You are not logged in.

#1 2020-05-23 15:28:59

regid
Member
Registered: 2016-06-06
Posts: 184

What happened to heftig gpg key?

  • makepkg supposedly lists the wrong key

$ makepkg --verifysource > /dev/null
    archlinux-linux ... Skipped
    config ... Passed
    sphinx-workaround.patch ... Passed
    archlinux-linux git repo ... FAILED (unknown public key 3B94A80E50A477C7)
==> ERROR: One or more PGP signatures could not be verified!

$ gpg --search-keys --batch 3B94A80E50A477C7
gpg: data source: https://209.244.105.201:443
(1)	Jan Alexander Steffens (heftig) <heftig@archlinux.org>
	Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
	Jan Alexander Steffens (heftig) <jan.steffens@ltnglobal.com>
	  256 bit EDDSA key 19802F8B0D70FC30, created: 2020-05-11
Keys 1-1 of 1 for "3B94A80E50A477C7".  gpg: Sorry, we are in batchmode - can't get input

Why does PKGBUILD lists A2FF3A36AAA56654109064AB19802F8B0D70FC30 for heftig key?

grep A2FF3A36AAA56654109064AB19802F8B0D70FC30 PKGBUILD
  'A2FF3A36AAA56654109064AB19802F8B0D70FC30'  # Jan Alexander Steffens (heftig)
  • makepkg over looks an entry for the key

In addition, I have an entry for heftig in my keyring.

gpg --list-keys heftig
pub   rsa2048 2011-08-25 [SC]
      8218F88849AAC522E94CF470A5E9288C4FA415FA
uid           [ unknown] Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
uid           [ unknown] Jan Alexander Steffens (heftig) <jan-alexander.steffens@smail.inf.h-brs.de>
uid           [ unknown] [jpeg image of size 3837]
uid           [ unknown] [jpeg image of size 3865]
sub   rsa2048 2011-08-25 [E]

Why makepkg doesn’t use that entry?

As an aside, a search engine referred me to [SOLVED] Custom Kernel - unknown public key, which is 1.5 years old and marked as solved. I think this thread might be of interest to any one who stumbled that thread. Is it reasonable to add there a message with a reference to this thread?

Last edited by regid (2020-05-23 15:48:32)


pantum-p1000-p2000-p3000-m5100-m5200-ppd-driver (AUR): PPDs, drivers, for Pantum P1000, P2000, P3000, M5100, M5200 printers.
powerofforreboot.efi (AUR): Utilities to be used from within a UEFI boot manager or shell.

Offline

#2 2020-05-23 16:19:03

loqs
Member
Registered: 2014-03-06
Posts: 12,113

Re: What happened to heftig gpg key?

gpg --fingerprint --fingerprint A2FF3A36AAA56654109064AB19802F8B0D70FC30
pub   ed25519 2020-05-11 [SC]
      A2FF 3A36 AAA5 6654 1090  64AB 1980 2F8B 0D70 FC30
uid           [ unknown] Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
uid           [ unknown] Jan Alexander Steffens (heftig) <heftig@archlinux.org>
uid           [ unknown] Jan Alexander Steffens (heftig) <jan.steffens@ltnglobal.com>
sub   ed25519 2020-05-11 [S]
      0668 7A1D 9D4F AB08 B50F  D92B 3B94 A80E 50A4 77C7
sub   ed25519 2020-05-11 [A]
      A3B1 C763 D7D5 6FEB 42FB  729C 76CF 819A 8AE1 A606
sub   cv25519 2020-05-11 [E]
      EB74 CB57 09BC F8A0 BB9A  8720 B936 6059 0553 8A6A

gpg --list-sig A2FF3A36AAA56654109064AB19802F8B0D70FC30
pub   ed25519 2020-05-11 [SC]
      A2FF3A36AAA56654109064AB19802F8B0D70FC30
uid           [ unknown] Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
sig 3        19802F8B0D70FC30 2020-05-11  Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
sig 3        19802F8B0D70FC30 2020-05-22  Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
sig          A5E9288C4FA415FA 2020-05-11  Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
sig 3        A5E9288C4FA415FA 2020-05-13  Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
uid           [ unknown] Jan Alexander Steffens (heftig) <heftig@archlinux.org>
sig 3        19802F8B0D70FC30 2020-05-11  Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
sig          A5E9288C4FA415FA 2020-05-11  Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
sig 3        A5E9288C4FA415FA 2020-05-13  Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
sig          3348882F6AC6A4C2 2020-05-17  Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sig          BA1DFB64FFF979E7 2020-05-22  Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>
sig          A88E23E377514E00 2020-05-21  Florian Pritz (Arch Linux Master Key) <florian@master-key.archlinux.org>
uid           [ unknown] Jan Alexander Steffens (heftig) <jan.steffens@ltnglobal.com>
sig 3        19802F8B0D70FC30 2020-05-11  Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
sig          A5E9288C4FA415FA 2020-05-11  Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
sig 3        A5E9288C4FA415FA 2020-05-13  Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
sub   ed25519 2020-05-11 [S]
sig          19802F8B0D70FC30 2020-05-11  Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
sub   ed25519 2020-05-11 [A]
sig          19802F8B0D70FC30 2020-05-11  Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
sub   cv25519 2020-05-11 [E]
sig          19802F8B0D70FC30 2020-05-11  Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>

Looks to be a new key adding the uid heftig@archlinux.org.  The key has been signed by the old key and three master keys.

Last edited by loqs (2020-05-23 16:19:36)

Offline

#3 2020-05-23 17:54:16

octylFractal
Member
Registered: 2019-12-07
Posts: 3

Re: What happened to heftig gpg key?

Importing the key listed in the PKGBUILD (A2FF3A36AAA56654109064AB19802F8B0D70FC30) fixes this issue, 3B94A80E50A477C7 is a subkey of that key.

Edit: I see that loqs' gpg output also shows this information, but since I myself was briefly stuck on this while upgrading my custom kernel, I figured I'd share a fix more explicitly.

Last edited by octylFractal (2020-05-23 17:56:22)

Offline

#4 2020-06-13 18:51:49

klapauzius
Member
Registered: 2019-07-22
Posts: 39

Re: What happened to heftig gpg key?

Jan A. Steffens' subkey 3B94A80E50A477C7 is not mentioned under

(1) https://www.archlinux.org/master-keys/
(2) https://keybase.io/heftig
(3) https://pgp.mit.edu/pks/lookup?op=vinde … 8B0D70FC30 (obviously broken)

When you google 3B94A80E50A477C7 you get hits for this thread and a short discussion on reddit.

However, keybase.io has got it, if you like to check with a second source:

> curl -s https://keybase.io/heftig/pgp_keys.asc\ … 8b0d70fc30 | gpg --with-colons --import-options import-show --dry-run --import | grep 3B94A80E50A477C7

Joanna Rutkowska and/or her qubes team explain very elaborately why that might be a good idea:
https://www.qubes-os.org/security/verifying-signatures/

Offline

#5 2020-06-14 12:47:50

langfingaz
Member
From: Germany
Registered: 2020-01-11
Posts: 1

Re: What happened to heftig gpg key?

klapauzius wrote:

Jan A. Steffens' subkey 3B94A80E50A477C7 is not mentioned under

(1) https://www.archlinux.org/master-keys/
(2) https://keybase.io/heftig
(3) https://pgp.mit.edu/pks/lookup?op=vinde … 8B0D70FC30 (obviously broken)

When you google 3B94A80E50A477C7 you get hits for this thread and a short discussion on reddit.

However, keybase.io has got it, if you like to check with a second source:

> curl -s https://keybase.io/heftig/pgp_keys.asc\ … 8b0d70fc30 | gpg --with-colons --import-options import-show --dry-run --import | grep 3B94A80E50A477C7

Joanna Rutkowska and/or her qubes team explain very elaborately why that might be a good idea:
https://www.qubes-os.org/security/verifying-signatures/

Thanks for the info! I was asked to import his key during a recend update and this helped verify his key!

Offline

#6 2020-06-14 17:31:07

jatec
Member
Registered: 2017-09-12
Posts: 3

Re: What happened to heftig gpg key?

Offline

#7 2020-06-16 08:41:41

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 1,021
Website

Re: What happened to heftig gpg key?

I have another question regarding this issue.
Why is pacman asking me multiple times to import this key?

Lade benötigte Schlüssel herunter...
:: Import PGP key 3B94A80E50A477C7, "Jan Alexander Steffens (heftig) <heftig@archlinux.org>"? [J/n] 
:: Import PGP key 3B94A80E50A477C7, "Jan Alexander Steffens (heftig) <heftig@archlinux.org>"? [J/n] 
:: Import PGP key 3B94A80E50A477C7, "Jan Alexander Steffens (heftig) <heftig@archlinux.org>"? [J/n] 

I just kept hitting enter and eventually pacman continued with the installation process.
I suspect that pacman issues this challenge for every package that is signed with a key not in the local keyring.
If this is the case, and I want to understand this first, I'll consider filing a feature request to enhance pacman to only do this once.

Offline

#8 2020-06-16 09:40:36

Allan
Member
From: Brisbane, AU
Registered: 2007-06-09
Posts: 10,953
Website

Re: What happened to heftig gpg key?

schard wrote:

If this is the case, and I want to understand this first, I'll consider filing a feature request to enhance pacman to only do this once.

It is already fixed in the pacman code base.  But a new release has not been made yet.

Offline

#9 2020-06-16 09:50:30

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 1,021
Website

Re: What happened to heftig gpg key?

Awesome. Thanks for the feedback.

Offline

Board footer

Powered by FluxBB