[arch-general] Package are signed... but pacman doesn't like them...?
Christian Hesse
list at eworm.de
Mon Jul 4 16:35:48 UTC 2016
Giovanni 'ItachiSan' Santini <itachi.sama.amaterasu at gmail.com> on Mon,
2016/07/04 11:58:
> On 03/07/2016 23:50, Christian Hesse wrote:
> >
> > The db file is just a simple tar archive, compressed with gzip. Unzip it
> > and you will find a directory for every package. Every directory contains
> > the file 'desc' at least. Within the file you should find a line
> > '%PGPSIG%', followed by a single line containing the signature.
> > Looks like the build service breaks this line, which confuses pacman.
> >
>
> I've opened an issue and created a pull request, as I made some
> experiments with perl in order to have the script working; the issue
> (now closed) is here:
> https://github.com/openSUSE/open-build-service/issues/1907
>
> Now, pacman recognises the key and accepts the package, but it still
> complains a little, saying that the signature format is unsupported:
>
> --- Terminal output starts here
> $ LANG=C sudo pacman -Sy dpkg
> :: Synchronizing package databases...
> ... sync stuff here ...
> resolving dependencies...
> looking for conflicting packages...
>
> Packages (1) dpkg-1.17.25-1
>
> Total Download Size: 1.46 MiB
> Total Installed Size: 9.20 MiB
>
> :: Proceed with installation? [Y/n]
> :: Retrieving packages...
> dpkg-1.17.25-1-x86_64 1492.1 KiB $speed 00:00 [--------------] 100%
> (1/1) checking keys in keyring [--------------] 100%
> error: dpkg: unsupported signature format(0/1)
> checking package integrity [co o o o o o
> (1/1) checking package integrity [--------------] 100%
> (1/1) loading package files [--------------] 100%
> ... installation stuff here ...
> --- Terminal output ends here
>
> Why does pacman give that error?
> As it marks it as an error, but it installs the package anyways...!
We have three places where this can come from...
https://git.archlinux.org/pacman.git/tree/lib/libalpm/signing.c#n1008
https://git.archlinux.org/pacman.git/tree/lib/libalpm/signing.c#n1038
https://git.archlinux.org/pacman.git/tree/lib/libalpm/signing.c#n1045
Not sure what goes wrong here. Is the source of the build service available? How
do they sign the packages?
--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
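
The db layout described in the quoted text (a gzip-compressed tar, one directory per package, a 'desc' file whose '%PGPSIG%' header is followed by a single signature line) can be checked mechanically. This is an added example, not part of the original message and not pacman or build service code; it assumes the signature line is base64-encoded OpenPGP data, and the function names and the sample db are constructed for illustration.

```python
import base64, binascii, io, re, tarfile

def parse_desc(text):
    """Map each %FIELD% header to the non-empty lines that follow it."""
    fields, current = {}, None
    for line in text.splitlines():
        if re.fullmatch(r"%[A-Z0-9]+%", line):
            current = fields.setdefault(line.strip("%"), [])
        elif line.strip() and current is not None:
            current.append(line)
    return fields

def check_pgpsig(fields):
    """Return a problem string for %PGPSIG%, or None if the field looks sane."""
    sig = fields.get("PGPSIG", [])
    if len(sig) != 1:
        return f"expected 1 signature line, found {len(sig)}"
    try:
        raw = base64.b64decode(sig[0], validate=True)
    except binascii.Error:
        return "signature is not valid base64"
    return None if raw and raw[0] & 0x80 else "not an OpenPGP packet"

def check_db(fileobj):
    """Check every <package>/desc in a gzip-compressed repo db tarball."""
    problems = {}
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for m in tar:
            if m.isfile() and m.name.endswith("/desc"):
                text = tar.extractfile(m).read().decode("utf-8", "replace")
                if problem := check_pgpsig(parse_desc(text)):
                    problems[m.name.rsplit("/", 2)[-2]] = problem
    return problems

def build_sample_db():
    """Constructed db: one intact signature line, one wrapped over two lines."""
    sig = base64.b64encode(b"\x89\x01\x1c" + bytes(60)).decode()  # dummy bytes
    samples = {"good-1.0-1": sig, "wrapped-1.0-1": sig[:40] + "\n" + sig[40:]}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for pkg, sigtext in samples.items():
            data = f"%NAME%\n{pkg}\n\n%PGPSIG%\n{sigtext}\n\n".encode()
            info = tarfile.TarInfo(f"{pkg}/desc")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return io.BytesIO(buf.getvalue())

if __name__ == "__main__":
    print(check_db(build_sample_db()))
```

To check a real repository, pass an open binary file handle for the downloaded db file to `check_db`.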