You are not logged in.

#1 2016-11-16 23:32:19

likytau
Member
Registered: 2012-09-02
Posts: 137

PGP keys and Aur packages

I've been setting up some new Arch systems in the past few weeks (heh.. I have a lot of packages to install, and unfortunately some need supervision and others suffered critical existence failure while I wasn't looking. But mostly it can be put down to packup's restore function being useless if any error conditions are encountered.)

.. Anyway, I tried to install mimeo, but the following command was needed before it would work. Otherwise it complained about unknown public key and wouldn't continue building.

gpg --recv-keys --keyserver hkp://pgp.mit.edu 1D1F0DC78F173680

Taken from NuSkool's comment in AUR; maybe it should be included in OP?

Last edited by likytau (2016-11-16 23:35:15)

Offline

#2 2016-11-17 02:55:20

Xyne
Moderator/TU
Registered: 2008-08-03
Posts: 6,412
Website

Re: PGP keys and Aur packages

That issue comes up regularly with new users and I often hesitate to launch  a command with aurtomatic to post a comment to all of my AUR packages with the solution. The reason I don't is that it is not a package issue but rather a makepkg "issue". It would only lead to clutter if every package that uses PGP signatures required such a comment in the AUR. The comment doesn't belong in this thread because it isn't an "upstream" issue.

The ideal solution would be for makepkg to make it clearer to users what the issue is, but it can be argued that it already does. The information is already available for anyone who searches. If someone can't find it, they won't find my comments either.  I think at least one of my AUR pages has a comment asking for help with the issue just a few posts above the solution.


My Arch Linux StuffForum EtiquetteCommunity Ethos - Arch is not for everyone

Offline

#3 2016-11-17 06:34:31

likytau
Member
Registered: 2012-09-02
Posts: 137

Re: PGP keys and Aur packages

Not all packages with PGP signing require specification of the keyserver. I've already installed a few such packages by simply using `pacman-key -r $KEYID` before building , but that doesn't work with this package. This makes me wonder whether we are really discussing the same problem, given that you say

It would only lead to clutter if every package that uses PGP signatures required such a comment in the AUR.

Offline

#4 2016-11-17 21:22:06

Xyne
Moderator/TU
Registered: 2008-08-03
Posts: 6,412
Website

Re: PGP keys and Aur packages

likytau wrote:
gpg --recv-keys --keyserver hkp://pgp.mit.edu 1D1F0DC78F173680
likytau wrote:

Not all packages with PGP signing require specification of the keyserver. I've already installed a few such packages by simply using `pacman-key -r $KEYID` before building , but that doesn't work with this package. This makes me wonder whether we are really discussing the same problem

You are comparing gpg, which uses the user's keyring and configuration, to pacman-key, which uses its own keyring and configuration (including a key server).

I suspect that you are confusing package installation from the official repos via pacman with building packages via makepkg. Building packages via makepkg uses the user's keyring for verification via gpg, which is why you need to import those keys to your user keyring. Installing packages from the repos uses the system-wide keyring provided by the archlinux-keyring package via pacman-key.

Incidentally, my signing key on the AUR is the same as my TU signing key so it should already be in pacman-key (you can test it by using "pacman-key --verify" on the Mimeo source files).


My Arch Linux StuffForum EtiquetteCommunity Ethos - Arch is not for everyone

Offline

#5 2016-11-18 00:26:57

likytau
Member
Registered: 2012-09-02
Posts: 137

Re: PGP keys and Aur packages

Frankly, my understanding of keyrings is rather vague. I did suspect that gpg might import into a different database than pacman-key, but since it worked I didn't look too closely into it. Thanks for the clarification on the situation there.

I can't agree that I am confusing package installation from official repos via pacman with building packages via makepkg, though: all packages I have had to invoke pacman-key for with have been AUR packages built using yaourt->makepkg behind the scenes. So it seems to me that I am comparing makepkg (mimeo) with makepkg (other packages).

What you are saying seems to imply that pacman-key doesn't affect the build of AUR/makepkg packages, but my experience was specifically that it does -- I attempted to build a package, got into 'verifying sources' phase, it failed with invalid key, I used pacman-key -r $KEY, rebuilt, no problems. This has occurred for about 4 packages so far.

Incidentally, my signing key on the AUR is the same as my TU signing key so it should already be in pacman-key (you can test it by using "pacman-key --verify" on the Mimeo source files).

That seems reasonable, and `pacman-key --verify mimeo*sig` does report 'Good signature from Xyne [...]'. Given the other factors I have described, I can only conclude that either a) the situation is more complicated than you describe, b) I'm misunderstanding you, or c) both.

Offline

#6 2016-11-18 02:48:30

Xyne
Moderator/TU
Registered: 2008-08-03
Posts: 6,412
Website

Re: PGP keys and Aur packages

Unless I am missing something, pacman-key normally isn't involved with building packages via makepkg. If refreshing keys with pacman-key enables yaourt to build some packages but not others then I would try to figure how it is using pacman-key. Given that my key is in the Arch keyring, it should "just work" if yaourt is using that to verify sources.

Which packages failed to build with yaourt before refreshing keys with pacman-key, and then built successfully afterwards?


My Arch Linux StuffForum EtiquetteCommunity Ethos - Arch is not for everyone

Offline

#7 2016-11-18 03:19:40

likytau
Member
Registered: 2012-09-02
Posts: 137

Re: PGP keys and Aur packages

Nope, sorry, that was days and hundreds of packages ago, and pacman-key -l doesn't provide anything particularly revealing, nor does /var/log/pacman.log.

Offline

#8 2016-11-18 03:51:04

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 2,853

Re: PGP keys and Aur packages

It sounds like you have specified "keyring /etc/pacman.d/gnupg/pubring.gpg" in your ~/.gnupg/gpg.conf -- and therefore gpg has included your pacman-key keyring.
Because, there is absolutely no other explanation for adding a key to pacman-key and then having access to it in gpg.

pacman uses GnuPG with a GNUPGHOME=/etc/pacman.d/gnupg to track the trusted pacman keys, your user uses the default GNUPGHOME=~/.gnupg
pacman-key is nothing but a wrapper script which adds the --homedir option to gpg and offers usage options specific to the pacman keyring...

One of the pacman-key options automatically sets the keyserver to one arbitrarily chosen by pacman developers. It shouldn't really matter, since most servers sync with each other, but regardless, if you are having gpg issues preventing you from downloading keys, then that has nothing to do with mimeo and you should open a new thread asking why you, specifically, are having issues.

tl;dr
Nothing to do with this thread, moving on...


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#9 2016-11-18 22:29:59

likytau
Member
Registered: 2012-09-02
Posts: 137

Re: PGP keys and Aur packages

Eschwartz wrote:

It sounds like you have specified "keyring /etc/pacman.d/gnupg/pubring.gpg" in your ~/.gnupg/gpg.conf -- and therefore gpg has included your pacman-key keyring.
Because, there is absolutely no other explanation for adding a key to pacman-key and then having access to it in gpg.

Well it's easy to see that assertion is wrong, since ~/.gnupg/gpg.conf is completely default (only contains commented lines and blank lines, verified using `grep -Ev '^[#]' ~/.gnupg/gpg.conf`)

One of the pacman-key options automatically sets the keyserver to one arbitrarily chosen by pacman developers. It shouldn't really matter, since most servers sync with each other, but regardless, if you are having gpg issues preventing you from downloading keys, then that has nothing to do with mimeo and you should open a new thread asking why you, specifically, are having issues.

Key, singular. I don't see why Xyne's key should be special either (or why I should need to manually download it at all seeing as he's TU), but there you go. Other keys are fine and, as I pointed out, there is no custom gpg configuration confusing the issue.

Offline

#10 2016-11-19 02:28:46

Xyne
Moderator/TU
Registered: 2008-08-03
Posts: 6,412
Website

Re: PGP keys and Aur packages

likytau wrote:

Key, singular. I don't see why Xyne's key should be special either (or why I should need to manually download it at all seeing as he's TU), but there you go. Other keys are fine and, as I pointed out, there is no custom gpg configuration confusing the issue.

You should need to download all keys used to check signatures with makepkg. The mystery here is that you were somehow able to refresh keys with pacman-key and get it to work when building the package. That is either due to yaourt's funky special sauce  or perhaps some confusion about the error messages (e.g. perhaps yaourt reports missing keys for the downloads pacman packages and not the source files).

In either case, this is not a mimeo issue or an issue with my key so I suggest that further discussion of the issue be moved to a new thread. Before doing that though, it would be good to double-check the assumptions made so far with working examples (i.e. a package that fails to build due to missing keys that subsequently builds after a refresh with pacman-key).


My Arch Linux StuffForum EtiquetteCommunity Ethos - Arch is not for everyone

Offline

#11 2016-11-20 02:09:44

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 2,853

Re: PGP keys and Aur packages

likytau wrote:
Eschwartz wrote:

It sounds like you have specified "keyring /etc/pacman.d/gnupg/pubring.gpg" in your ~/.gnupg/gpg.conf -- and therefore gpg has included your pacman-key keyring.
Because, there is absolutely no other explanation for adding a key to pacman-key and then having access to it in gpg.

Well it's easy to see that assertion is wrong, since ~/.gnupg/gpg.conf is completely default (only contains commented lines and blank lines, verified using `grep -Ev '^[#]' ~/.gnupg/gpg.conf`)

I don't know what you think I asserted, but what I actually asserted is that either:
you are wrong in your belief that pacman-key allowed you to successfully validate makepkg sources via GPG, which peviously failed due to a missing key,
OR
you had the keyring option.

But I will admit I just thought of a third option -- you could have gpg set via an environment variable, to use pacman-key's homedir. I cannot imagine why you would do such a thing, though (whereas I do use the keyring option).

And from the start, I suspected the answer was option #1. wink

Xyne wrote:

You should need to download all keys used to check signatures with makepkg. The mystery here is that you were somehow able to refresh keys with pacman-key and get it to work when building the package. That is either due to yaourt's funky special sauce  or perhaps some confusion about the error messages (e.g. perhaps yaourt reports missing keys for the downloads pacman packages and not the source files).

In either case, this is not a mimeo issue or an issue with my key so I suggest that further discussion of the issue be moved to a new thread. Before doing that though, it would be good to double-check the assumptions made so far with working examples (i.e. a package that fails to build due to missing keys that subsequently builds after a refresh with pacman-key).

Or just test whether the key is available with `gpg --list-public-keys`, rather than depend on status messages from yaourt or makepkg to merely imply the answer.

I can confirm that the yaourt sources only mentions gpg in one location, and that is when parsing options to pass --gpgdir on to pacman. Not that I expected any different, since I use yaourt to build gpg-signed package sources and ended up adding keyring to my gpg.conf specifically because yaourt does not have any such special sauce -- and rightly so!

Aren't you a moderator? Maybe you could just move this discussion...


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#12 2016-12-03 17:49:06

Xyne
Moderator/TU
Registered: 2008-08-03
Posts: 6,412
Website

Re: PGP keys and Aur packages

Eschwartz wrote:

Aren't you a moderator? Maybe you could just move this discussion...

Indeed smile


My Arch Linux StuffForum EtiquetteCommunity Ethos - Arch is not for everyone

Offline

Board footer

Powered by FluxBB