
#1 2012-01-19 13:59:08

Natanji
Member
Registered: 2009-09-22
Posts: 133

Signatures for community repos, e.g. xmlrpc-c: how establish trust?

Hey there,
Now, as far as I understood, the master keys will only establish a level of trust for the official packages. But I thought they would also sign the trusted users' (who manage e.g. the community repository) keys, such that I don't have to trust any additional keys. Isn't that like, the idea of the master keys and the chain of trust they establish?
I trusted the master keys marginally and also imported all the trusted users' keys. For a few packages signed by trusted users, however, I get an error...

```
error: xmlrpc-c: signature from "Gavin Marciniak-Bisesi <Daenyth@gmail.com>" is marginal trust
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.
```

Any help here?

Last edited by Natanji (2012-01-19 14:00:31)


#2 2012-01-19 14:04:33

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,941
Website

Re: Signatures for community repos, e.g. xmlrpc-c: how establish trust?

His key is not signed by at least 3 masters.

http://pgp.mit.edu:11371/pks/lookup?op= … 6699AD6E84

Last edited by wonder (2012-01-19 14:04:46)


Give what you have. To someone, it may be better than you dare to think.


#3 2012-01-19 14:06:05

Natanji
Member
Registered: 2009-09-22
Posts: 133

Re: Signatures for community repos, e.g. xmlrpc-c: how establish trust?

So what is the correct thing to do then? Will the key eventually be signed by all the masters, and that process is just gonna take some time? Or is that rather unlikely to happen in the near future?


#4 2012-01-19 14:17:05

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,941
Website

Re: Signatures for community repos, e.g. xmlrpc-c: how establish trust?

I just pinged him to remind him to reply to master keys emails.




#5 2012-01-19 15:07:09

ratcheer
Member
Registered: 2011-10-09
Posts: 912

Re: Signatures for community repos, e.g. xmlrpc-c: how establish trust?

@Natanji - read this. It instructs you how to set up the master keys.

http://allanmcrae.com/2011/12/pacman-pa … rch-linux/

Tim


#6 2012-01-19 15:22:43

lolilolicon
Member
Registered: 2009-03-05
Posts: 1,722

Re: Signatures for community repos, e.g. xmlrpc-c: how establish trust?

A temporary resolution is - if you think the package is good - to install it using `pacman -U /var/cache/pacman/pkg/xmlrpc-c*.pkg.tar.xz`.

Last edited by lolilolicon (2012-01-19 15:45:47)


This silver ladybug at line 28...


#7 2012-01-19 15:26:34

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Signatures for community repos, e.g. xmlrpc-c: how establish trust?

lolilolicon wrote:

A temporary resolution is - if you think the package is good - to install it using `pacman -U /var/cache/pacman/pkg/xmlrpc-c*.pkg.xz`.

+1
Due to https://bugs.archlinux.org/task/26520


#8 2012-01-25 05:19:06

Thedemon007
Member
Registered: 2011-08-20
Posts: 8

Re: Signatures for community repos, e.g. xmlrpc-c: how establish trust?

My error:

```
(7/7) checking package integrity                   [######################] 100%
error: tmux: signature from "Sergej Pupykin <arch@sergej.pp.ru>" is marginal trust
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.
```


#9 2012-03-02 03:37:18

Thedemon007
Member
Registered: 2011-08-20
Posts: 8

Re: Signatures for community repos, e.g. xmlrpc-c: how establish trust?

Another key currently unsigned:

http://pgp.mit.edu:11371/pks/lookup?op= … 6E3C4F88BC

Error:

```
error: os-prober: signature from "Timothy Redaelli <tredaelli@archlinux.info>" is marginal trust
```


#10 2012-03-02 04:30:08

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,406
Website

Re: Signatures for community repos, e.g. xmlrpc-c: how establish trust?

That link shows it does have three signatures...    "pacman-key --refresh-keys"


#11 2012-03-02 05:27:50

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,406
Website

Re: Signatures for community repos, e.g. xmlrpc-c: how establish trust?

BTW, there are no packages in the repo signed by keys without enough master key signatures.  Also, packages have to have a trusted signature to be added to the repos too.


#12 2012-03-04 10:57:21

Thedemon007
Member
Registered: 2011-08-20
Posts: 8

Re: Signatures for community repos, e.g. xmlrpc-c: how establish trust?

Allan wrote:

That link shows it does have three signatures...    "pacman-key --refresh-keys"

"pacman-key --refresh-keys" output:

```
gpg: key C0711BF1: "Rashif Rahman (Ray) <schiv@archlinux.org>" not changed
gpg: key 2072D77A: "Seblu <seblu@seblu.net>" not changed
gpg: key EA433FC7: "Sergej Pupykin <arch@sergej.pp.ru>" not changed
gpg: key E62EB915: "Sven-Hendrik Haase <sh@lutzhaase.com>" not changed
gpg: key 0C84C0A5: "Thomas Dziedzic <gostrc@gmail.com>" not changed
gpg: key 295AFBF4: "Thorsten Tpper <atsutane@freethoughts.de>" not changed
gpg: key 3C4F88BC: "Timothy Redaelli <tredaelli@archlinux.info>" not changed
gpg: key C2E5C0D2: "Xyne. <xyne@archlinux.ca>" not changed
gpg: key 06361833: "Tom Gundersen <teg@jklm.no>" not changed
gpg: key 9741E8AC: "Pierre Schmitz <pierre@archlinux.de>" not changed
gpg: key EAE999BD: "Allan McRae <me@allanmcrae.com>" not changed
gpg: Total number processed: 57
gpg:              unchanged: 57
```

"pacman -Syu" :

```
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
 multilib is up to date
 archlinuxfr is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for inter-conflicts...

Targets (1): os-prober-1.49-3

Total Installed Size:   0.10 MiB
Net Upgrade Size:       -0.07 MiB

Proceed with installation? [Y/n] Y
(1/1) checking package integrity                   [######################] 100%
error: os-prober: signature from "Timothy Redaelli <tredaelli@archlinux.info>" is marginal trust
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.
```

I think the email timothy.redaelli@gmail.com does have three signatures, but tredaelli@archlinux.info does not have signatures.


#13 2012-03-04 11:52:07

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,941
Website

Re: Signatures for community repos, e.g. xmlrpc-c: how establish trust?

@Thedemon007 paste pacman-key --list-sigs




#14 2012-03-05 02:07:51

Thedemon007
Member
Registered: 2011-08-20
Posts: 8

Re: Signatures for community repos, e.g. xmlrpc-c: how establish trust?

wonder wrote:

@Thedemon007 paste pacman-key --list-sigs

http://pastebin.archlinux.fr/438440

```
pub   2048R/3C4F88BC 2011-11-28
uid                  Timothy Redaelli <tredaelli@archlinux.info>
sig 3        3C4F88BC 2011-12-21  Timothy Redaelli <tredaelli@archlinux.info>
uid                  Timothy Redaelli <timothy.redaelli@gmail.com>
sig 3        3C4F88BC 2011-11-28  Timothy Redaelli <tredaelli@archlinux.info>
sig          6AC6A4C2 2011-12-21  Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sig          4C7EA887 2011-12-23  [ID de usuario no encontrado]
sig          824B18E8 2012-01-03  Thomas Bächler (Arch Linux Master Key) <thomas@master-key.archlinux.org>
sub   2048R/28A38F04 2011-11-28
sig          3C4F88BC 2011-11-28  Timothy Redaelli <tredaelli@archlinux.info>

pub   2048R/C2E5C0D2 2011-11-24
```

Translate :)

[ID de usuario no encontrado] = [User ID not found]

Thank you, wonder. I deleted key 4C7EA887 and added it again manually.

```
$ sudo pacman-key -d 4C7EA887
$ sudo pacman-key -r 4C7EA887
$ sudo pacman-key --edit-key 4C7EA887

gpg> lsign
...
 Primary key fingerprint: ...
...
Really sign? (y/N)y
Really sign? (y/N) y
gpg> trust
...
Your decision? 3
gpg> save
gpg: checking the trustdb
...
```

Last edited by Thedemon007 (2012-03-05 02:51:40)
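
As an added example (not code from any poster or from the pacman project): a Python parser for the `pacman-key --list-sigs` listing in the post above that counts, per user ID, the master-key signatures whose signer is present in the local keyring and lists signer key IDs shown only as a bracketed placeholder. The threshold of 3 follows post #2; the names `audit` and `MASTER_TAG` and the bracket heuristic for unresolved signers are assumptions of this example.

```python
import re

MASTER_TAG = "(Arch Linux Master Key)"  # label on master-key uids in the listing
DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Sample: the 3C4F88BC entry from the listing in the post above.
SAMPLE = """\
pub   2048R/3C4F88BC 2011-11-28
uid                  Timothy Redaelli <tredaelli@archlinux.info>
sig 3        3C4F88BC 2011-12-21  Timothy Redaelli <tredaelli@archlinux.info>
uid                  Timothy Redaelli <timothy.redaelli@gmail.com>
sig 3        3C4F88BC 2011-11-28  Timothy Redaelli <tredaelli@archlinux.info>
sig          6AC6A4C2 2011-12-21  Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sig          4C7EA887 2011-12-23  [ID de usuario no encontrado]
sig          824B18E8 2012-01-03  Thomas Bächler (Arch Linux Master Key) <thomas@master-key.archlinux.org>
sub   2048R/28A38F04 2011-11-28
sig          3C4F88BC 2011-11-28  Timothy Redaelli <tredaelli@archlinux.info>
"""

def audit(listing, needed=3):
    """Return one dict per uid: resolvable master-key signers vs unresolved signers."""
    results, key_id, cur = [], None, None
    for line in listing.splitlines():
        parts = line.split()
        tag = parts[0] if parts else ""
        if tag == "pub":
            key_id, cur = parts[1].split("/")[-1], None
        elif tag == "sub":
            cur = None  # signatures under a subkey are bindings, not certifications
        elif tag == "uid":
            cur = {"key": key_id, "uid": " ".join(parts[1:]),
                   "masters": set(), "unresolved": set()}
            results.append(cur)
        elif tag == "sig" and cur is not None:
            i = next((n for n, p in enumerate(parts) if DATE.match(p)), 0)
            if i < 2 or parts[i - 1] == key_id:
                continue  # malformed line or self-signature
            signer, name = parts[i - 1], " ".join(parts[i + 1:])
            if name.startswith("[") and name.endswith("]"):
                cur["unresolved"].add(signer)  # signer key not in local keyring
            elif MASTER_TAG in name:
                cur["masters"].add(signer)
    for r in results:
        r["ok"] = len(r["masters"]) >= needed
    return results

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(r["key"], r["uid"], sorted(r["masters"]), sorted(r["unresolved"]), r["ok"])
```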

