One or more PGP signatures could not be verified!

Quatro · 2015-01-07 07:13:05

Trying to install anything with pacaur or using makepkg gives out this error:

==> Making package: cower 12-2 (Wed Jan  7 07:11:25 WET 2015)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Downloading cower-12.tar.gz...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 22636  100 22636    0     0  60301      0 --:--:-- --:--:-- --:--:-- 60362
  -> Downloading cower-12.tar.gz.sig...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   287  100   287    0     0   1136      0 --:--:-- --:--:-- --:--:--  1134
==> Validating source files with md5sums...
    cower-12.tar.gz ... Passed
    cower-12.tar.gz.sig ... Skipped
==> Verifying source file signatures with gpg...
    cower-12.tar.gz ... FAILED (unknown public key 1EB2638FF56C0C53)
==> ERROR: One or more PGP signatures could not be verified!

Can someone help?

jasonwryan · 2015-01-07 07:37:46

http://allanmcrae.com/2015/01/two-pgp-k … rch-linux/

Quatro · 2015-01-07 18:41:32

I'm sorry. I still don't what to do. I added the invalid key using pacman key, but it still doesn't work.

Head_on_a_Stick · 2015-01-07 18:51:45

Allan "Broke It" Mcrae wrote:

To get the key use “gpg --recv-key <KEYID>” and trust it (once suitably verified) using “gpg --lsign <KEYID>“.

Did you actually read the blog?

The whole point is that you're not supposed to add public PGP keys to pacman's keyring, you add it to your user's keyring (providing you trust the vendor).

Last edited by Head_on_a_Stick (2015-01-07 18:55:25)

progandy · 2015-01-07 18:52:40

Makepkg doesn't use the pacman keyring, but the one for your username (~/.gnupg/) You'll have to add keys with "gpg --recv-keys" and not pacman-key.

mir91 · 2015-01-16 15:55:06

I get

==> Verifying source file signatures with gpg...
    linux-3.18.tar ... FAILED (unknown public key 79BE3E4300411886)
    patch-3.18.2 ... FAILED (unknown public key 38DBBDC86092693E)

$ gpg --recv-key 79BE3E4300411886

gpg: keyserver receive failed: Address family not supported by protocol

when trying to add the key.

Last edited by mir91 (2015-01-16 15:56:23)

TE · 2015-01-16 16:46:09

Quatro, back to your question -- I have the same problem with cower (the engine behind pacaur), that's what's trying to upgrade - cower is using the shared libraries from pacman, so with the new pacman-4.2 upgrade you have to rebuild/upgrade cower to link to the new libs. His PKGBUILD has this:

source=("http://code.falconindy.com/archive/$pkgname/$pkgname-$pkgver.tar.gz"{,.sig})
validpgpkeys=('487EACC08557AD082088DABA1EB2638FF56C0C53')  # Dave Reisner

It just never works right for me, you're supposed to import his key somehow but I never want to be bothered as I have too many systems and just don't care. If you just do this real quick instead:

curl -L -O https://aur.archlinux.org/packages/co/cower/cower.tar.gz
tar -zxvf cower.tar.gz 
cd cower
makepkg -s --skippgpcheck
sudo pacman -U cower-*.pkg.tar.xz

...that will upgrade your cower skipping the GPG issue, then allow your pacaur to work again. Yes, it's taking a "risk" by not verifying the source as the author intends, but that's no different than any other AUR package. $0.02, evaluate your own risks.

jasonwryan · 2015-01-16 18:27:23

TE wrote:

you're supposed to import his key somehow but I never want to be bothered as I have too many systems and just don't care.

Like everything else, this can be automated with a couple of lines in your ~/.gnupg/gpg.conf file, as described in the wiki.

Potomac · 2015-01-16 21:01:11

jasonwryan wrote:

TE wrote:
you're supposed to import his key somehow but I never want to be bothered as I have too many systems and just don't care.
Like everything else, this can be automated with a couple of lines in your ~/.gnupg/gpg.conf file, as described in the wiki.

I don't find this part in the wiki, can you tell me exactly where have you read this ?

https://wiki.archlinux.org/index.php/Gnupg

clfarron4 · 2015-01-16 21:09:31

Potomac wrote:

jasonwryan wrote:
TE wrote:
you're supposed to import his key somehow but I never want to be bothered as I have too many systems and just don't care.
Like everything else, this can be automated with a couple of lines in your ~/.gnupg/gpg.conf file, as described in the wiki.
I don't find this part in the wiki, can you tell me exactly where have you read this ?
https://wiki.archlinux.org/index.php/Gnupg

I saw automatic importing of missing keys in this BBS thread. Don't know if it is in the ArchWiki though.

Last edited by clfarron4 (2015-01-16 21:09:53)

TE · 2015-01-16 23:53:45

clfarron4 wrote:

Potomac wrote:
jasonwryan wrote:
Like everything else, this can be automated with a couple of lines in your ~/.gnupg/gpg.conf file, as described in the wiki.
I don't find this part in the wiki, can you tell me exactly where have you read this ?
https://wiki.archlinux.org/index.php/Gnupg
I saw automatic importing of missing keys in this BBS thread. Don't know if it is in the ArchWiki though.

Just found it here: https://wiki.archlinux.org/index.php/Ma … e_checking

It is a personal preference, I don't want to import Arch/AUR keys into my normal personal keyring - but reading the gpg (and makepkg) manpage it looks like if you set GNUPGHOME=/some/path first that should work to set a special keyring just for AUR and a custom config from the wiki.

bleach · 2015-01-17 00:14:31

have you tried keyserver-options auto-key-retrieve in gpg.conf

^never mind TE point to that.

Last edited by bleach (2015-01-17 00:20:37)

mir91 · 2015-01-17 01:38:31

So does anyone know why gpg says "Address family not supported by protocol" or should I make a new forum thread for that question?

jasonwryan · 2015-01-17 01:39:56

That's a different topic. When you open it, paste the commands that you used and the verbose debug output.

khaled · 2016-02-15 02:30:03

gpg --recv-keys 2E1AC68ED40814E0
makepkg -sci

x33a · 2016-02-15 04:45:25

@khaled,

please don't necrobump.

https://wiki.archlinux.org/index.php/Fo … bumping.22

Closing.

Arch Linux

#1 2015-01-07 07:13:05

One or more PGP signatures could not be verified!

#2 2015-01-07 07:37:46

Re: One or more PGP signatures could not be verified!

#3 2015-01-07 18:41:32

Re: One or more PGP signatures could not be verified!

#4 2015-01-07 18:51:45

Re: One or more PGP signatures could not be verified!

#5 2015-01-07 18:52:40

Re: One or more PGP signatures could not be verified!

#6 2015-01-16 15:55:06

Re: One or more PGP signatures could not be verified!

#7 2015-01-16 16:46:09

Re: One or more PGP signatures could not be verified!

#8 2015-01-16 18:27:23

Re: One or more PGP signatures could not be verified!

#9 2015-01-16 21:01:11

Re: One or more PGP signatures could not be verified!

#10 2015-01-16 21:09:31

Re: One or more PGP signatures could not be verified!

#11 2015-01-16 23:53:45

Re: One or more PGP signatures could not be verified!

#12 2015-01-17 00:14:31

Re: One or more PGP signatures could not be verified!

#13 2015-01-17 01:38:31

Re: One or more PGP signatures could not be verified!

#14 2015-01-17 01:39:56

Re: One or more PGP signatures could not be verified!

#15 2016-02-15 02:30:03

Re: One or more PGP signatures could not be verified!

#16 2016-02-15 04:45:25

Re: One or more PGP signatures could not be verified!

Board footer