$ gpg --no-default-keyring --keyring /tmp/broken.gpg --keyserver hkp://pgp.mit.edu:11371 --recv-keys 0x4E2C6E8793298290
gpg: keybox '/tmp/broken.gpg' created
gpg: key 4E2C6E8793298290: 2 duplicate signatures removed
gpg: key 4E2C6E8793298290: 21292 signatures not checked due to missing keys
gpg: key 4E2C6E8793298290: 2 signatures reordered
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
$ ls -lah /tmp/broken.gpg
-rw-r--r-- 1 test test 3.6M Jul 4 14:46 broken.gpg
$ rm /tmp/broken.gpg*
$ gpg --no-default-keyring --keyring /tmp/broken.gpg --recv-keys 0x4E2C6E8793298290
gpg: keybox '/tmp/broken_key.gpg' created
gpg: key 4E2C6E8793298290: 2 duplicate signatures removed
gpg: key 4E2C6E8793298290: 100310 signatures not checked due to missing keys
gpg: key 4E2C6E8793298290: 2 signatures reordered
gpg: error writing keyring '/tmp/broken_key.gpg': Provided object is too large
gpg: key 4E2C6E8793298290: keyblock too large, retrying with self-sigs-only
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
$ ls -lah /tmp/broken.gpg
-rw-r--r-- 1 test test 11K Jul 4 14:48 /tmp/broken_key.gpg
Your method leaves 20000 signatures uncleaned, relies upon pgp.mit.edu never increasing that number to the 100000 the SKS server pool members have, and provides no defense on the client.
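The two runs above differ only in how many third-party signatures the keyserver handed back, and the client only finds out after gpg has tried (and failed) to write the keyblock. As an added example that is not code from this thread or from GnuPG, the Python below walks the packet headers of an exported key block (RFC 4880 section 4.2) and counts the signature packets hanging off each user ID, so a key fetched into a scratch keyring can be checked for flooding before it is imported into the real one. The flooding threshold of 1000 and the embedded sample key block are assumptions constructed for the example; only packet headers are decoded, bodies are skipped.

```python
"""Count signatures in an exported OpenPGP key block without importing it.

Added example, not code from this thread or from GnuPG: decodes packet
headers (RFC 4880 section 4.2), tallies tag-2 signature packets per user
ID, and flags a flooded certificate. Sample data below is constructed.
"""
import struct
import sys

TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13
TAG_PUBLIC_SUBKEY = 14


def parse_packets(data: bytes):
    """Yield (tag, body) for every packet in data; raises on malformed input."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {i}")
        i += 1
        if i >= n:
            raise ValueError("truncated packet header")
        if ctb & 0x40:
            # New format: tag in the low 6 bits, length per RFC 4880 4.2.2.
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:
            # Old format: tag in bits 2-5, length-type in bits 0-1 (4.2.1).
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported")
            width = (1, 2, 4)[ltype]
            if i + width > n:
                raise ValueError("truncated packet header")
            length = int.from_bytes(data[i:i + width], "big")
            i += width
        if i + length > n:
            raise ValueError(f"truncated packet body at offset {i}")
        yield tag, data[i:i + length]
        i += length


def packet_tags(data: bytes):
    """Packet tags in order, e.g. [6, 13, 2, 2, ...] for a typical key block."""
    return [tag for tag, _ in parse_packets(data)]


def signatures_per_uid(keyblock: bytes):
    """Map each user ID to the number of signature packets that follow it."""
    counts, current = {}, None
    for tag, body in parse_packets(keyblock):
        if tag == TAG_USER_ID:
            current = body.decode("utf-8", "replace")
            counts.setdefault(current, 0)
        elif tag == TAG_PUBLIC_SUBKEY:
            current = None  # subkey binding sigs are not UID certifications
        elif tag == TAG_SIGNATURE and current is not None:
            counts[current] += 1
    return counts


def is_flooded(keyblock: bytes, threshold: int = 1000) -> bool:
    """True if any user ID carries more than threshold signatures (threshold is an assumption)."""
    return any(c > threshold for c in signatures_per_uid(keyblock).values())


def _packet(tag: int, body: bytes, old_format: bool = False) -> bytes:
    """Encode body under tag; helper used only to build the constructed sample."""
    n = len(body)
    if old_format:
        return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", n) + body
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    if n < 8384:
        n -= 192
        return bytes([0xC0 | tag, (n >> 8) + 192, n & 0xFF]) + body
    return bytes([0xC0 | tag, 255]) + struct.pack(">I", n) + body


# Constructed sample: key, one UID, one "self-sig", 2500 junk third-party
# signatures, then a subkey and its binding signature. Bodies are filler.
SAMPLE_KEYBLOCK = (
    _packet(TAG_PUBLIC_KEY, b"\x04" + bytes(50), old_format=True)
    + _packet(TAG_USER_ID, b"Constructed Key <nobody@example.invalid>")
    + _packet(TAG_SIGNATURE, b"\x04\x13" + bytes(300))
    + b"".join(_packet(TAG_SIGNATURE, b"\x04\x10" + bytes(70)) for _ in range(2500))
    + _packet(TAG_PUBLIC_SUBKEY, b"\x04" + bytes(50))
    + _packet(TAG_SIGNATURE, b"\x04\x18" + bytes(70))
)

if __name__ == "__main__":
    # Usage: gpg --no-default-keyring --keyring /tmp/scratch.gpg --export KEYID > key.bin
    #        python3 check_flood.py key.bin
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYBLOCK
    for uid, count in signatures_per_uid(blob).items():
        print(f"{count:8d}  {uid}")
    print("flooded" if is_flooded(blob) else "looks normal")
```

Feed it the binary output of `gpg --export` from the scratch keyring (an armored download from a keyserver would need `gpg --dearmor` first). Because the check reads only headers, it runs in a fraction of the time gpg needs to merge a 100000-signature keyblock, which is the point: it tells you before the import whether `self-sigs-only` or `import-clean` is going to be required.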
Before running makepkg, you must do this (as normal user):
$ gpg --keyserver hkp://pgp.mit.edu:11371 --recv-keys 0x4E2C6E8793298290
Thanks anyways!
diff --git a/trunk/PKGBUILD b/trunk/PKGBUILD
index c023c41..3e506d9 100644
--- a/trunk/PKGBUILD
+++ b/trunk/PKGBUILD
@@ -21,14 +21,23 @@ validpgpkeys=('D8692123C4065DEA5E0F3AB5249B39D24F25E3B6'
'46CC730865BB5C78EBABADCF04376F3EE0856959'
'031EC2536E580D8EA286A9F22071B08A33BD3F06'
'5B80C5754298F0CB55D8ED6ABCEF7E294B092E28')
-source=("https://gnupg.org/ftp/gcrypt/${pkgname}/${pkgname}-${pkgver}.tar.bz2"{,.sig})
+source=("https://gnupg.org/ftp/gcrypt/${pkgname}/${pkgname}-${pkgver}.tar.bz2"{,.sig}
+ "https://github.com/gpg/gnupg/commit/15a425a1dfe60bd976b17671aa8e3d9aed12e1c0.patch"
+ "https://github.com/gpg/gnupg/commit/adb120e663fc5e78f714976c6e42ae233c1990b0.patch"
+ "https://github.com/gpg/gnupg/commit/a1f2f38dfb2ba5ed66d3aef66fc3be9b67f9b800.patch")
sha256sums=('6cbe8d454bf5dc204621eed3016d721b66298fa95363395bb8eeceb1d2fd14cb'
- 'SKIP')
+ 'SKIP'
+ 'cf6950719510d354cf161d69c92db30971a1f71b23ead392e35302c801692ddd'
+ 'b4ed15161c2d75b760f1cb9ea82eba258fa456b2307ed99003e9410b39a8d86e'
+ '14ef75e124434fe52d137ad98b260692787a0f2edb9d4304eb27ee663ca88482')
install=install
prepare() {
cd "${srcdir}/${pkgname}-${pkgver}"
+ patch -p1 -i ../15a425a1dfe60bd976b17671aa8e3d9aed12e1c0.patch
+ patch -p1 -i ../adb120e663fc5e78f714976c6e42ae233c1990b0.patch
+ patch -p1 -i ../a1f2f38dfb2ba5ed66d3aef66fc3be9b67f9b800.patch
sed '/noinst_SCRIPTS = gpg-zip/c sbin_SCRIPTS += gpg-zip' -i tools/Makefile.in
}
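Review bot: the three `.patch` sources added to `source=()` are pulled from GitHub's `commit/<sha>.patch` endpoint, which is generated on request rather than stored, so the pinned sha256sums will start failing (safely, but for every user of the package) if the rendered header ever changes; consider vendoring the three patch files next to the PKGBUILD as local sources with their own sha256sums, or at least naming them for what they fix rather than by bare commit hash, since nothing in the hunk documents why `15a425a1...`, `adb120e6...` and `a1f2f38d...` are being applied. In `prepare()`, `patch -p1 -i ...` should probably be `patch -Np1 -i ...` so that re-running the step against an already-patched tree skips applied hunks instead of prompting about reversed patches.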
To delete the key if it is stuck in a broken state:
gpg --delete-key EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
To clean the key:
gpg --batch --quiet --edit-key EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 clean save quit
Edit:
You could also ask the tor-browser package maintainer to add a warning that the key has been poisoned.
==> Verifying source file signatures with gpg...
tor-browser-linux64-8.5.3_en-US.tar.xz ... FAILED (unknown public key EB774491D9FF06E2)
==> ERROR: One or more PGP signatures could not be verified!
==> ERROR: Makepkg was unable to build tor-browser.
So I run:
gpg --recv-keys EB774491D9FF06E2
But that outputs:
gpg: key 4E2C6E8793298290: 2 duplicate signatures removed
gpg: key 4E2C6E8793298290: 100310 signatures not checked due to missing keys
gpg: key 4E2C6E8793298290: 2 signatures reordered
gpg: error writing keyring '/home/jakbyte/.gnupg/pubring.kbx': Provided object is too large
gpg: key 4E2C6E8793298290: public key "[User ID not found]" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: not imported: 1
Does anyone know a fix? I've searched a bit, but found no specific answer.
(Also, does this belong in AUR Issues?)