
#1 2021-03-01 22:52:48

moscow-hunt
Member
Registered: 2020-03-25
Posts: 23

my key: warning: Public keyring not found; run 'pacman-key --init'?

Hello guys. I previously posted under the subject

building in chroot ==> ERROR: The key does not exist in your keyring

However, I made a mistake. It does not have to do with chroot. Too much confusion, so I post again with a clear subject. Hope that is OK. Sorry for my mistake.

JZGEUTCPDW5SHN3X is my package signing key. Since the problem started I performed these steps three times, but they did not resolve my issue.

sudo rm -R /etc/pacman.d/gnupg/
sudo rm -R /root/.gnupg/ 
gpg --refresh-keys
sudo pacman-key --init && sudo pacman-key --populate archlinux
sudo pacman-key -a ~/.ssh/my_pkg_key.pub
sudo pacman-key --lsign-key JZGEUTCPDW5SHN3X
sudo pacman-key --finger JZGEUTCPDW5SHN3X

As I troubleshoot, I also experimented with permissions and these commands:

sudo chmod 600 /etc/pacman.d/gnupg
gpg --refresh-keys
sudo pacman -Sy archlinux-keyring && pacman -Syyu
reboot

The issue is not those permissions. I also tried putting my secret key into the /etc/pacman.d/gnupg keyring. None of these steps fixed my problem.

First I thought it was related to chroot because `pacman -Syu` with Arch packages has no problem. Then I tried building one of my packages outside the chroot and I found the following (and I made it print key details for debugging):

$ makepkg -f
sec   rsa3072 2020-10-15 [SC]
      2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X
uid           [ultimate] Moscow Hunt <mh@gmail.com>
ssb   rsa3072 2020-10-15 [E]

==> Making package: foo 1.0.r13-1 (Mon 01 Mar 2021 02:58:08 AM EST)
==> Checking runtime dependencies...
warning: Public keyring not found; have you run 'pacman-key --init'?
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo3: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
==> Checking buildtime dependencies...
warning: Public keyring not found; have you run 'pacman-key --init'?
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo3: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
==> Retrieving sources...
  -> Updating foo git repo...
Fetching origin
==> Validating source files with sha256sums...
    foo ... Skipped
==> Extracting sources...
  -> Creating working copy of foo git repo...
Reset branch 'makepkg'
==> Removing existing $pkgdir/ directory...
==> Entering fakeroot environment...
sec   rsa3072 2020-10-15 [SC]
      2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X
uid           [ultimate] Moscow Hunt <mh@gmail.com>
ssb   rsa3072 2020-10-15 [E]

==> Starting package()...
==> Tidying install...
  -> Removing libtool files...
  -> Purging unwanted files...
  -> Removing static library files...
  -> Stripping unneeded symbols from binaries and libraries...
  -> Compressing man and info pages...
==> Checking for packaging issues...
==> Creating package "foo"...
  -> Generating .PKGINFO file...
  -> Generating .BUILDINFO file...
warning: Public keyring not found; have you run 'pacman-key --init'?
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo3: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
  -> Adding install file...
  -> Generating .MTREE file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Signing package(s)...
  -> Created signature file foo-1.0.r13-1-any.pkg.tar.zst.sig.
==> Finished making: foo 1.0.r13-1 (Mon 01 Mar 2021 02:58:10 AM EST)

The package is created and signed. But now I have a clue why it fails in chroot: "Public keyring not found"

Building in chroot fails with:

==> ERROR: The key JZGEUTCPDW5SHN3X does not exist in your keyring.
==> ERROR: Build failed, check /mnt/chroots/arch/myrepo1/moscow/build

But now I know it is not only a chroot problem.

Key JZGEUTCPDW5SHN3X is shown in both `gpg -k` and `sudo gpg --homedir /etc/pacman.d/gnupg/ -k` and also both `gpg --finger JZGEUTCPDW5SHN3X` and `sudo gpg --homedir /etc/pacman.d/gnupg/ --finger JZGEUTCPDW5SHN3X`. Here is an output example:

$ sudo pacman-key --list-sigs 2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X
pub   rsa3072 2020-10-15 [SC]
      2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X
uid           [  full  ] Moscow Hunt <mh@gmail.com>
sig 3        JZGEUTCPDW5SHN3X 2020-10-15  Moscow Hunt <mh@gmail.com>
sig   L      55031C2F942A69BB 2020-10-16  Pacman Keyring Master Key <pacman@localhost>
sub   rsa3072 2020-10-15 [E]
sig          JZGEUTCPDW5SHN3X 2020-10-15  Moscow Hunt <mh@gmail.com>

I checked all these commands and I found no problems.

$ sudo pacman-conf GpgDir
/etc/pacman.d/gnupg/

gpg -K JZGEUTCPDW5SHN3X
sudo gpg --homedir /etc/pacman.d/gnupg/ -K JZGEUTCPDW5SHN3X

gpg --finger JZGEUTCPDW5SHN3X
sudo gpg --homedir /etc/pacman.d/gnupg/ --finger JZGEUTCPDW5SHN3X

gpg -k
sudo gpg --homedir /etc/pacman.d/gnupg/ -k

gpg -K
sudo gpg --homedir /etc/pacman.d/gnupg/ -K

gpg --check-signatures JZGEUTCPDW5SHN3X
sudo gpg --homedir /etc/pacman.d/gnupg/ --check-signatures  JZGEUTCPDW5SHN3X

sudo gpg --homedir /etc/pacman.d/gnupg/ --check-signatures master-key.archlinux.org

I will paste the output of all if requested. master-key.archlinux.org has "gpg: 33 good signatures"

My only non-default settings in /etc/makepkg.conf

BUILDENV=(!distcc color !ccache !check sign)
PACKAGER="Moscow Hunt <mh@gmail.com>"
GPGKEY="JZGEUTCPDW5SHN3X"

My only non-default settings in /etc/pacman.conf

[options]
SigLevel    = Required DatabaseOptional
LocalFileSigLevel = Optional

[myrepo1]
Server = file:///home/moscow/repos/$repo/

[myrepo2]
Server = file:///home/moscow/repos/$repo/

[myrepo2]
Server = file:///home/moscow/repos/$repo/

Thanks for looking at my problem and have a great day!

Last edited by moscow-hunt (2021-03-02 00:45:24)

Offline

#2 2021-03-02 00:51:40

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: my key: warning: Public keyring not found; run 'pacman-key --init'?

None of this has anything to do with pacman-key...

makepkg has the ability to run gpg --detach-sign on the built file. This uses $HOME/.gnupg and, in a chroot build, /mnt/chroots/arch/myrepo1/moscow/build/.gnupg

Is your key available in the chroot? Or only on the host?

For the record, official Arch tooling does not use makepkg --sign, but runs makechrootpkg and then manually uses gpg --detach-sign.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#3 2021-03-02 02:42:38

moscow-hunt
Member
Registered: 2020-03-25
Posts: 23

Re: my key: warning: Public keyring not found; run 'pacman-key --init'?

eschwartz wrote:

None of this has anything to do with pacman-key...

OK!

eschwartz wrote:

Is your key available in the chroot?

No. It gets deleted from the chroot on each build. I think it is replaced by a keyring and trustdb that do not contain my key.

I looked for all keyrings on my system. Outside of the chroot, I found GPG keyrings in these locations:

/home/moscow/.gnupg/
/etc/pacman.d/gnupg

plus 3 I have not touched yet

/usr/share/pacman/keyrings/
/var/lib/archbuild/extra-x86_64/root/etc/pacman.d/gnupg/
/var/lib/archbuild/extra-x86_64/moscow/etc/pacman.d/gnupg/

Edit: I do not use the "Convenience way" to build (extra-x86_64-build). I use mkarchroot and makechrootpkg.

When I first saw that my key was not in the chroot, I tried this before the build:

sudo arch-nspawn "$copydir"/ sudo -u builduser gpg --import my_build_key.sec
sudo arch-nspawn "$copydir"/ sudo -u builduser gpg --list-secret-key JZGEUTCPDW5SHN3X

gpg: Warning: using insecure memory!
sec   rsa3072 2020-10-15 [SC]
      2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X
uid           [unknown] Moscow Hunt <mh@gmail.com>
sub   rsa3072 2020-10-15 [E]

ls -1 "$copydir"/build/.gnupg/
private-keys-v1.d
pubring.kbx
pubring.kbx~
S.gpg-agent
S.gpg-agent.browser
S.gpg-agent.extra
S.gpg-agent.ssh
trustdb.gpg

copydir=/mnt/chroots/arch/myrepo1/moscow/ or as needed for my repos.

I see my build key in the chroot GPG keyring before running makechrootpkg.
Still the build fails with the same error:

==> ERROR: The key JZGEUTCPDW5SHN3X does not exist in your keyring.

I checked again immediately after running makechrootpkg:

sudo arch-nspawn "$copydir"/ sudo -u builduser gpg --list-secret-key JZGEUTCPDW5SHN3X
gpg: Warning: using insecure memory!
gpg: error reading key: No secret key

ls -1 "$copydir"/build/.gnupg/
pubring.kbx
trustdb.gpg

I set up my chroot like this:

CHROOT="/mnt/chroots/arch"
sudo mount -t tmpfs -o defaults,size=20G tmpfs "/$CHROOT"
mkarchroot "/$CHROOT/root" base-devel git tree

If the chroot is not new, I update it:

sudo arch-nspawn $CHROOT/root pacman -Syu

In troubleshooting I tried both cleaning the chroot and not cleaning it before building the package, but the error does not change.

makechrootpkg -c -r $CHROOT
makechrootpkg $CHROOT

eschwartz wrote:

For the record, official Arch tooling does not use makepkg --sign, but runs makechrootpkg and then manually uses gpg --detach-sign.

I use makechrootpkg with a chroot. I only tried makepkg to test outside of the chroot for troubleshooting.

eschwartz wrote:

makepkg has the ability to run gpg --detach-sign on the built file. This uses $HOME/.gnupg and, in a chroot build, /mnt/chroots/arch/myrepo1/moscow/build/.gnupg

I think makechrootpkg replaces the keyring on each build and my key is then missing. This problem only started recently. Before, I was able to run makechrootpkg and sign my packages. I am not aware of any change I made, but somehow I screwed up my system. What do I check next? Thank you kindly for your advice, eschwartz. Hope you have a great day!

Last edited by moscow-hunt (2021-03-02 02:50:08)

Offline

#4 2021-03-02 03:44:26

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: my key: warning: Public keyring not found; run 'pacman-key --init'?

makechrootpkg -c nukes the chroot and recreates it. So $copydir is destroyed and recreated from $copydir/../root



Offline

#5 2021-03-02 05:51:40

moscow-hunt
Member
Registered: 2020-03-25
Posts: 23

Re: my key: warning: Public keyring not found; run 'pacman-key --init'?

eschwartz wrote:

makechrootpkg -c nukes the chroot and recreates it. So $copydir is destroyed and recreated from $copydir/../root

Yes. My build key also disappears when I run without "-c", like so:

makechrootpkg $CHROOT

And I viewed this code in arch-nspawn:

copy_hostconf () {
	unshare --fork --pid gpg --homedir "$working_dir"/etc/pacman.d/gnupg/ --no-permission-warning --quiet --batch --import --import-options import-local-sigs "$(pacman-conf GpgDir)"/pubring.gpg >/dev/null 2>&1
	pacman-key --gpgdir "$working_dir"/etc/pacman.d/gnupg/ --import-trustdb "$(pacman-conf GpgDir)" >/dev/null 2>&1

I checked and verified: $(pacman-conf GpgDir) = /etc/pacman.d/gnupg

I checked:

sudo gpg --homedir /etc/pacman.d/gnupg/ --finger JZGEUTCPDW5SHN3X

My build key is found with the above command.

I understand copy_hostconf() will copy my build key from /etc/pacman.d/gnupg/ to the chroot. Do I misunderstand? What do you think I do wrong?

Offline

#6 2021-03-02 06:52:26

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: my key: warning: Public keyring not found; run 'pacman-key --init'?

Primarily the fact that once again, none of this has to do with pacman-key.

The fact that -c by design nukes the entire chroot is an immediately apparent problem which should be obvious from the output... less obvious is that the builduser's home directory is also nuked regardless...

I do not know what people do in order to do gpg signing in the chroot. I'm happy doing it outside the chroot anyway. Maybe bind-mounting $HOME/.gnupg:/build/.gnupg would work, idk.



Offline
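
The workflow eschwartz describes in posts #2 and #6 (build in the chroot, then sign on the host with gpg --detach-sign), written out as an added example; it is not from any poster and not Arch's own tooling. It assumes the chroot build ran with signing turned off and that the secret key is in the invoking user's $HOME/.gnupg; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: sign packages on the host after a chroot build, so the
# secret key never has to exist inside the (disposable) chroot.

# unsigned_pkgs DIR
# Prints every *.pkg.tar.* file in DIR that has no detached .sig beside it.
unsigned_pkgs() {
    for pkg in "$1"/*.pkg.tar.*; do
        case $pkg in *.sig) continue ;; esac   # skip the signatures themselves
        [ -f "$pkg" ] || continue              # glob matched nothing
        [ -f "$pkg.sig" ] || printf '%s\n' "$pkg"
    done
}

# sign_pkgs DIR KEYID
# Detach-signs each unsigned package with KEYID from the caller's own
# keyring, then verifies the new signature before moving on.
sign_pkgs() {
    unsigned_pkgs "$1" | while IFS= read -r pkg; do
        gpg --detach-sign --use-agent --local-user "$2" --no-armor "$pkg" || exit 1
        gpg --verify "$pkg.sig" "$pkg" || exit 1
    done
}

# Typical use after the chroot build has finished (paths are examples):
#   sign_pkgs "$PWD" JZGEUTCPDW5SHN3X
```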

#7 2021-03-02 07:15:57

moscow-hunt
Member
Registered: 2020-03-25
Posts: 23

Re: my key: warning: Public keyring not found; run 'pacman-key --init'?

eschwartz wrote:

I do not know what people do in order to do gpg signing in the chroot. I'm happy doing it outside the chroot anyway. Maybe bind-mounting $HOME/.gnupg:/build/.gnupg would work, idk.

I'm confused because it was working for me straight away. I did not pull any trick to get it to work. It worked until a few days ago. But OK, I do it outside of the chroot now too. That is OK with me.

However, I am trying to understand this new warning. I get it outside of the chroot. Any idea?

warning: Public keyring not found; have you run 'pacman-key --init'?

$ makepkg -f
sec   rsa3072 2020-10-15 [SC]
      2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X
uid           [ultimate] Moscow Hunt <mh@gmail.com>
ssb   rsa3072 2020-10-15 [E]

==> Making package: foo 1.0.r13-1 (Mon 01 Mar 2021 02:58:08 AM EST)
==> Checking runtime dependencies...
warning: Public keyring not found; have you run 'pacman-key --init'?
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo3: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
==> Checking buildtime dependencies...
warning: Public keyring not found; have you run 'pacman-key --init'?
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo3: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
==> Retrieving sources...
  -> Updating foo git repo...
Fetching origin
==> Validating source files with sha256sums...
    foo ... Skipped
==> Extracting sources...
  -> Creating working copy of foo git repo...
Reset branch 'makepkg'
==> Removing existing $pkgdir/ directory...
==> Entering fakeroot environment...
sec   rsa3072 2020-10-15 [SC]
      2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X
uid           [ultimate] Moscow Hunt <mh@gmail.com>
ssb   rsa3072 2020-10-15 [E]

==> Starting package()...
==> Tidying install...
  -> Removing libtool files...
  -> Purging unwanted files...
  -> Removing static library files...
  -> Stripping unneeded symbols from binaries and libraries...
  -> Compressing man and info pages...
==> Checking for packaging issues...
==> Creating package "foo"...
  -> Generating .PKGINFO file...
  -> Generating .BUILDINFO file...
warning: Public keyring not found; have you run 'pacman-key --init'?
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo3: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
  -> Adding install file...
  -> Generating .MTREE file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Signing package(s)...
  -> Created signature file foo-1.0.r13-1-any.pkg.tar.zst.sig.
==> Finished making: foo 1.0.r13-1 (Mon 01 Mar 2021 02:58:10 AM EST)

You informed me with this:

makepkg has the ability to run gpg --detach-sign on the built file. This uses $HOME/.gnupg

I checked:

$ gpg --homedir $HOME/.gnupg --finger JZGEUTCPDW5SHN3X
pub   rsa3072 2020-10-15 [SC]
      HTR8 JUN4 E3XQ GXMS 6XAA W8J2 4CXN JZGE UTCP DW5S HN3X
uid           [  full  ] Moscow Hunt <mh@gmail.com>
sub   rsa3072 2020-10-15 [E]

It seems the keyring is found and the key is present. So why this?

error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown

Thank you again for reading my question. Hope you have a great day!

Offline
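
An added check, not part of any post: makepkg calls pacman as the unprivileged user, so the directory reported by `pacman-conf GpgDir` has to be traversable, and its pubring.gpg and trustdb.gpg readable, by users other than root; libalpm prints "Public keyring not found" when it cannot read them. The function names are illustrative, and the expected modes (755 on the directory, 644 on the two files) are assumed to be what `pacman-key --init` sets up.

```shell
#!/bin/sh
# Added example: report whether a non-root user can read pacman's public
# keyring. It inspects mode bits rather than testing access, so the answer
# is the same whether the script runs as root or as the build user.

# other_perms PATH
# Prints the three "other" permission characters of PATH, e.g. "r-x".
other_perms() {
    ls -ld -- "$1" 2>/dev/null | cut -c8-10
}

# check_gpgdir DIR
# Prints one line per problem found; returns 0 only if there are none.
check_gpgdir() {
    dir=${1%/}
    problems=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    case $(other_perms "$dir") in
        r?[xt]) ;;
        *)  # e.g. after 'chmod 600' on the directory itself
            echo "not traversable by other users: $dir ($(other_perms "$dir"))"
            return 1 ;;
    esac
    for f in pubring.gpg trustdb.gpg; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing file: $dir/$f"
            problems=$((problems + 1))
            continue
        fi
        case $(other_perms "$dir/$f") in
            r??) ;;
            *)  echo "not readable by other users: $dir/$f"
                problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Typical use on the host:
#   check_gpgdir "$(pacman-conf GpgDir)" && echo "keyring readable by build user"
```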

#8 2021-03-02 11:34:52

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: my key: warning: Public keyring not found; run 'pacman-key --init'?

Maybe this has to do with signing repositories and not with signing packages ?

For clarity :

Does pacman accept your key when you try to install a package signed with your key using pacman -U ?

please post the section in pacman.conf that declares your personal repo.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#9 2021-03-02 20:09:07

moscow-hunt
Member
Registered: 2020-03-25
Posts: 23

Re: my key: warning: Public keyring not found; run 'pacman-key --init'?

Lone_Wolf wrote:

Maybe this has to do with signing repositories and not with signing packages ?

Thank you for the idea!

Lone_Wolf wrote:

Does pacman accept your key when you try to install a package signed with your key using pacman -U ?

$ ls -la
-rw-r--r-- 1 moscow moscow 28573 Mar  2 02:18 foo-1.0.r13-1-any.pkg.tar.zst
-rw-r--r-- 1 moscow moscow   438 Mar  2 02:18 foo-1.0.r13-1-any.pkg.tar.zst.sig

$ sudo pacman -U foo-1.0.r13-1-any.pkg.tar.zst
loading packages...
resolving dependencies...
looking for conflicting packages...

Packages (1) foo-1.0.r13-1

Total Installed Size:  0.08 MiB

:: Proceed with installation? [Y/n]
(1/1) checking keys in keyring                                                                                                                                                                               [################################################################################################################################] 100%
(1/1) checking package integrity                                                                                                                                                                             [################################################################################################################################] 100%
(1/1) loading package files                                                                                                                                                                                  [################################################################################################################################] 100%
(1/1) checking for file conflicts                                                                                                                                                                            [################################################################################################################################] 100%
(1/1) checking available disk space                                                                                                                                                                          [################################################################################################################################] 100%
:: Running pre-transaction hooks...
(1/1) Performing snapper pre snapshots for the following configurations...
==> root: 897
:: Processing package changes...
(1/1) installing foo                                                                                                                                                                                      [################################################################################################################################] 100%
:: Running post-transaction hooks...
(1/1) Performing snapper post snapshots for the following configurations...
==> root: 898

Lone_Wolf wrote:

please post the section in pacman.conf that declares your personal repo.

The only non-default settings in /etc/pacman.conf (from top post)

[options]
SigLevel    = Required DatabaseOptional
LocalFileSigLevel = Optional

[myrepo1]
Server = file:///home/moscow/repos/$repo/

[myrepo2]
Server = file:///home/moscow/repos/$repo/

[myrepo2]
Server = file:///home/moscow/repos/$repo/

Offline

#10 2021-03-03 12:53:28

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: my key: warning: Public keyring not found; run 'pacman-key --init'?

Time to check repo structure / content.

$ ls -lR /home/moscow/repos/myrepo1/


Offline
