Hello,
When compiling cower 7-1, a strange warning was given by makepkg.
==> Verifying source file signatures with gpg...
cower-7.tar.gz ... FAILED (unknown public key 1EB2638FF56C0C53)
==> WARNING: Warnings have occurred while verifying the signatures.
Please make sure you really trust them.
EDIT: The warning is shown due to signature files attached to the package. It can be solved for packages made by Arch Linux devs:
- run as user
gpg --list-keys
in order to create a gpg database for your current user, if it is not present already.
- add
keyring /etc/pacman.d/gnupg/pubring.gpg
to the end of
~/.gnupg/gpg.conf.
Alternatively, run makepkg with --skippgpcheck to stop makepkg trying to validate the file with its .sig file.
Last edited by teateawhy (2012-11-06 16:22:30)
I assume that makepkg uses your gpg keychain, whereas pacman uses its own.
Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD
Making lemonade from lemons since 2015.
If it's just about cower, you can ask here: https://bbs.archlinux.org/viewtopic.php?id=97137
I assume that makepkg uses your gpg keychain, whereas pacman uses its own.
Thank you for the answer. Now I understand what happened. My signature level "Optional" will only require keys to be checked if there is a key present. Usually AUR submitters do not have a key and no warning shows up.
EDIT:
The error will occur for all AUR PKGBUILDs with attached keys.
The wiki pages about the AUR, makepkg, and creating a package need to be updated about this. They do not mention that makepkg is affiliated with gpg and checks keys during build time. Now I am reading more about the topic. http://allanmcrae.com/2011/08/pacman-pa … -repo-add/
If it's just about cower, you can ask here...
No, it will happen to other AUR packages in certain cases, too, as explained above.
Last edited by teateawhy (2012-11-06 16:13:47)
The error will occur only for AUR PKGBUILDs created by Arch Linux developers, because of present keys.
Mmm, not quite. You'll have the same problem with any PKGBUILD that has an unknown signature, not just AUR packages by the Arch devs.
The warning (it's not really an error) is coming up because the source tarball's signature is included in the source array:
source=("https://github.com/downloads/falconindy/$pkgname/$pkgname-$pkgver.tar.gz"{,.sig})
That's a lazyman's way of writing:
source=("https://github.com/downloads/falconindy/$pkgname/$pkgname-$pkgver.tar.gz"
"https://github.com/downloads/falconindy/$pkgname/$pkgname-$pkgver.tar.gz.sig")
makepkg is smart enough to know that .sig files are used to check the authenticity and integrity of their namesake file, and so automagically runs a gpg check for you. At this point, since you're running makepkg as yourself, gpg is run as you, and uses your ~/.gnupg/pubring.gpg, which I assume doesn't have Dave's key in it. ('gpg --list-keys' would no doubt confirm that).
A quick fix for Arch dev packages would be to add "keyring /etc/pacman.d/gnupg/pubring.gpg" to the end of ~/.gnupg/gpg.conf.
Alternatively, run makepkg with --skippgpcheck to stop makepkg trying to validate the file with its .sig file.
You'll have the same problem with any PKGBUILD that has an unknown signature, not just AUR packages by the Arch devs.
Thanks for clearing this up. Can you give an example of an AUR package with a signature, not made by Arch devs?
gpg --list-keys
This command actually created the trustdb database,
and afterwards I added the suggested line.
When compiling again, the warning disappeared.
==> Verifying source file signatures with gpg...
cower-7.tar.gz ... Passed
==> Extracting Sources...
Thank you for the solution.
Last edited by teateawhy (2012-11-06 17:23:21)
I'm sure there'll be one or two, but I can't think of any AUR packages off the top of my head. There's an abundance of non-AUR packages with signed source files though, e.g. bash, coreutils, less, readline, etc.
Note that the source files in these packages are not signed by the Arch devs, but by the respective project devs. For example, less is signed by Mark Nudelman.
But presumably that's only an issue if you use ABS? Otherwise, you aren't using the source packages, right?
Note that you can manually check the signature using pacman-key independently of makepkg since I guess this pulls the system wide pacman keys. (I just get a warning that the trustdb is not writeable which is good - it shouldn't be.)
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
But presumably that's only an issue if you use ABS?
I don't think it's an issue at all, to be honest.
But the point is that any PKGBUILD can have a signed source tarball, not just ones developed by the Arch devs.
- run as user
gpg --list-keys
in order to create a gpg database for your current user, if it is not present already.
- add
keyring /etc/pacman.d/gnupg/pubring.gpg
to the end of
~/.gnupg/gpg.conf.
This was a solution for me as well. I was trying to install the wine-multimedia package from the AUR and it was failing no matter what I did.
After searching the forums I found this solution, and I would like to thank the author of this solution for his great help.
Regards
Rajat
Linux is easy.. People are Difficult
- add
keyring /etc/pacman.d/gnupg/pubring.gpg
to the end of
~/.gnupg/gpg.conf.
Why? That adds the Arch Linux package keys to your local keyring. This is basically useless for use with makepkg, where the people signing the source tarballs are the upstream developers and have nothing to do with Arch. That only works for cower because an Arch packager develops cower.
In other words, I had makepkg exiting with an error:
$ makepkg
==> Making package: cower 12-2 (Sat Jan 17 22:46:09 EET 2015)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Found cower-12.tar.gz
-> Found cower-12.tar.gz.sig
==> Validating source files with md5sums...
cower-12.tar.gz ... Passed
cower-12.tar.gz.sig ... Skipped
==> Verifying source file signatures with gpg...
cower-12.tar.gz ... FAILED (unknown public key 1EB2638FF56C0C53)
==> ERROR: One or more PGP signatures could not be verified!
So, I added the key to my keyring:
$ gpg --recv-key 1EB2638FF56C0C53
gpg: key F56C0C53: public key "Dave Reisner <d@falconindy.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
And was able to successfully create the package.
You can use
GNUPGHOME=/etc/pacman.d/gnupg makepkg ...
so you don't have to modify your user's gpg keyring and instead use pacman's.
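An added example, not code from this thread and not makepkg's own implementation, that serves two points made above: the explanation that makepkg runs gpg as your user against ~/.gnupg for every source file with a sibling .sig, and the suggestion to point it at pacman's keyring via GNUPGHOME instead. It reproduces that per-file check and classifies the outcome from gpg's machine-readable status lines (GOODSIG, BADSIG, NO_PUBKEY and friends are GnuPG's documented --status-fd keywords; the function names, the verdict wording and the sample status lines in the comments are my own, and cower-12.tar.gz in the usage note is assumed to be sitting in the current directory).

```sh
#!/bin/sh
# Added example, not makepkg's own code: reproduce the signature check makepkg
# runs on a source file that has a sibling .sig, against a chosen GnuPG home.

# classify_gpg_status: read gpg's machine-readable "[GNUPG:] ..." status lines
# from stdin and print one makepkg-style verdict. Keywords are GnuPG's
# documented ones; the key id is the first word after the keyword.
# ERRSIG precedes NO_PUBKEY for an unknown key, so it is only a fallback, and
# a GOODSIG never overrides an earlier failure reported for the same file.
classify_gpg_status() {
    verdict=""
    while read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        keyid=${rest%% *}
        case "$keyword" in
            NO_PUBKEY) verdict="FAILED (unknown public key $keyid)" ;;
            BADSIG)    verdict="FAILED (bad signature from $keyid)" ;;
            EXPKEYSIG) verdict="FAILED (expired key $keyid)" ;;
            REVKEYSIG) verdict="FAILED (revoked key $keyid)" ;;
            ERRSIG)    [ -n "$verdict" ] || verdict="FAILED (could not verify, key $keyid)" ;;
            GOODSIG)   [ -n "$verdict" ] || verdict="Passed" ;;
        esac
    done
    printf '%s\n' "${verdict:-FAILED (no signature status reported)}"
}

# verify_source_sig FILE [GNUPGHOME]: verify FILE against FILE.sig. The default
# home is ~/.gnupg, which is what makepkg ends up using when run as your user;
# pass /etc/pacman.d/gnupg to check against pacman's keyring instead.
# Returns 0 on "Passed", 1 on any failure, 2 when there is no .sig to check.
verify_source_sig() {
    file=$1
    home=${2:-$HOME/.gnupg}
    if [ ! -f "$file.sig" ]; then
        printf '%s ... Skipped (no .sig)\n' "$file"
        return 2
    fi
    # --status-fd 1 sends the parseable status lines to stdout; the localized
    # human-readable text stays on stderr and is deliberately not parsed.
    result=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$file.sig" "$file" 2>/dev/null | classify_gpg_status)
    printf '%s ... %s\n' "$file" "$result"
    [ "$result" = "Passed" ]
}

# Usage (assumes cower-12.tar.gz and cower-12.tar.gz.sig in the current dir):
#   verify_source_sig cower-12.tar.gz                       # your own keyring
#   verify_source_sig cower-12.tar.gz /etc/pacman.d/gnupg   # pacman's keyring
```

Parsing the status fd rather than gpg's stderr is the point: the human-readable text is localized and changes between releases, while the status keywords are stable. Checking against /etc/pacman.d/gnupg as a normal user will print the "trustdb is not writeable" warning mentioned earlier in the thread; that is expected and harmless, since the script only reads it.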
Thanks for sharing, but please don't necrobump.
https://wiki.archlinux.org/index.php/Co … bumping.22
Closing.