul 3 21:50:22 UTC 2016
Giovanni 'ItachiSan' Santini via arch-general <arch-general at archlinux.org> on
Sun, 2016/07/03 10:09:
> Good morning,
> some days ago I found a nice service called "Open Build Service", which
> allows all kinds of packagers, including Arch ones, to have
> different repos of their packages, having them built online.
> This is awesome for me, as some of them require heavy build time.
>
> I fought a bit against the service in order to get the GPG public key
> uploaded to a key server, so that users can add it
> properly with pacman-key.
>
> Now, I am facing a really strange issue: I've added the key to pacman
> keyring, using:
>
> sudo pacman-key -r 05E0A765C649DE23
> sudo pacman-key --lsign-key 05E0A765C649DE23
>
> Database syncing works properly and the signature is verified...
> But for packages it is not.
> Every time it gives an error as this:
>
> $pkgname-$pkgver $pkgsize $dw_speed 00:00 [--------------------] 100%
> (1/1) checking keys in keyring [--------------------] 100%
> error: $pkgname: unsupported signature format(0/1) checking package
> integrity
> (1/1) checking package integrity [--------------------] 100%
> error: GPGME error: No data
>
> I tried to download the public key and add it to my personal GPG
> keyring. Verifying the package signatures works perfectly. To try this,
> I fetched the .sig file online and used the GPG --verify command.
> Any hints?
>
> Now, the needed data.
> My personal repo configuration for pacman
>
> [home_ItachiSan_archlinux_Arch_Extra]
> Server = http://download.opensuse.org/repositories/home:/ItachiSan:/archlinux/Arch_Extra/$arch
>
> The public key mentioned above:
> http://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x05E0A765C649DE23
> or
> http://keyserver.ubuntu.com/pks/lookup?op=vindex&search=home%3AItachiSan&fingerprint=on
>
> Sorry to be so verbose. :<
> Thanks in advance!
Looks like the build service produces invalid db files,
home_ItachiSan_archlinux_Arch_Extra.db in your case.
The db file is just a simple tar archive, compressed with gzip. Unzip it and
you will find a directory for every package. Every directory contains the
file 'desc' at least. Within the file you should find a line '%PGPSIG%',
followed by a single line containing the signature.
Looks like the build service breaks this line, which confuses pacman.
To verify you can extract the db file, make your changes and create a new
one. Do not forget to remove the db signature (or re-sign).
BTW, it's pretty simple why the db signature is valid: it is used as-is. The
package signatures in your repository are useless, though. The signatures are
stored within the db file, as seen above.
--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
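A small checker for the db layout described in the reply, added here as an example (it is not code from the list, from pacman or from the build service). It unpacks a sync db, reads every package's 'desc' file and flags a %PGPSIG% section that is missing, spans more than one line, or does not decode to something that starts like an OpenPGP packet. The db contents are constructed in memory; the "broken" entry splits the signature line the way the mail says the build service does.

```python
import base64
import binascii
import io
import tarfile

# Constructed fixture: a fake signature blob starting with an old-format
# OpenPGP packet header byte (0x89) so it looks like a real detached sig.
SIG_B64 = base64.b64encode(b"\x89\x01\x33" + bytes(20)).decode()
GOOD_DESC = "%FILENAME%\nfoo-1.0-1-x86_64.pkg.tar.xz\n\n%NAME%\nfoo\n\n" \
            "%PGPSIG%\n" + SIG_B64 + "\n\n%VERSION%\n1.0-1\n"
# Same desc, but the signature line is wrapped onto two lines.
BAD_DESC = GOOD_DESC.replace(SIG_B64, SIG_B64[:16] + "\n" + SIG_B64[16:])

def parse_desc(text):
    """Split a pacman 'desc' file into {'%SECTION%': [lines]}; a blank line ends a section."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
        elif line.startswith("%") and line.endswith("%") and len(line) > 2:
            current = line
            sections[current] = []
        else:
            sections.setdefault(current if current else "<stray>", []).append(line)
    return sections

def pgpsig_problem(sections):
    """Return None if %PGPSIG% is one base64 line holding an OpenPGP packet, else a reason."""
    if sections.get("<stray>"):
        return "lines found outside any %SECTION%"
    lines = sections.get("%PGPSIG%")
    if not lines:
        return "missing %PGPSIG% section"
    if len(lines) != 1:
        return f"%PGPSIG% spans {len(lines)} lines, expected 1"
    try:
        raw = base64.b64decode(lines[0], validate=True)
    except binascii.Error as e:
        return f"%PGPSIG% is not valid base64: {e}"
    if not raw or not raw[0] & 0x80:
        return "decoded %PGPSIG% does not start with an OpenPGP packet header"
    return None

def check_db(db_bytes):
    """Walk every <pkg>/desc in a sync db (gzip tar) and map package dir -> problem or None."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(db_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("/desc"):
                text = tar.extractfile(member).read().decode("utf-8")
                report[member.name.rsplit("/", 1)[0]] = pgpsig_problem(parse_desc(text))
    return report

def build_db(descs):
    """Build a sync db in memory from {pkgdir: desc_text} (test fixture only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for pkgdir, text in descs.items():
            data = text.encode()
            info = tarfile.TarInfo(f"{pkgdir}/desc")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

To run it against a real repo, replace the `build_db(...)` fixture with the bytes of the downloaded `.db` file and inspect the returned dict.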