
#1 2019-02-18 09:40:35

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 1,988
Website

[solved] makechrootpkg and signing

I migrated my build system to makechrootpkg.
Unfortunately I cannot build signed packages with it.

$ makechrootpkg -cr /home/buildroot -- --sign --key MYKEY
==> Synchronizing chroot copy [/home/buildroot/root] -> [build]...done
==> Making package: dynwg-git r42.5e18aa8-1 (Mon Feb 18 10:28:03 2019)
==> Retrieving sources...
  -> Updating dynwg git repo...
Fetching origin
==> Validating source files with md5sums...
    dynwg ... Skipped
==> ERROR: The key MYKEY does not exist in your keyring.
==> ERROR: Build failed, check /home/buildroot/build/build

So I built them without signing and wanted to sign them afterwards:

gpg -u MYKEY --output dynwg-git-r42.5e18aa8-1-any.pkg.tar.xz.sig --detach-sign dynwg-git-r42.5e18aa8-1-any.pkg.tar.xz

But packages signed this way will be recognized as corrupted by pacman:

$ LANG=C sudo pacman -Syu
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
 multilib is up to date
 homeinfo is up to date
 rne is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (1) dynwg-git-r42.5e18aa8-1

Total Download Size:   0.00 MiB
Total Installed Size:  0.03 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
 dynwg-git-r42.5e18aa8-1-any                                                                            4.6 KiB  0.00B/s 00:00 [#############################################################################] 100%
(1/1) checking keys in keyring                                                                                                 [#############################################################################] 100%
(1/1) checking package integrity                                                                                               [#############################################################################] 100%
error: dynwg-git: signature from "Richard Neumann (http://www.richard-neumann.de/) <mail at richard dash neumann period de>" is invalid
:: File /var/cache/pacman/pkg/dynwg-git-r42.5e18aa8-1-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

How do I correctly sign my packages with makechrootpkg?

Update:
Basically, the manual signing works.
I had a bug in the signing script I used, which wrote the signature to "*.sig.sig" instead of "*.sig".
But I'd rather know how to directly sign using makechrootpkg.

Solution:
Stick with manual signing.

Last edited by schard (2019-02-21 14:12:14)



#2 2019-02-18 15:21:47

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: [solved] makechrootpkg and signing

The most obvious issue is that your GnuPG keyring is not available inside makechrootpkg. You'll need to figure out a workflow for signing, either by forwarding the necessary socket or bind-mounting your $GNUPGHOME.



#3 2019-02-18 15:37:30

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 1,988
Website

Re: [solved] makechrootpkg and signing

Thanks. But, well, that sounds more complicated than the subsequent manual signing.



#4 2019-02-18 15:38:23

Alad
Wiki Admin/IRC Op
From: Bagelstan
Registered: 2014-05-04
Posts: 2,412
Website

Re: [solved] makechrootpkg and signing

https://lists.archlinux.org/pipermail/a … 04341.html

Technically by specifying those variables as makepkg arguments, you can export them:

makechrootpkg -d ... -- DISPLAY=...

Easier to avoid all that by using PKGDEST=foo, foo/* or makepkg --packagelist to retrieve the package names, then sign manually.



#5 2019-02-18 15:39:08

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: [solved] makechrootpkg and signing

It is -- that is why the release scripts we use in archlinux will instead sign the package right before rsync'ing it to the repository server.



Offline
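
The post-build signing workflow this thread settles on, as an added example that is not part of any poster's script: it signs every package file in a PKGDEST directory outside the chroot, never treats an existing *.sig as a package (so no *.sig.sig is produced), and verifies each signature before the package is published. The function names and directory layout are assumptions; MYKEY is the placeholder key name from the first post.

```sh
#!/bin/sh
# Added example: sign packages after makechrootpkg has finished, using the
# host keyring. Function names and the PKGDEST layout are assumptions.

# True if $1 is a package file that still lacks "<file>.sig".
needs_sig() {
    case $1 in *.sig) return 1 ;; esac    # a signature, not a package
    [ -f "$1" ] && [ ! -e "$1.sig" ]
}

# Print every package in directory $1 that has no detached signature yet.
unsigned_pkgs() {
    for f in "$1"/*.pkg.tar*; do
        if needs_sig "$f"; then printf '%s\n' "$f"; fi
    done
}

# Sign each unsigned package in directory $1 with key $2, then verify it.
# pacman expects the signature at exactly "<package file>.sig".
sign_pkgs() {
    for pkg in "$1"/*.pkg.tar*; do
        needs_sig "$pkg" || continue
        gpg --local-user "$2" --output "$pkg.sig" --detach-sign "$pkg" || return 1
        # Fail here, before publishing, rather than at "pacman -Syu" on a client.
        gpg --verify "$pkg.sig" "$pkg" || return 1
    done
}

# Usage: sign-pkgs.sh /path/to/pkgdest MYKEY
if [ "$#" -eq 2 ]; then
    sign_pkgs "$1" "$2"
fi
```

Run it on the directory makechrootpkg wrote the packages to, before adding them to the repository database.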
