#1 2012-11-05 20:45:53

teateawhy
Member
From: GER
Registered: 2012-03-05
Posts: 1,079
Website

[Solved] makepkg warning about unknown key

Hello,

when compiling cower 7-1 a strange warning was given by makepkg.

==> Verifying source file signatures with gpg...
cower-7.tar.gz ... FAILED (unknown public key 1EB2638FF56C0C53)
==> WARNING: Warnings have occurred while verifying the signatures.
    Please make sure you really trust them.

EDIT: The warning is shown due to signature files attached to the package. It can be solved for packages made by archlinux devs:
- run as user
"$ gpg --list-keys"
  in order to create a gpg database for your current user, if it is not present already.

- add
"keyring /etc/pacman.d/gnupg/pubring.gpg"
  to the end of
~/.gnupg/gpg.conf.

WorMzy wrote:

Alternatively, run makepkg with --skippgpcheck to stop makepkg trying to validate the file with its .sig file.

Last edited by teateawhy (2012-11-06 16:22:30)

Offline

#2 2012-11-05 21:24:12

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 5,951
Website

Re: [Solved] makepkg warning about unknown key

I assume that makepkg uses your gpg keychain, whereas pacman uses its own.


Sakura:-
Mobo: ASUS P8Z77-V PRO // Processor: Intel Core i7-3770K 3.4GHz // GFX: nVidia GeForce GTX 970 Ti // RAM: 32GB (4x 8GB) Corsair DDR3 (@ 2133MHz) // Storage: 1x 3TB Seagate SATAII 5x 1TB Samsung SATAII, 2x 120GB Corsair SSD

Making lemonade from lemons since 2015.

Offline

#3 2012-11-05 22:01:46

karol
Archivist
Registered: 2009-05-06
Posts: 25,434

Re: [Solved] makepkg warning about unknown key

If it's just about cower, you can ask here: https://bbs.archlinux.org/viewtopic.php?id=97137

Offline

#4 2012-11-06 07:52:19

teateawhy
Member
From: GER
Registered: 2012-03-05
Posts: 1,079
Website

Re: [Solved] makepkg warning about unknown key

WorMzy wrote:

I assume that makepkg uses your gpg keychain, whereas pacman uses its own.

Thank you for the answer. Now I understand what happened. My signature level "Optional" will only require keys to be checked if there is a key present. Usually AUR submitters do not have a key and no warning shows up.

EDIT:
The error will occur for all AUR Packagebuilds with attached keys.

The wiki pages about the AUR, makepkg, and creating a package need to be updated about this. They do not mention makepkg is affiliated with gpg and checking keys during build time. Now I am reading more about the topic. http://allanmcrae.com/2011/08/pacman-pa … -repo-add/

If it's just about cower, you can ask here...

No, it will happen to other AUR packages in certain cases, too, as explained above.

Last edited by teateawhy (2012-11-06 16:13:47)

Offline

#5 2012-11-06 11:45:03

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 5,951
Website

Re: [Solved] makepkg warning about unknown key

teateawhy wrote:

The error will occur only for aur Packagebuilds created by arch linux developers, because of present keys.

Mmm, not quite. You'll have the same problem with any PKGBUILD that has an unknown signature, not just AUR packages by the Arch devs.

The warning (it's not really an error) is coming up because the source tarball's signature is included in the source array:

source=("https://github.com/downloads/falconindy/$pkgname/$pkgname-$pkgver.tar.gz"{,.sig})

That's a lazyman's way of writing:

source=("https://github.com/downloads/falconindy/$pkgname/$pkgname-$pkgver.tar.gz"
        "https://github.com/downloads/falconindy/$pkgname/$pkgname-$pkgver.tar.gz.sig")

makepkg is smart enough to know that .sig files are used to check the authenticity and integrity of its namesake file, and so automagically runs a gpg check for you. At this point, since you're running makepkg as yourself, gpg is run as you, and uses your ~/.gnupg/pubring.gpg, which I assume doesn't have Dave's key in it. ('gpg --list-keys' would no doubt confirm that).

A quick fix for Arch dev packages would be to add "keyring /etc/pacman.d/gnupg/pubring.gpg" to the end of ~/.gnupg/gpg.conf.

Alternatively, run makepkg with --skippgpcheck to stop makepkg trying to validate the file with its .sig file.


Offline

#6 2012-11-06 16:11:41

teateawhy
Member
From: GER
Registered: 2012-03-05
Posts: 1,079
Website

Re: [Solved] makepkg warning about unknown key

Wormzy wrote:

You'll have the same problem with any PKGBUILD that has an unknown signature, not just AUR packages by the Arch devs.

Thanks for clearing this up, can you give an example for an aur package with signature, not made by arch devs?

Wormzy wrote:

gpg --list-keys

This command actually created the trustdb database,
and afterwards I added the suggested line.
When compiling again, the warning disappeared.

==> Verifying source file signatures with gpg...
    cower-7.tar.gz ... Passed
==> Extracting Sources...

Thank you for the solution.

Last edited by teateawhy (2012-11-06 17:23:21)

Offline

#7 2012-11-07 00:54:26

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 5,951
Website

Re: [Solved] makepkg warning about unknown key

I'm sure there'll be one or two, but I can't think of any AUR packages off the top of my head. There's an abundance of non-AUR packages with signed source files though, e.g. bash, coreutils, less, readline, etc.

Note that the source files in these packages are not signed by the Arch devs, but by the respective project devs. For example, less is signed by Mark Nudelman.


Offline

#8 2012-11-08 03:27:32

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 5,675

Re: [Solved] makepkg warning about unknown key

But presumably that's only an issue if you use ABS? Otherwise, you aren't using the source packages, right?

Note that you can manually check the signature using pacman-key independently of makepkg since I guess this pulls the system wide pacman keys. (I just get a warning that the trustdb is not writeable which is good - it shouldn't be.)


How To Ask Questions The Smart Way | Help Vampires

Arch Linux | x86_64 | GPT | EFI boot | grub2 | systemd | LVM2 on LUKS
Lenovo x121e | Intel(R) Core(TM) i3-2367M CPU @ 1.40GHz GenuineIntel | Intel Centrino Wireless-N 1000 | US keyboard with Euro | 320G 7200 RPM Seagate HDD

Offline

#9 2012-11-08 10:48:10

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 5,951
Website

Re: [Solved] makepkg warning about unknown key

cfr wrote:

But presumably that's only an issue if you use ABS?

I don't think it's an issue at all, to be honest.

But the point is that any PKGBUILD can have a signed source tarball, not just ones developed by the Arch devs.


Offline

#10 2015-01-04 07:45:52

rajat
Member
Registered: 2013-10-10
Posts: 9

Re: [Solved] makepkg warning about unknown key

- run as user
"$ gpg --list-keys"
  in order to create a gpg database for your current user, if it is not present already.
- add
"keyring /etc/pacman.d/gnupg/pubring.gpg"
  to the end of
~/.gnupg/gpg.conf.

This was a solution for me as well, I was trying to install wine-multimedia package from AUR and it was failing no matter what I did.

After searching the forums I found this solution and I would like to thank the author of this solution for his great help.

Regards
Rajat


Linux is easy.. People are Difficult

Offline

#11 2015-01-04 07:48:28

Allan
is always right
From: Brisbane, AU
Registered: 2007-06-09
Posts: 10,467
Website

Re: [Solved] makepkg warning about unknown key

rajat wrote:

- add
"keyring /etc/pacman.d/gnupg/pubring.gpg"
  to the end of
~/.gnupg/gpg.conf.


Why? That adds the Arch Linux package keys to your local keyring. This is basically useless for use with makepkg, where the people signing the source tarballs are the upstream developers and have nothing to do with Arch. That only works for cower because an Arch packager develops cower.

Edit: http://allanmcrae.com/2015/01/two-pgp-k … rch-linux/

Offline

#12 2015-01-17 20:51:20

x-yuri
Member
Registered: 2013-01-06
Posts: 102

Re: [Solved] makepkg warning about unknown key

In other words, I had makepkg exiting with an error:

$ makepkg
==> Making package: cower 12-2 (Sat Jan 17 22:46:09 EET 2015)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found cower-12.tar.gz
  -> Found cower-12.tar.gz.sig
==> Validating source files with md5sums...
    cower-12.tar.gz ... Passed
    cower-12.tar.gz.sig ... Skipped
==> Verifying source file signatures with gpg...
    cower-12.tar.gz ... FAILED (unknown public key 1EB2638FF56C0C53)
==> ERROR: One or more PGP signatures could not be verified!

So, I added the key to my keyring:

$ gpg --recv-key 1EB2638FF56C0C53
gpg: key F56C0C53: public key "Dave Reisner <d@falconindy.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

And was able to successfully create the package.

Offline
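
Added example, not part of any post in this thread: the two outcomes shown above ("unknown public key" and "Passed") correspond to the NO_PUBKEY and VALIDSIG lines gpg emits with --status-fd, and a build wrapper can pin the accepted signer instead of skipping the check. The function name classify_sig, the sample status lines and the placeholder fingerprint are assumptions constructed for illustration; only the key ID 1EB2638FF56C0C53 and the signer name come from the thread.

```shell
#!/bin/sh
# Added example: classify gpg status output for one detached signature and
# pin it to an expected signer. Real use (assumes gpg is installed):
#   gpg --status-fd 1 --verify cower-7.tar.gz.sig cower-7.tar.gz 2>/dev/null \
#     | classify_sig 1EB2638FF56C0C53

# classify_sig EXPECTED_LONG_KEYID   (reads "[GNUPG:] ..." lines on stdin)
# Prints: pinned-ok | wrong-signer | unknown-key | bad-signature | no-result
classify_sig() {
    expected=$1
    result=no-result
    while read -r tag keyword arg rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            BADSIG)
                # Key is known but the data does not match the signature.
                result=bad-signature
                break ;;
            NO_PUBKEY)
                # Signer's key is absent from every keyring gpg searched:
                # makepkg's "unknown public key" case.
                result=unknown-key ;;
            VALIDSIG)
                # arg is the signing key's fingerprint; its last 16 hex
                # digits are the long key ID that makepkg prints.
                case $arg in
                    *"$expected") result=pinned-ok ;;
                    *) result=wrong-signer ;;
                esac ;;
        esac
    done
    printf '%s\n' "$result"
}

# Constructed samples, not captured from a real run. The 40-digit fingerprint
# is a placeholder that merely ends in the key ID quoted in this thread.
SAMPLE_UNKNOWN='[GNUPG:] ERRSIG 1EB2638FF56C0C53 1 8 00 1352148353 9
[GNUPG:] NO_PUBKEY 1EB2638FF56C0C53'
SAMPLE_VALID='[GNUPG:] GOODSIG 1EB2638FF56C0C53 Dave Reisner <d@falconindy.com>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAA1EB2638FF56C0C53 2012-11-05 1352148353 0 4 0 1 8 00 AAAAAAAAAAAAAAAAAAAAAAAA1EB2638FF56C0C53'

printf '%s\n' "$SAMPLE_UNKNOWN" | classify_sig 1EB2638FF56C0C53   # unknown-key
printf '%s\n' "$SAMPLE_VALID"   | classify_sig 1EB2638FF56C0C53   # pinned-ok
```

The thread quotes only the 64-bit key ID, so the example pins on that; pinning on the full fingerprint, obtained from the upstream developer through a separate channel, is the stronger check.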
