#1 2021-09-05 20:19:43

Orionis
Member
Registered: 2018-01-19
Posts: 42

Completely recreate keyring

I have been having issues with my keyring for a while now. Today I got a whole bunch of these:

gpg: key BA1DFB64FFF979E7: "Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
pub   rsa4096 2011-11-29 [SC]
      AB19265E5D7D20687D303246BA1DFB64FFF979E7
uid           [  full  ] Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>

which doesn't seem to be an error but new behavior.

The other bunch, however:

gpg: error retrieving 'thomas@master-key.archlinux.org' via WKD: No data
gpg: error reading key: No data
gpg: key 1EB2638FF56C0C53: no user ID for key signature packet of class 10

are errors.

Is there a way to start completely clean with a new keyring?

I tried this part:
https://wiki.manjaro.org/index.php/Pacm … about_Keys
minus the manjaro part.

However, that doesn't seem to work as pretty much every step generates errors once the existing keyring is renamed/deleted. Step 2 tells me I need to do step 3 first, step 3 will generate the master key but not write it to disk causing step 4 to be unable to sign anything and so on.

I've been googling this question on and off for almost a year and can't seem to find a definitive way of starting with a clean keyring. So can anybody illuminate me?

#2 2021-09-05 20:36:07

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,560


#3 2021-09-05 20:44:34

Orionis
Member
Registered: 2018-01-19
Posts: 42

Re: Completely recreate keyring

If you want to remove or reset all the keys installed in your system, you can remove /etc/pacman.d/gnupg folder as root and rerun pacman-key --init followed by pacman-key --populate archlinux to re-add the default keys. If archlinux-keyring is not up-to-date, it may be necessary to run pacman -S archlinux-keyring before a full system update.

Like I wrote in my initial post...

mv /etc/pacman.d/gnupg /etc/pacman.d/gnupg2
pacman-key --init
gpg: /etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/etc/pacman.d/gnupg/secring.gpg' to gpg-agent
gpg: migration succeeded
==> Generating pacman master key. This may take some time.
gpg: Generating pacman keyring master key...
gpg: agent_genkey failed: No such file or directory
gpg: key generation failed: No such file or directory
gpg: Done
==> Updating trust database...
gpg: no need for a trustdb check
pacman-key --populate archlinux
==> ERROR: There is no secret key available to sign with.
==> Use 'pacman-key --init' to generate a default secret key.

It is not that easy.

In addition, I seem to have broken my renamed files, so my keyring is now completely broken. Good thing I had just updated; as long as the system can still boot, I have about a month until I need to run pacman again. I guess I'm about to find out if it can still boot.

#4 2021-09-05 20:59:18

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,560

Re: Completely recreate keyring

Using some 3rd party gpg agent? Latest version of the gnupg package?


#5 2021-09-05 21:21:53

Orionis
Member
Registered: 2018-01-19
Posts: 42

Re: Completely recreate keyring

I did a full system update before I started experimenting, and the only things from the non-default repos are ZFS, yay and PowerShell. None of those should interfere; I try to keep the system as default as possible.

Can I tell pacman to completely ignore signatures so I can still use it? Maybe I can reinstall gnupg and archlinux-keyring that way and see if that does something?

EDIT: I'll try setting Siglevel to Never

EDIT2:
I think I figured it out. After deleting the gnupg directory I need to reboot before running the init.

Unfortunately it doesn't fix the many errors. I guess I'll see if they remain by next time.

In the meantime, if somebody knows what all those errors mean, I'd love to know. Most "no data" errors appear to be normal. The "no user ID for key signature packet of class 10" I have no clue about. The "class 13" & "class 30" will lead to an "==> ERROR: Could not update key: 6BC26A17B9B7018A"

Maybe this is all standard behavior which can be ignored. I have no clue. For now at least it seems to work.

Last edited by Orionis (2021-09-05 21:58:12)

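As an added example, not part of the thread and not Arch's own tooling, here is a POSIX shell script covering the two things the thread turns on: the reset procedure quoted in post #3 (remove /etc/pacman.d/gnupg, pacman-key --init, pacman-key --populate archlinux, reinstall archlinux-keyring) and the question in post #5 of which gpg lines are harmless and which are real errors. The classifier uses the exact message strings quoted in the thread; the sample log is constructed from those lines. The reset function assumes that the "agent_genkey failed: No such file or directory" in post #3 comes from a gpg-agent still bound to the old homedir (which is also why the reboot helped), so it kills that agent explicitly before anything is moved; it requires root and runs only when the script is invoked with --reset. The signature-class meanings in the comments are from RFC 4880; the function names, the PACMAN_GNUPG variable and the --reset flag are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: classify pacman-key/gpg output and
# reset the pacman keyring without a reboot. Function names, PACMAN_GNUPG
# and the --reset flag are this example's own choices.

PACMAN_GNUPG="${PACMAN_GNUPG:-/etc/pacman.d/gnupg}"   # pacman-key's GnuPG homedir

# classify_gpg_line LINE -> prints benign | lookup | error | other
# The "class NN" numbers quoted in the thread are OpenPGP signature types
# (RFC 4880 section 5.2.1): 0x10-0x13 certify a user ID, 0x30 revokes such
# a certification. "no user ID for key signature packet" therefore means gpg
# met a certification whose user ID packet is missing from the key, i.e.
# incomplete key material that should be re-populated rather than used.
classify_gpg_line() {
    case "$1" in
        *" not changed"*|*"unchanged:"*|*"Total number processed"*)
            echo benign ;;                      # key already present, nothing written
        *"via WKD: No data"*|*"error reading key: No data"*)
            echo lookup ;;                      # Web Key Directory fetch returned nothing
        *"no user ID for key signature packet"*|*"Could not update key"*)
            echo error ;;                       # damaged or incomplete key in the keyring
        *"agent_genkey failed"*|*"key generation failed"*|*"no secret key available"*)
            echo error ;;                       # master key could not be created
        *)  echo other ;;
    esac
}

# count_gpg_errors: reads gpg/pacman-key output on stdin, prints the number
# of lines classified as error (the ones worth acting on).
count_gpg_errors() {
    n=0
    while IFS= read -r line; do
        if [ "$(classify_gpg_line "$line")" = error ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# sample_log: constructed sample modelled on the lines quoted in the thread.
sample_log() {
cat <<'EOF'
gpg: key BA1DFB64FFF979E7: "Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg: error retrieving 'thomas@master-key.archlinux.org' via WKD: No data
gpg: error reading key: No data
gpg: key 1EB2638FF56C0C53: no user ID for key signature packet of class 10
==> ERROR: Could not update key: 6BC26A17B9B7018A
EOF
}

# reset_pacman_keyring: the procedure quoted in the thread, run as root.
# Assumption: the "agent_genkey failed: No such file or directory" seen in
# the thread comes from a gpg-agent still bound to the old homedir, so that
# agent is killed first (the reboot the OP needed has the same effect).
reset_pacman_keyring() {
    [ "$(id -u)" -eq 0 ] || { echo "reset_pacman_keyring: run as root" >&2; return 1; }
    gpgconf --homedir "$PACMAN_GNUPG" --kill gpg-agent 2>/dev/null || true
    backup="$PACMAN_GNUPG.bak.$(date +%Y%m%d%H%M%S)"
    mv "$PACMAN_GNUPG" "$backup"               # keep the old keyring for later inspection
    pacman-key --init                          # generates a fresh pacman master key
    pacman-key --populate archlinux            # re-adds the distribution keys
    pacman -S --needed archlinux-keyring       # refresh keys if the package is stale
    echo "old keyring kept at $backup"
}

case "${1:-}" in
    --reset) reset_pacman_keyring ;;
    *)       echo "actionable errors in sample log: $(sample_log | count_gpg_errors)" ;;
esac
```

Run it without arguments to see how the thread's own lines are sorted (two actionable errors, the rest benign or lookup failures); pipe real `pacman-key --refresh-keys` output into `count_gpg_errors` to triage a live system. Only `--reset`, as root, touches the keyring, and the old directory is kept rather than deleted so a damaged keyring can still be examined afterwards.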
