You are not logged in.

#1 2019-11-04 17:56:53

MintCollie
Member
Registered: 2019-10-23
Posts: 13

[SOLVED]How to verify pgp key from pacman?

Hello everyone,

Today I ran sudo pacman -Syu and was presented with two new questions that I haven't encountered with my brief time with arch. It asked me to import two pgp keys. The first was from a "Christian Hesse <arch@eworm.de>" which I was able to find on the wiki and felt safe enough with adding it. But the second one gave me an error so I did not import it and pacman error'ed out.

error: cryptsetup: key "PGPKEY" is unknown

would there be any way to verify the pgp key somewhere?
(i removed the pgp key from the code as I was afraid if i should share it or not.)

Last edited by MintCollie (2019-11-11 05:06:57)

Offline

#2 2019-11-04 18:06:45

loqs
Member
Registered: 2014-03-06
Posts: 9,074

Re: [SOLVED]How to verify pgp key from pacman?

Please post the command you used and its full output.  The pgp signature is not the a private key.
The key you added for Christian Hesse is used to signed the cryptsetup package,  so how did you add it?
Also the output of the following please

pacman-key --list-keys eworm

Last edited by loqs (2019-11-04 18:08:28)

Offline

#3 2019-11-04 18:30:38

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 22,272
Website

Re: [SOLVED]How to verify pgp key from pacman?

As I understand it (which honestly isn't that far) you should be safe simply answering yes to those questions from pacman.  It is wise to be careful with the initial accepting of the master keys, but Christian Hesse's is not one of these.  Rather Christian Hesse's key is signed by the 6 master keys, so pacman can automatically import it (you trust the master keys, and the master key holders trust Christian Hesse, so you do not need to go out of your way to verify his key/sig).


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#4 2019-11-04 22:16:34

MintCollie
Member
Registered: 2019-10-23
Posts: 13

Re: [SOLVED]How to verify pgp key from pacman?

loqs wrote:

Please post the command you used and its full output.  The pgp signature is not the a private key.
The key you added for Christian Hesse is used to signed the cryptsetup package,  so how did you add it?
Also the output of the following please

pacman-key --list-keys eworm

ok so I have a huge output here so I hope that thats alright to post and im hoping this is what your asking for

[mint@arch-server ~]$ sudo pacman -Syu
[sudo] password for mint: 
:: Synchronizing package databases...
 core                    133.6 KiB   292 KiB/s 00:00 [###########################] 100%
 extra                  1641.5 KiB  2.90 MiB/s 00:01 [###########################] 100%
 community                 4.8 MiB  7.15 MiB/s 00:01 [###########################] 100%
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (8) bluez-libs-5.52-1  cryptsetup-2.2.2-1  go-2:1.13.4-1  iana-etc-20191030-1
             libedit-20191025_3.1-1  libnm-1.20.4-2  networkmanager-1.20.4-2
             pacman-5.2.1-1

Total Download Size:   127.91 MiB
Total Installed Size:  515.68 MiB
Net Upgrade Size:       -0.33 MiB

:: Proceed with installation? [Y/n] y
:: Retrieving packages...
 iana-etc-20191030-...   368.5 KiB   582 KiB/s 00:01 [###########################] 100%
 cryptsetup-2.2.2-1...   470.1 KiB  2.92 MiB/s 00:00 [###########################] 100%
 libedit-20191025_3...    99.1 KiB  32.3 MiB/s 00:00 [###########################] 100%
 pacman-5.2.1-1-x86_64   742.7 KiB  4.19 MiB/s 00:00 [###########################] 100%
 bluez-libs-5.52-1-...    70.6 KiB  17.2 MiB/s 00:00 [###########################] 100%
 libnm-1.20.4-2-x86_64  1042.8 KiB  5.48 MiB/s 00:00 [###########################] 100%
 networkmanager-1.2...     2.8 MiB  4.55 MiB/s 00:01 [###########################] 100%
 go-2:1.13.4-1-x86_64    122.4 MiB  7.48 MiB/s 00:16 [###########################] 100%
(8/8) checking keys in keyring                       [###########################] 100%
downloading required keys...
:: Import PGP key 6D42BDD116E0068F, "Christian Hesse <arch@eworm.de>"? [Y/n] y
(8/8) checking package integrity                     [###########################] 100%
error: cryptsetup: key "0429897DE5F3BDAC537A30696D42BDD116E0068F" is unknown
:: Import PGP key 0429897DE5F3BDAC537A30696D42BDD116E0068F? [Y/n] n
:: File /var/cache/pacman/pkg/cryptsetup-2.2.2-1-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.
[mint@arch-server ~]$ 

as you can see it asked me to add the PGP key 6D42BDD116E0068F which is where i got Christian Hesse from.

here is the output of

pacman-key --list-keys eworm
[mint@arch-server ~]$ pacman-key --list-keys eworm
gpg: Note: trustdb not writable
pub   rsa2048 2011-08-12 [SC]
      02FD1C7A934E614545849F19A6234074498E9CEE
uid           [  full  ] Christian Hesse (Arch Linux Package Signing) <arch@eworm.de>
sub   rsa2048 2011-08-12 [E]

Offline

#5 2019-11-04 22:35:55

loqs
Member
Registered: 2014-03-06
Posts: 9,074

Re: [SOLVED]How to verify pgp key from pacman?

gpg --homedir /etc/pacman.d/gnupg --fingerprint --fingerprint eworm
gpg: WARNING: unsafe ownership on homedir '/etc/pacman.d/gnupg'
gpg: Note: trustdb not writable
pub   rsa2048 2011-08-12 [SC]
      02FD 1C7A 934E 6145 4584  9F19 A623 4074 498E 9CEE
uid           [  full  ] Christian Hesse (Arch Linux Package Signing) <arch@eworm.de>
sub   rsa2048 2011-08-12 [E]
      9269 AECC A0E1 AF21 1A78  5CFB 51F0 0134 67F1 E8BF
sub   ed25519 2019-08-29 [S]
      0429 897D E5F3 BDAC 537A  3069 6D42 BDD1 16E0 068F
sub   cv25519 2019-08-29 [E]
      BEEC 2D8D 85F4 CFC3 7B69  FE5F BCC3 A7D4 E4CE 4CE4

The package is signed by the ed25519 subkey which is missing from the pacman keyring.
What version is archlinux-keyring?

Offline

#6 2019-11-06 14:51:08

MintCollie
Member
Registered: 2019-10-23
Posts: 13

Re: [SOLVED]How to verify pgp key from pacman?

loqs wrote:
gpg --homedir /etc/pacman.d/gnupg --fingerprint --fingerprint eworm
gpg: WARNING: unsafe ownership on homedir '/etc/pacman.d/gnupg'
gpg: Note: trustdb not writable
pub   rsa2048 2011-08-12 [SC]
      02FD 1C7A 934E 6145 4584  9F19 A623 4074 498E 9CEE
uid           [  full  ] Christian Hesse (Arch Linux Package Signing) <arch@eworm.de>
sub   rsa2048 2011-08-12 [E]
      9269 AECC A0E1 AF21 1A78  5CFB 51F0 0134 67F1 E8BF
sub   ed25519 2019-08-29 [S]
      0429 897D E5F3 BDAC 537A  3069 6D42 BDD1 16E0 068F
sub   cv25519 2019-08-29 [E]
      BEEC 2D8D 85F4 CFC3 7B69  FE5F BCC3 A7D4 E4CE 4CE4

The package is signed by the ed25519 subkey which is missing from the pacman keyring.
What version is archlinux-keyring?

I ran the same command as you listed and im missing the ed25519 & cv25519 subkeys.
How would I go about checking what version archlinux-keyring is?

Offline

#7 2019-11-06 15:03:55

loqs
Member
Registered: 2014-03-06
Posts: 9,074

Re: [SOLVED]How to verify pgp key from pacman?

Pacman#Querying_package_databases

pacman -Q archlinux-keyring

Offline

#8 2019-11-06 15:17:48

MintCollie
Member
Registered: 2019-10-23
Posts: 13

Re: [SOLVED]How to verify pgp key from pacman?

loqs wrote:

Pacman#Querying_package_databases

pacman -Q archlinux-keyring

Thank you!
This was the output I received.

[mint@arch-server ~]$ pacman -Q archlinux-keyring
archlinux-keyring 20191018-1

Offline

#9 2019-11-06 17:55:12

MintCollie
Member
Registered: 2019-10-23
Posts: 13

Re: [SOLVED]How to verify pgp key from pacman?

I was able to update successfully after running

sudo pacman-key --refresh-keys

was that the correct thing to do?

Offline

#10 2019-11-06 18:56:02

loqs
Member
Registered: 2014-03-06
Posts: 9,074

Re: [SOLVED]How to verify pgp key from pacman?

Either allowing pacman to download the key or `pacman-key --refresh-keys` should achieve the same result and are correct solutions to the issue.
As Trilby already noted those solutions require the keys obtained to be signed by already trusted keys.

It is surprising that the keyring did not contain the key already as it is in the archlinux-keyring package on your system.
The following creates a temporary new pacman-keyring,  populates it from archlinux-keyring than looks for eworm's keys,
on my system it matched the result from post #5.

# pacman-key --gpgdir /tmp/gnupg --import
# pacman-key --gpgdir /tmp/gnupg --populate
gpg --homedir /tmp/gnupg --fingerprint --fingerprint eworm

Offline

#11 2019-11-06 22:15:06

MintCollie
Member
Registered: 2019-10-23
Posts: 13

Re: [SOLVED]How to verify pgp key from pacman?

loqs wrote:

Either allowing pacman to download the key or `pacman-key --refresh-keys` should achieve the same result and are correct solutions to the issue.
As Trilby already noted those solutions require the keys obtained to be signed by already trusted keys.

It is surprising that the keyring did not contain the key already as it is in the archlinux-keyring package on your system.
The following creates a temporary new pacman-keyring,  populates it from archlinux-keyring than looks for eworm's keys,
on my system it matched the result from post #5.

# pacman-key --gpgdir /tmp/gnupg --import
# pacman-key --gpgdir /tmp/gnupg --populate
gpg --homedir /tmp/gnupg --fingerprint --fingerprint eworm

when I try to run

pacman-key --gpgdir /tmp/gnupg --populate

I get the following error

==> ERROR: No targets specified

Offline

#12 2019-11-06 22:33:24

loqs
Member
Registered: 2014-03-06
Posts: 9,074

Re: [SOLVED]How to verify pgp key from pacman?

pacman-key --gpgdir /tmp/gnupg --populate archlinux

Offline

#13 2019-11-07 16:14:00

MintCollie
Member
Registered: 2019-10-23
Posts: 13

Re: [SOLVED]How to verify pgp key from pacman?

loqs wrote:
pacman-key --gpgdir /tmp/gnupg --populate archlinux

ah thank you, I ran that command and it seemed to work but it's saying dont have correct permissions even with sudo.

==> ERROR: You do not have sufficient permissions to read the pacman keyring.
==> Use 'pacman-key --init' to correct the keyring permissions.

Offline

#14 2019-11-07 17:15:16

MintCollie
Member
Registered: 2019-10-23
Posts: 13

Re: [SOLVED]How to verify pgp key from pacman?

I tried running

sudo pacman-key --init

and rerunning the previous command  but I get the same error.

Offline

#15 2019-11-07 17:37:57

loqs
Member
Registered: 2014-03-06
Posts: 9,074

Re: [SOLVED]How to verify pgp key from pacman?

Output from this system

$ sudo pacman-key --gpgdir /tmp/gnupg --init
gpg: /tmp/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/tmp/gnupg/secring.gpg' to gpg-agent
gpg: migration succeeded
gpg: Generating pacman keyring master key...
gpg: key 8F0DFB9AE1DDFC8E marked as ultimately trusted
gpg: directory '/tmp/gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/tmp/gnupg/openpgp-revocs.d/2D8936B8205A0907F127F1288F0DFB9AE1DDFC8E.rev'
gpg: Done
==> Updating trust database...
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
$ sudo pacman-key --gpgdir /tmp/gnupg --populate archlinux
==> Appending keys from archlinux.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signing key D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C...
  -> Locally signing key DDB867B92AA789C165EEFA799B729B06A680C281...
  -> Locally signing key 91FFE0700E80619CEB73235CA88E23E377514E00...
  -> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
  -> Locally signing key AB19265E5D7D20687D303246BA1DFB64FFF979E7...
==> Importing owner trust values...
gpg: inserting ownertrust of 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
==> Disabling revoked keys in keyring...
  -> Disabling key 8F76BEEA0289F9E1D3E229C05F946DED983D4366...
  -> Disabling key 63F395DE2D6398BBE458F281F2DBB4931985A992...
  -> Disabling key 50F33E2E5B0C3D900424ABE89BDCF497A4BBCC7F...
  -> Disabling key 27FFC4769E19F096D41D9265A04F9397CDFD6BB0...
  -> Disabling key 39F880E50E49A4D11341E8F939E4F17F295AFBF4...
  -> Disabling key 8840BD07FC24CB7CE394A07CCF7037A4F27FB7DA...
  -> Disabling key 5559BC1A32B8F76B3FCCD9555FA5E5544F010D48...
  -> Disabling key 0B20CA1931F5DA3A70D0F8D2EA6836E1AB441196...
  -> Disabling key 07DFD3A0BC213FA12EDC217559B3122E2FA915EC...
  -> Disabling key 4FCF887689C41B09506BE8D5F3E1D5C5D30DB0AD...
  -> Disabling key 5A2257D19FF7E1E0E415968CE62F853100F0D0F0...
  -> Disabling key D921CABED130A5690EF1896E81AF739EC0711BF1...
  -> Disabling key 7FA647CD89891DEDC060287BB9113D1ED21E1A55...
  -> Disabling key BC1FBE4D2826A0B51E47ED62E2539214C6C11350...
  -> Disabling key 4A8B17E20B88ACA61860009B5CED81B7C2E5C0D2...
  -> Disabling key 5696C003B0854206450C8E5BE613C09CB4440678...
  -> Disabling key 684148BB25B49E986A4944C55184252D824B18E8...
  -> Disabling key 8CF934E339CAD8ABF342E822E711306E3C4F88BC...
  -> Disabling key F5A361A3A13554B85E57DDDAAF7EF7873CFD4BB6...
  -> Disabling key 5E7585ADFF106BFFBBA319DC654B877A0864983E...
  -> Disabling key 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A...
  -> Disabling key 40440DC037C05620984379A6761FAD69BA06C6A9...
  -> Disabling key 34C5D94FE7E7913E86DC427E7FB1A3800C84C0A5...
  -> Disabling key 81D7F8241DB38BC759C80FCE3A726C6170E80477...
  -> Disabling key E7210A59715F6940CF9A4E36A001876699AD6E84...
  -> Disabling key 5357F3B111688D88C1D88119FCF2CB179205AC90...
  -> Disabling key FB871F0131FEA4FB5A9192B4C8880A6406361833...
  -> Disabling key 66BD74A036D522F51DD70A3C7F2A16726521E06D...
  -> Disabling key B1F2C889CB2CCB2ADA36D963097D629E437520BD...
  -> Disabling key 9515D8A8EAB88E49BB65EDBCE6B456CAF15447D5...
  -> Disabling key 76B4192E902C0A52642C63C273B8ED52F1D357C1...
  -> Disabling key 40776A5221EF5AD468A4906D42A1DB15EC133BAD...
  -> Disabling key D4DE5ABDE2A7287644EAC7E36D1A9E70E19DAA50...
  -> Disabling key 44D4A033AC140143927397D47EFD567D4C7EA887...
==> Updating trust database...
gpg: key 1EB2638FF56C0C53: no user ID for key signature packet of class 10
gpg: key 1EB2638FF56C0C53: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   5  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   5  signed:  79  trust: 0-, 0q, 0n, 5m, 0f, 0u
gpg: depth: 2  valid:  74  signed:  24  trust: 74-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2020-01-22
$ gpg --homedir /tmp/gnupg --fingerprint --fingerprint eworm
gpg: WARNING: unsafe ownership on homedir '/tmp/gnupg'
gpg: Note: trustdb not writable
pub   rsa2048 2011-08-12 [SC]
      02FD 1C7A 934E 6145 4584  9F19 A623 4074 498E 9CEE
uid           [  full  ] Christian Hesse (Arch Linux Package Signing) <arch@eworm.de>
sub   rsa2048 2011-08-12 [E]
      9269 AECC A0E1 AF21 1A78  5CFB 51F0 0134 67F1 E8BF
sub   ed25519 2019-08-29 [S]
      0429 897D E5F3 BDAC 537A  3069 6D42 BDD1 16E0 068F
sub   cv25519 2019-08-29 [E]
      BEEC 2D8D 85F4 CFC3 7B69  FE5F BCC3 A7D4 E4CE 4CE4

Offline

#16 2019-11-08 15:23:56

MintCollie
Member
Registered: 2019-10-23
Posts: 13

Re: [SOLVED]How to verify pgp key from pacman?

loqs wrote:

Output from this system

$ sudo pacman-key --gpgdir /tmp/gnupg --init
gpg: /tmp/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/tmp/gnupg/secring.gpg' to gpg-agent
gpg: migration succeeded
gpg: Generating pacman keyring master key...
gpg: key 8F0DFB9AE1DDFC8E marked as ultimately trusted
gpg: directory '/tmp/gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/tmp/gnupg/openpgp-revocs.d/2D8936B8205A0907F127F1288F0DFB9AE1DDFC8E.rev'
gpg: Done
==> Updating trust database...
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
$ sudo pacman-key --gpgdir /tmp/gnupg --populate archlinux
==> Appending keys from archlinux.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signing key D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C...
  -> Locally signing key DDB867B92AA789C165EEFA799B729B06A680C281...
  -> Locally signing key 91FFE0700E80619CEB73235CA88E23E377514E00...
  -> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
  -> Locally signing key AB19265E5D7D20687D303246BA1DFB64FFF979E7...
==> Importing owner trust values...
gpg: inserting ownertrust of 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
==> Disabling revoked keys in keyring...
  -> Disabling key 8F76BEEA0289F9E1D3E229C05F946DED983D4366...
  -> Disabling key 63F395DE2D6398BBE458F281F2DBB4931985A992...
  -> Disabling key 50F33E2E5B0C3D900424ABE89BDCF497A4BBCC7F...
  -> Disabling key 27FFC4769E19F096D41D9265A04F9397CDFD6BB0...
  -> Disabling key 39F880E50E49A4D11341E8F939E4F17F295AFBF4...
  -> Disabling key 8840BD07FC24CB7CE394A07CCF7037A4F27FB7DA...
  -> Disabling key 5559BC1A32B8F76B3FCCD9555FA5E5544F010D48...
  -> Disabling key 0B20CA1931F5DA3A70D0F8D2EA6836E1AB441196...
  -> Disabling key 07DFD3A0BC213FA12EDC217559B3122E2FA915EC...
  -> Disabling key 4FCF887689C41B09506BE8D5F3E1D5C5D30DB0AD...
  -> Disabling key 5A2257D19FF7E1E0E415968CE62F853100F0D0F0...
  -> Disabling key D921CABED130A5690EF1896E81AF739EC0711BF1...
  -> Disabling key 7FA647CD89891DEDC060287BB9113D1ED21E1A55...
  -> Disabling key BC1FBE4D2826A0B51E47ED62E2539214C6C11350...
  -> Disabling key 4A8B17E20B88ACA61860009B5CED81B7C2E5C0D2...
  -> Disabling key 5696C003B0854206450C8E5BE613C09CB4440678...
  -> Disabling key 684148BB25B49E986A4944C55184252D824B18E8...
  -> Disabling key 8CF934E339CAD8ABF342E822E711306E3C4F88BC...
  -> Disabling key F5A361A3A13554B85E57DDDAAF7EF7873CFD4BB6...
  -> Disabling key 5E7585ADFF106BFFBBA319DC654B877A0864983E...
  -> Disabling key 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A...
  -> Disabling key 40440DC037C05620984379A6761FAD69BA06C6A9...
  -> Disabling key 34C5D94FE7E7913E86DC427E7FB1A3800C84C0A5...
  -> Disabling key 81D7F8241DB38BC759C80FCE3A726C6170E80477...
  -> Disabling key E7210A59715F6940CF9A4E36A001876699AD6E84...
  -> Disabling key 5357F3B111688D88C1D88119FCF2CB179205AC90...
  -> Disabling key FB871F0131FEA4FB5A9192B4C8880A6406361833...
  -> Disabling key 66BD74A036D522F51DD70A3C7F2A16726521E06D...
  -> Disabling key B1F2C889CB2CCB2ADA36D963097D629E437520BD...
  -> Disabling key 9515D8A8EAB88E49BB65EDBCE6B456CAF15447D5...
  -> Disabling key 76B4192E902C0A52642C63C273B8ED52F1D357C1...
  -> Disabling key 40776A5221EF5AD468A4906D42A1DB15EC133BAD...
  -> Disabling key D4DE5ABDE2A7287644EAC7E36D1A9E70E19DAA50...
  -> Disabling key 44D4A033AC140143927397D47EFD567D4C7EA887...
==> Updating trust database...
gpg: key 1EB2638FF56C0C53: no user ID for key signature packet of class 10
gpg: key 1EB2638FF56C0C53: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   5  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   5  signed:  79  trust: 0-, 0q, 0n, 5m, 0f, 0u
gpg: depth: 2  valid:  74  signed:  24  trust: 74-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2020-01-22
$ gpg --homedir /tmp/gnupg --fingerprint --fingerprint eworm
gpg: WARNING: unsafe ownership on homedir '/tmp/gnupg'
gpg: Note: trustdb not writable
pub   rsa2048 2011-08-12 [SC]
      02FD 1C7A 934E 6145 4584  9F19 A623 4074 498E 9CEE
uid           [  full  ] Christian Hesse (Arch Linux Package Signing) <arch@eworm.de>
sub   rsa2048 2011-08-12 [E]
      9269 AECC A0E1 AF21 1A78  5CFB 51F0 0134 67F1 E8BF
sub   ed25519 2019-08-29 [S]
      0429 897D E5F3 BDAC 537A  3069 6D42 BDD1 16E0 068F
sub   cv25519 2019-08-29 [E]
      BEEC 2D8D 85F4 CFC3 7B69  FE5F BCC3 A7D4 E4CE 4CE4

I was able to run that command

$ sudo pacman-key --gpgdir /tmp/gnupg --init
gpg: /tmp/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/tmp/gnupg/secring.gpg' to gpg-agent
gpg: migration succeeded
gpg: Generating pacman keyring master key...
gpg: key 22D9ED8C19E47F79 marked as ultimately trusted
gpg: directory '/tmp/gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/tmp/gnupg/openpgp-revocs.d/3AA7208E2ECE1A196931D30522D9ED8C19E47F79.rev'
gpg: Done
==> Updating trust database...
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

So I tried running the code from post #12 again and received this error.

$ sudo pacman-key --gpgdir /tmp/gnupg --import archlinux
==> ERROR: File archlinux/pubring.gpg does not exist and could not be imported.

Offline

#17 2019-11-08 16:28:43

loqs
Member
Registered: 2014-03-06
Posts: 9,074

Re: [SOLVED]How to verify pgp key from pacman?

$ sudo pacman-key --gpgdir /tmp/gnupg --import archlinux

--import is not --populate

sudo pacman-key --gpgdir /tmp/gnupg --populate archlinux

Edit:
the commands I posted in post #10 were incorrect.  The ones I used in post #15 were correct.
In #10 the first command should have been

$ sudo pacman-key --gpgdir /tmp/gnupg --init

not

$ sudo pacman-key --gpgdir /tmp/gnupg --import

Last edited by loqs (2019-11-08 16:32:54)

Offline

#18 2019-11-08 18:37:58

MintCollie
Member
Registered: 2019-10-23
Posts: 13

Re: [SOLVED]How to verify pgp key from pacman?

loqs wrote:
$ sudo pacman-key --gpgdir /tmp/gnupg --import archlinux

--import is not --populate

sudo pacman-key --gpgdir /tmp/gnupg --populate archlinux

Edit:
the commands I posted in post #10 were incorrect.  The ones I used in post #15 were correct.
In #10 the first command should have been

$ sudo pacman-key --gpgdir /tmp/gnupg --init

not

$ sudo pacman-key --gpgdir /tmp/gnupg --import

my apologies in running the incorrect command. I tried the --populate option and that ran correctly it seems.

$ sudo pacman-key --gpgdir /tmp/gnupg --populate archlinux
==> Appending keys from archlinux.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signing key D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C...
  -> Locally signing key DDB867B92AA789C165EEFA799B729B06A680C281...
  -> Locally signing key 91FFE0700E80619CEB73235CA88E23E377514E00...
  -> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
  -> Locally signing key AB19265E5D7D20687D303246BA1DFB64FFF979E7...
==> Importing owner trust values...
gpg: inserting ownertrust of 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
==> Disabling revoked keys in keyring...
  -> Disabling key 8F76BEEA0289F9E1D3E229C05F946DED983D4366...
  -> Disabling key 63F395DE2D6398BBE458F281F2DBB4931985A992...
  -> Disabling key 50F33E2E5B0C3D900424ABE89BDCF497A4BBCC7F...
  -> Disabling key 27FFC4769E19F096D41D9265A04F9397CDFD6BB0...
  -> Disabling key 39F880E50E49A4D11341E8F939E4F17F295AFBF4...
  -> Disabling key 8840BD07FC24CB7CE394A07CCF7037A4F27FB7DA...
  -> Disabling key 5559BC1A32B8F76B3FCCD9555FA5E5544F010D48...
  -> Disabling key 0B20CA1931F5DA3A70D0F8D2EA6836E1AB441196...
  -> Disabling key 07DFD3A0BC213FA12EDC217559B3122E2FA915EC...
  -> Disabling key 4FCF887689C41B09506BE8D5F3E1D5C5D30DB0AD...
  -> Disabling key 5A2257D19FF7E1E0E415968CE62F853100F0D0F0...
  -> Disabling key D921CABED130A5690EF1896E81AF739EC0711BF1...
  -> Disabling key 7FA647CD89891DEDC060287BB9113D1ED21E1A55...
  -> Disabling key BC1FBE4D2826A0B51E47ED62E2539214C6C11350...
  -> Disabling key 4A8B17E20B88ACA61860009B5CED81B7C2E5C0D2...
  -> Disabling key 5696C003B0854206450C8E5BE613C09CB4440678...
  -> Disabling key 684148BB25B49E986A4944C55184252D824B18E8...
  -> Disabling key 8CF934E339CAD8ABF342E822E711306E3C4F88BC...
  -> Disabling key F5A361A3A13554B85E57DDDAAF7EF7873CFD4BB6...
  -> Disabling key 5E7585ADFF106BFFBBA319DC654B877A0864983E...
  -> Disabling key 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A...
  -> Disabling key 40440DC037C05620984379A6761FAD69BA06C6A9...
  -> Disabling key 34C5D94FE7E7913E86DC427E7FB1A3800C84C0A5...
  -> Disabling key 81D7F8241DB38BC759C80FCE3A726C6170E80477...
  -> Disabling key E7210A59715F6940CF9A4E36A001876699AD6E84...
  -> Disabling key 5357F3B111688D88C1D88119FCF2CB179205AC90...
  -> Disabling key FB871F0131FEA4FB5A9192B4C8880A6406361833...
  -> Disabling key 66BD74A036D522F51DD70A3C7F2A16726521E06D...
  -> Disabling key B1F2C889CB2CCB2ADA36D963097D629E437520BD...
  -> Disabling key 9515D8A8EAB88E49BB65EDBCE6B456CAF15447D5...
  -> Disabling key 76B4192E902C0A52642C63C273B8ED52F1D357C1...
  -> Disabling key 40776A5221EF5AD468A4906D42A1DB15EC133BAD...
  -> Disabling key D4DE5ABDE2A7287644EAC7E36D1A9E70E19DAA50...
  -> Disabling key 44D4A033AC140143927397D47EFD567D4C7EA887...
==> Updating trust database...
gpg: key 1EB2638FF56C0C53: no user ID for key signature packet of class 10
gpg: key 1EB2638FF56C0C53: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   5  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   5  signed:  79  trust: 0-, 0q, 0n, 5m, 0f, 0u
gpg: depth: 2  valid:  74  signed:  24  trust: 74-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2020-01-22

then following with what I think are the next instructions ( sorry still a bit confused with everything im doing) and got this

$ gpg --homedir /tmp/gnupg --fingerprint --fingerprint eworm
gpg: WARNING: unsafe ownership on homedir '/tmp/gnupg'
gpg: Note: trustdb not writable
pub   rsa2048 2011-08-12 [SC]
      02FD 1C7A 934E 6145 4584  9F19 A623 4074 498E 9CEE
uid           [  full  ] Christian Hesse (Arch Linux Package Signing) <arch@eworm.de>
sub   rsa2048 2011-08-12 [E]
      9269 AECC A0E1 AF21 1A78  5CFB 51F0 0134 67F1 E8BF
sub   ed25519 2019-08-29 [S]
      0429 897D E5F3 BDAC 537A  3069 6D42 BDD1 16E0 068F
sub   cv25519 2019-08-29 [E]
      BEEC 2D8D 85F4 CFC3 7B69  FE5F BCC3 A7D4 E4CE 4CE4

Offline

#19 2019-11-08 19:01:08

loqs
Member
Registered: 2014-03-06
Posts: 9,074

Re: [SOLVED]How to verify pgp key from pacman?

From the output you posted in post #4

:: Import PGP key 0429897DE5F3BDAC537A30696D42BDD116E0068F? [Y/n] n

matches

sub   ed25519 2019-08-29 [S]
      0429 897D E5F3 BDAC 537A  3069 6D42 BDD1 16E0 068F

Somehow although the alcrhlinux-keyring provided the correct subkey it was not added to pacman's keyring when the package was updated.
You resolved the issue with `sudo pacman-key --refresh-keys` which picked up the subkey from the keyservers.

Offline

#20 2019-11-08 22:06:09

MintCollie
Member
Registered: 2019-10-23
Posts: 13

Re: [SOLVED]How to verify pgp key from pacman?

loqs wrote:

From the output you posted in post #4

:: Import PGP key 0429897DE5F3BDAC537A30696D42BDD116E0068F? [Y/n] n

matches

sub   ed25519 2019-08-29 [S]
      0429 897D E5F3 BDAC 537A  3069 6D42 BDD1 16E0 068F

Somehow although the alcrhlinux-keyring provided the correct subkey it was not added to pacman's keyring when the package was updated.
You resolved the issue with `sudo pacman-key --refresh-keys` which picked up the subkey from the keyservers.

wonderful, thank you for clearly explaining the issue to me, I do appreciate it! Would there be a way to figure out how the issue occurred in the first place or how to make sure I don't run into the same situation again in future Arch installs?

Offline

#21 2019-11-08 22:22:36

loqs
Member
Registered: 2014-03-06
Posts: 9,074

Re: [SOLVED]How to verify pgp key from pacman?

You could examine /var/log/pacman.log for the update containing archlinux-keyring 20191018-1 and see if it also contained entries similar to the following

[ALPM-SCRIPTLET] ==> Appending keys from archlinux.gpg...
....
[ALPM-SCRIPTLET] ==> Updating trust database...

If the entries are present I can not explain why the key was not added to pacman's keyring.
If the entries are not then the install script failed or was not called which again I can not explain.

There is nothing you should be doing differently on future installs.  pacstrap configures the keyring on initial installation without needing any configuration.
Normal pacman updates will pickup archlinux-keyring updates and do not require any user action.
If a package is signed with a key not in the keyring then you can safely accept it as it will not be trusted unless it has signatures from the master keys.

Last edited by loqs (2019-11-08 22:23:03)

Offline

Board footer

Powered by FluxBB