Arch Linux

digihash

Member

Registered: 2010-10-24

Posts: 3

Problems with Developer key: Tobias Powalowski

Hi

I imported the key of Tobias Powalowski with pacman-key -r 0x7EDF681F. This imports the key with success, but when I want to update with pacman -Syu, I get this error:
------
error: linux: signature from "Tobias Powalowski <tobias.powalowski@googlemail.com>" is invalid
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.

I got this when I received the key of Tobias:
------
gpg: requesting key 7EDF681F from hkp server keyserver.ubuntu.com
gpg: key 7EDF681F: "Tobias Powalowski <tobias.powalowski@googlemail.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
==> Updating trust database...
gpg: no need for a trustdb check

I've checked the key of Tobias and this says that he has two addresses linked to this key.
Tobias Powalowski <tpowa@archlinux.org>
Tobias Powalowski <tobias.powalowski@googlemail.com>

Thanks in advance.
Digihash

xc1024

Member

Registered: 2009-11-10

Posts: 51

Re: Problems with Developer key: Tobias Powalowski

error: linux: signature from "Tobias Powalowski
<tobias.powalowski@googlemail.com>" is invalid
error: failed to commit transaction (invalid or
corrupted package)

The problem is not with the developer key, it's with the package signature. Either the signature or package must be different from what they are supposed to be - could be a corruption when downloading. Try re-downloading both of them and see if it works.

digihash

Member

Registered: 2010-10-24

Posts: 3

Re: Problems with Developer key: Tobias Powalowski

I did this, but it still doesn't work. I even re-initialized my trustdb and added and signed the 5 master keys. But it still doesn't work with the key of Tobias. And it is required to upgrade the Linux package.

Thanks for the respons

Gyroplast

Member

From: Germany

Registered: 2002-09-03

Posts: 166

Website

Re: Problems with Developer key: Tobias Powalowski

Greetings!

If we can safely assume the key you've got is in order, it must be either a modified package, an incorrectly signed package, download corruption or lacking trust. Let's check this systematically: First, the key and it's validity:

[gyroplast@vixen ~]$ sudo pacman-key --edit-key 0x7EDF681F
pub  2048R/7EDF681F  created: 2011-07-18  expires: never       usage: SC  
                     trust: unknown       validity: full
sub  2048R/5BF91F41  created: 2011-07-18  expires: never       usage: E   
[  full  ] (1). Tobias Powalowski <tobias.powalowski@googlemail.com>
[  full  ] (2)  Tobias Powalowski <tpowa@archlinux.org>

The important part here is the validity: full. Unknown or marginal validity won't suffice to allow this key's signatures to be considered valid. How is a key made valid? Either by explicitly trusting it yourself, ie. changing the trust: unknown to full, which is not recommended, or by trusting keys that, in turn, sign Tobias' key. These other keys you should explicitly review and trust marginally each should be the five Archlinux Master Signing Keys as described there.

If Tobias' key on your machine is fully valid, we can assume everything's alright with the key itself. It not, find out why not: Make sure you trusted the Master Signing Keys properly, this is the usual culprit.

Having a valid and correct key, but still failing to verify the signature could mean that your download was corrupted or incomplete as already suggested. Choose a different mirror. If that does not help, download one of the packages failing verification manually, along with the accompanying .sig file, save both files in the same directory, and verify the package manually:

[gyroplast@vixen testsig]$ wget -q http://archlinux.limun.org/core/os/i686/linux-3.3.1-1-i686.pkg.tar.xz
[gyroplast@vixen testsig]$ wget -q http://archlinux.limun.org/core/os/i686/linux-3.3.1-1-i686.pkg.tar.xz.sig
[gyroplast@vixen testsig]$ ls -l *
-rw-r--r-- 1 gyroplast gyroplast 40211496 Apr  3 18:34 linux-3.3.1-1-i686.pkg.tar.xz
-rw-r--r-- 1 gyroplast gyroplast      287 Apr  3 18:34 linux-3.3.1-1-i686.pkg.tar.xz.sig
[gyroplast@vixen testsig]$ sha1sum *
77397f57a994e926e82cceff0929d68494065000  linux-3.3.1-1-i686.pkg.tar.xz
d6bae3148abba470650af7e372a829a37e7135fd  linux-3.3.1-1-i686.pkg.tar.xz.sig
[gyroplast@vixen testsig]$ pacman-key -v linux-3.3.1-1-i686.pkg.tar.xz.sig 
gpg: Signature made Tue 03 Apr 2012 06:28:15 PM CEST using RSA key ID 7EDF681F
gpg: NOTE: trustdb not writable
gpg: Good signature from "Tobias Powalowski <tobias.powalowski@googlemail.com>"
gpg:                 aka "Tobias Powalowski <tpowa@archlinux.org>"

If that fails, triple check your downloaded files for correctness. Maybe something is mangling newlines in the files during/after download, or the files aren't downloaded completely. Have someone else download and verify the same files, and if THAT works, let this person give you checksum and size of both files to compare with yours. If you'd tell us here what you're trying to verify, we could surely assist.

As a blind guess I'd expect the problem to lie somewhere within your trustdb, despite your reassurement on the contrary. Check the validity and trust of each of the Master Signing Keys you imported. If you're still stumped, you can trust Tobias' key locally and see if the package installation works then (using --edit-key and the "trust" command).

What may have happened during your attempts to fix the problem is that you created several Pacman Keychain Master Keys, and got them mixed up during trusting the Archlinux keys. Check if you've got more than one like this:

[gyroplast@vixen testsig]$ pacman-key -l pacman@localhost
gpg: NOTE: trustdb not writable
pub   2048R/1C5E1636 2012-01-17
uid                  Pacman Keychain Master Key <pacman@localhost>

Only one key should be returned. This is the key you generated through pacman-key --init earlier, and is used to sign and trust the other keys. If there's something wrong, and you don't have a complex, custom web of trust to lose, eliminate the whole keyring (delete /etc/pacman.d/gnupg) and start over with initializing your keyring and trusting the master keys as described in the Wiki.

Good luck,
  Dennis

---

"That's the problem with good advice. Nobody wants to hear it."
-- Dogbert

digihash

Member

Registered: 2010-10-24

Posts: 3

Re: Problems with Developer key: Tobias Powalowski

Thanks for the respons. I managed to install the linux package, but now I've problems with systemd-tools.
I checked the key and it's correct. I tried to download systemd-tools-185-1-i686.pkg.tar.xz, but it constantly interrupted.

Also the .sig file isn't anywhere.

I also changed the mirrorlink a couple of times.

Where can I find this?