Arch Linux

Efka

Member

From: Klaipeda

Registered: 2014-04-27

Posts: 108

Website

Can not install qtile-extras PGP signature could not be verified

Hi, im trying to install qtile-extras from AUR but having issues.

git clone [url]https://aur.archlinux.org/qtile-extras.git[/url]

cd qtile-extras

makepkg -si

and i get this:

ERROR: One or more PGP signatures could not be verified

So lets import this key, open PKBUILD check the key

nvim PKGBUILD

next

sudo pacman-key --recv-keys A6BAA1E17D2664ADB97B2C6F58A9AA7C86727DF7 

sudo pacman-key --finger A6BAA1E17D2664ADB97B2C6F58A9AA7C86727DF7

pacman-key --lsign-key  A6BAA1E17D2664ADB97B2C6F58A9AA7C86727DF7 

makepkg -si

ERROR: One or more PGP signatures could not be verified

Tried only

58A9AA7C86727DF7

Still same.
Tried

sudo pacman-key --init & pacman-key --populate

event added archlinux after

populate

- same issue.
What im doing wrong ?
P.s. fresh Arch Linux install. apart Qtile , kitty , pcmanfm and Firefox - no other things installed
Thanks!

---

IBM Lenovo ThinkPad T61 ; Lenovo ThinkPad X220; Lenovo ThinkPad T440p; Lenovo Thinkpad W520; Lenovo Thinkpad P71; ThinkPad X1 Yoga Gen1;  FrankenPad T25
Asus Z10PE D-16 WS; 2x Intel Xeon E-5 2690V4; 32GB ECC; nVidia Titan V CEO | Asus ROG Gene XI Intel i7-9700k nVidia 3070Ti

mpan

Member

Registered: 2012-08-01

Posts: 1,379

Website

Re: Can not install qtile-extras PGP signature could not be verified

Hello.

Pacman keyring and pacman-key deal with package signatures. The already built packages to be installed.

The error you see comes from makepkg. makepkg downloads sources and then verifies their signatures. It does so using your own, private keyring. In other words, the key must be in your own keyring.

You don’t have to mark that key as trusted or sign it. Its presence in validpgpkeys instructs makepkg to assume it’s trusted.

Verifying authenticity of the source can be skipped using the `--skippgpcheck` option to makepkg. With all the security implications, hence — if possible — this shouldn’t be used.

See makepkg: signature checking in Arch Wiki.

---

Sometimes I seem a bit harsh — don’t get offended too easily!

Efka

Member

From: Klaipeda

Registered: 2014-04-27

Posts: 108

Website

Re: Can not install qtile-extras PGP signature could not be verified

Hello.

Pacman keyring and pacman-key deal with package signatures. The already built packages to be installed.

The error you see comes from makepkg. makepkg downloads sources and then verifies their signatures. It does so using your own, private keyring. In other words, the key must be in your own keyring.

You don’t have to mark that key as trusted or sign it. Its presence in validpgpkeys instructs makepkg to assume it’s trusted.

Verifying authenticity of the source can be skipped using the `--skippgpcheck` option to makepkg. With all the security implications, hence — if possible — this shouldn’t be used.

See makepkg: signature checking in Arch Wiki.

If i understand correctly - to install qtile-extras just use --skippgpcheck ? or create my own ?
P.s. i usually avoid using helpers but PARU installed qtile-extras.
So now i can just delete that key which i imported ?

---

IBM Lenovo ThinkPad T61 ; Lenovo ThinkPad X220; Lenovo ThinkPad T440p; Lenovo Thinkpad W520; Lenovo Thinkpad P71; ThinkPad X1 Yoga Gen1;  FrankenPad T25
Asus Z10PE D-16 WS; 2x Intel Xeon E-5 2690V4; 32GB ECC; nVidia Titan V CEO | Asus ROG Gene XI Intel i7-9700k nVidia 3070Ti

mpan

Member

Registered: 2012-08-01

Posts: 1,379

Website

Re: Can not install qtile-extras PGP signature could not be verified

You can use `--skippgpcheck` to not verify the sources. But you should not, if possible, as this way you can’t verify authenticity of the sources.

Just import or receive the key to your user’s keyring.

The key you imported to pacman’s keyring may be deleted.

---

Sometimes I seem a bit harsh — don’t get offended too easily!

Efka

Member

From: Klaipeda

Registered: 2014-04-27

Posts: 108

Website

Re: Can not install qtile-extras PGP signature could not be verified

You can use `--skippgpcheck` to not verify the sources. But you should not, if possible, as this way you can’t verify authenticity of the sources.

Just import or receive the key to your user’s keyring.

The key you imported to pacman’s keyring may be deleted.

So instead of pacman-key --recv-keys i needed to use gpg --receive-keys ?

As per 3.5.2 Searching and receiving keys

Or im completely lost ?
Last time i needed to import key was ages ago ...

---

IBM Lenovo ThinkPad T61 ; Lenovo ThinkPad X220; Lenovo ThinkPad T440p; Lenovo Thinkpad W520; Lenovo Thinkpad P71; ThinkPad X1 Yoga Gen1;  FrankenPad T25
Asus Z10PE D-16 WS; 2x Intel Xeon E-5 2690V4; 32GB ECC; nVidia Titan V CEO | Asus ROG Gene XI Intel i7-9700k nVidia 3070Ti

Lone_Wolf

Administrator

From: Netherlands, Europe

Registered: 2005-10-04

Posts: 13,401

Re: Can not install qtile-extras PGP signature could not be verified

So instead of pacman-key --recv-keys i needed to use gpg --receive-keys ?

As per 3.5.2 Searching and receiving keys

Also look at 3.5.3 as keyservers only have a subset of published keys, so you may need to try several before finding one that has it.

---

Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky

Efka

Member

From: Klaipeda

Registered: 2014-04-27

Posts: 108

Website

Re: Can not install qtile-extras PGP signature could not be verified

So instead of pacman-key --recv-keys i needed to use gpg --receive-keys ?

As per 3.5.2 Searching and receiving keys

Also look at 3.5.3 as keyservers only have a subset of published keys, so you may need to try several before finding one that has it.

Got it.
Thank You.

---

IBM Lenovo ThinkPad T61 ; Lenovo ThinkPad X220; Lenovo ThinkPad T440p; Lenovo Thinkpad W520; Lenovo Thinkpad P71; ThinkPad X1 Yoga Gen1;  FrankenPad T25
Asus Z10PE D-16 WS; 2x Intel Xeon E-5 2690V4; 32GB ECC; nVidia Titan V CEO | Asus ROG Gene XI Intel i7-9700k nVidia 3070Ti