[pacman-dev] makepkg: key verification error
Eli Schwartz
eschwartz93 at gmail.com
Sun Dec 4 06:52:11 UTC 2016
On 12/03/2016 03:41 PM, Xyne wrote:
> Hi,
>
> There is a seemingly unending trickle of user comments on the AUR seeking
> advice about key verification errors when building packages. The error message
> in question is
>
> <pkgname> ... FAILED (unknown public key ...)
> ==> ERROR: One or more PGP signatures could not be verified!
>
> Would you consider changing this message to make it clear to the user that the
> key is not in the *user's* keyring? Maybe something like (key ... not found in
> user's keyring: you may need to import it).
>
> The current message seems to leave a lot of users thinking that the key and
> signature are shady and untrusted.
Doesn't "unknown public key" already imply that? makepkg already
provides information on the *reason* it failed.
"Unknown" is very different from "we have the key you need, and this
signature doesn't match"... we provide that warning later on, as "bad
signature".
Are there a lot of people who think that PGP/gpg just magically knows
every key that "people" trust, or something? What do they think "trust"
means, anyway?
https://git.archlinux.org/pacman.git/tree/scripts/libmakepkg/integrity/verify_signature.sh.in#n96
> p.s. I still hope that you will re-introduce the --pkg option or an
> alternative to selectively install split packages with "-i". (Building them all
> makes sense. Giving no option but to install them all, not so much.) I can
> provide a package for this as I keep a working patched version of makepkg for
> this purpose (and provide it in a package for others).
I would like this feature. `--pkg` could be a no-op without `-i`.
But maybe it deserves its own thread?
--
Eli Schwartz
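The distinction Eli draws above (the key is absent from the user's keyring versus the key is present and the signature does not match) is exactly what gpg reports on its status channel, and a verifier has to parse those lines to word its error the way Xyne asks for. The following shell script is an added example, not makepkg's verify_signature.sh nor anything posted in the thread; the function names, the verdict words and the sample status lines are this example's own constructions, and only the `[GNUPG:]` keywords are gpg's. It classifies `--status-fd` output and maps each verdict to a message that names the user's keyring instead of implying the key is suspect.

```shell
#!/bin/sh
# Added example (not makepkg's own code): classify the status lines gpg
# emits with --status-fd so a verifier can tell "signing key is not in the
# user's keyring" apart from "key present, signature does not match".
# Function names, verdict words and the sample status lines below are this
# example's own constructions; only the [GNUPG:] keywords are gpg's.

# Reads gpg status lines on stdin; prints "<verdict> <keyid>".
#   missingkey  NO_PUBKEY   key absent from the caller's keyring (import needed)
#   bad         BADSIG      key present, signature does not verify
#   expiredkey  EXPKEYSIG   key present but expired
#   revokedkey  REVKEYSIG   key present but revoked
#   untrusted   GOODSIG + TRUST_UNDEFINED/NEVER: valid, owner trust not set
#   good        GOODSIG + TRUST_MARGINAL/FULLY/ULTIMATE
#   unknown     no recognised status line seen
classify_gpg_status() {
    verdict=unknown
    keyid=-
    trust=""
    while read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            NO_PUBKEY)  verdict=missingkey; keyid=${rest%% *} ;;
            BADSIG)     verdict=bad;        keyid=${rest%% *} ;;
            EXPKEYSIG)  verdict=expiredkey; keyid=${rest%% *} ;;
            REVKEYSIG)  verdict=revokedkey; keyid=${rest%% *} ;;
            GOODSIG)
                # A hard failure already recorded takes precedence.
                if [ "$verdict" = unknown ]; then
                    verdict=good; keyid=${rest%% *}
                fi ;;
            TRUST_UNDEFINED|TRUST_NEVER)               trust=0 ;;
            TRUST_MARGINAL|TRUST_FULLY|TRUST_ULTIMATE) trust=1 ;;
        esac
    done
    if [ "$verdict" = good ] && [ "$trust" = 0 ]; then
        verdict=untrusted
    fi
    printf '%s %s\n' "$verdict" "$keyid"
}

# Turns a verdict into the kind of message the thread asks for: one that
# names the *user's* keyring rather than suggesting the key itself is shady.
explain_verdict() {
    case "$1" in
        missingkey) echo "key $2 is not in your keyring; import it and check its fingerprint against a source you trust" ;;
        bad)        echo "signature made with $2 does not match the file; the file or signature has been altered" ;;
        expiredkey) echo "signature is valid but key $2 has expired; refresh it (gpg --refresh-keys)" ;;
        revokedkey) echo "key $2 has been revoked; do not trust this signature" ;;
        untrusted)  echo "signature by $2 is valid but you have not marked the key as trusted (gpg --lsign-key $2)" ;;
        good)       echo "good signature from $2" ;;
        *)          echo "could not determine signature status" ;;
    esac
}

# Constructed status output standing in for `gpg --status-fd 1 --verify`;
# the key id is a made-up placeholder.
sample_missing='[GNUPG:] NEWSIG
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
verdict_line=$(printf '%s\n' "$sample_missing" | classify_gpg_status)
printf '%s\n' "$verdict_line"
explain_verdict $verdict_line   # unquoted on purpose: splits into verdict and keyid
```

Note that a GOODSIG followed by TRUST_UNDEFINED is the third case users run into: the signature is cryptographically fine and the key is in the keyring, but the user has not set owner trust, which is a different remedy again from importing the key.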